200 OK Cisco Crowdsources Critical Announcements: SSL Certificate Changes on SPA-500 phones


The Cisco Small Business SPA-500 series phones (such as the SPA-502G, SPA-508G) include a Cisco-signed SSL certificate. Until very recently, all of the Cisco SPA-500-series phones shipped were signed by a Sipura certificate. Sipura was the Korean company that was bought by Linksys before Linksys was bought by Cisco.

Sometime after August 2013, Cisco Small Business started shipping phones signed with a different certificate. Cisco Small Business failed to inform the largest telephone company in the world so it could prepare for this change.

Cisco has issued a new certificate that can be used to verify the new client certificates. Dan Lukes used the Cisco discussion forum to helpfully post the new certificates. We're all glad Cisco hosts the site to enable their customer Dan Lukes to post the information that Cisco should have posted.

Using Apache HTTPD, you can load the text below as a certificate, then setup a directory to require the client certificate:

        SSLCACertificateFile /etc/httpd/conf/ssl.crt/cisco_small_business_cert_20140802.crt
        <Location /spa500>
              SSLRequireSSL
              SSLVerifyClient require
              SSLVerifyDepth 10
        </Location>

In honor of the United States' Belt-and-Suspenders approach to ebola prevention, 200OK.info is posting the certificate here.

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            d0:7d:8c:15:c0:ba:7c:b6:44:69:98:b1:ea:89:87:9f
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, ST=California, L=San Jose, O=Cisco Small Business, OU=Cisco Small Business Certificate Authority, CN=Cisco Small Business Client Root Authority 2/emailAddress=ciscosb-certadmin@cisco.com
        Validity
            Not Before: Aug  2 22:37:43 2013 GMT
            Not After : Jun 28 22:37:43 2035 GMT
        Subject: C=US, ST=California, L=San Jose, O=Cisco Small Business, OU=Cisco Small Business Certificate Authority, CN=Cisco Small Business Client Root Authority 2/emailAddress=ciscosb-certadmin@cisco.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):
                    00:bf:c2:f8:3a:e6:c6:89:21:8c:82:a0:79:91:73:
                    72:f3:74:d5:a8:4e:a7:3d:7b:02:ab:6b:2c:8d:71:
                    82:02:76:7a:fa:bf:2e:8c:e7:b0:47:15:96:ab:83:
                    8f:48:0d:e7:e7:15:f2:ed:54:2e:cd:7d:e3:36:34:
                    f6:eb:05:a3:d5:39:57:2e:6a:ee:b2:0a:b7:7b:a6:
                    dd:82:e9:6a:94:01:2f:89:1d:52:93:f4:ec:23:08:
                    ae:6f:04:0a:94:5d:92:94:d6:3a:c4:58:69:da:2b:
                    2e:64:cf:77:0e:29:82:c3:be:7d:7a:eb:f8:f4:d1:
                    5c:18:77:85:a4:5e:e8:1e:51:f6:d4:79:f1:e1:c8:
                    44:7c:67:ad:9c:f7:9b:80:74:1f:32:05:79:c3:d5:
                    67:41:df:1c:80:9a:10:57:80:9b:7e:ab:e6:50:24:
                    82:42:06:cf:df:34:7d:0a:e9:70:56:dc:6f:0a:c5:
                    1b:32:7a:f0:e1:73:2e:21:d4:92:7a:d6:53:96:83:
                    b3:8d:82:bc:7f:5e:03:ed:e9:7e:63:39:bb:37:0a:
                    c6:32:c7:fe:db:3f:b0:8a:02:85:83:78:2a:87:32:
                    5a:b1:82:ff:38:df:0d:4b:83:31:8e:af:78:e6:79:
                    46:94:8e:2e:c3:18:34:36:31:90:b6:3a:89:1e:06:
                    1a:67
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                F8:C2:33:67:A9:12:FC:5D:43:23:9E:55:D3:7E:57:40:1A:55:42:10
            X509v3 Authority Key Identifier:
                keyid:F8:C2:33:67:A9:12:FC:5D:43:23:9E:55:D3:7E:57:40:1A:55:42:10
                DirName:/C=US/ST=California/L=San Jose/O=Cisco Small Business/OU=Cisco Small Business Certificate Authority/CN=Cisco Small Business Client Root Authority 2/emailAddress=ciscosb-certadmin@cisco.com
                serial:D0:7D:8C:15:C0:BA:7C:B6:44:69:98:B1:EA:89:87:9F

            X509v3 Basic Constraints:
                CA:TRUE
            Netscape Cert Type:
                SSL CA
            X509v3 Extended Key Usage:
                TLS Web Client Authentication
    Signature Algorithm: sha1WithRSAEncryption
        98:95:36:35:98:51:26:92:66:c6:db:cd:ad:1a:a9:7f:12:2c:
        02:c3:36:28:4f:05:20:f3:85:a2:a1:f7:4d:6c:4b:68:47:0a:
        6f:f9:f3:6e:fa:e7:cf:cc:57:a5:7f:60:d6:d9:ba:7f:f3:81:
        16:e2:d7:c5:83:0c:1a:84:82:24:9a:ab:5f:20:5c:21:26:24:
        b7:6d:03:5f:ad:8e:10:9b:8c:2b:9a:6c:bc:a0:0c:4d:5c:52:
        d7:00:bb:ff:b9:73:aa:17:69:98:ca:a5:4c:79:bc:9e:73:48:
        b1:b5:c1:90:d8:88:89:f4:a2:55:bb:78:6b:e8:91:37:19:3f:
        37:7d:20:c4:ea:c1:f3:17:f1:4f:49:b5:6d:fe:f3:24:3b:f1:
        84:98:d0:0e:f4:24:bd:7e:e7:86:ee:6f:ff:7d:6c:49:fa:75:
        4d:d9:eb:f8:7c:1f:cd:3d:c3:16:33:23:38:8c:96:72:62:50:
        2d:6f:ea:68:0c:a6:ba:bb:0e:08:f5:5d:e9:c0:d2:c9:be:f3:
        ae:73:ae:63:ba:f6:8d:34:e9:60:b1:6e:a2:f8:cb:8b:fd:03:
        2c:c1:91:e0:45:12:e6:26:98:8a:51:16:6f:5c:36:20:6f:fd:
        99:96:3a:7b:8b:b1:56:2c:de:b7:91:ec:36:bc:14:56:c3:df:
        62:fd:d4:36
-----BEGIN CERTIFICATE-----
MIIF7zCCBNegAwIBAgIRANB9jBXAuny2RGmYseqJh58wDQYJKoZIhvcNAQEFBQAw
gewxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMREwDwYDVQQHEwhT
YW4gSm9zZTEdMBsGA1UEChMUQ2lzY28gU21hbGwgQnVzaW5lc3MxMzAxBgNVBAsT
KkNpc2NvIFNtYWxsIEJ1c2luZXNzIENlcnRpZmljYXRlIEF1dGhvcml0eTE1MDMG
A1UEAxMsQ2lzY28gU21hbGwgQnVzaW5lc3MgQ2xpZW50IFJvb3QgQXV0aG9yaXR5
IDIxKjAoBgkqhkiG9w0BCQEWG2Npc2Nvc2ItY2VydGFkbWluQGNpc2NvLmNvbTAe
Fw0xMzA4MDIyMjM3NDNaFw0zNTA2MjgyMjM3NDNaMIHsMQswCQYDVQQGEwJVUzET
MBEGA1UECBMKQ2FsaWZvcm5pYTERMA8GA1UEBxMIU2FuIEpvc2UxHTAbBgNVBAoT
FENpc2NvIFNtYWxsIEJ1c2luZXNzMTMwMQYDVQQLEypDaXNjbyBTbWFsbCBCdXNp
bmVzcyBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkxNTAzBgNVBAMTLENpc2NvIFNtYWxs
IEJ1c2luZXNzIENsaWVudCBSb290IEF1dGhvcml0eSAyMSowKAYJKoZIhvcNAQkB
FhtjaXNjb3NiLWNlcnRhZG1pbkBjaXNjby5jb20wggEiMA0GCSqGSIb3DQEBAQUA
A4IBDwAwggEKAoIBAQC/wvg65saJIYyCoHmRc3LzdNWoTqc9ewKrayyNcYICdnr6
vy6M57BHFZarg49IDefnFfLtVC7NfeM2NPbrBaPVOVcuau6yCrd7pt2C6WqUAS+J
HVKT9OwjCK5vBAqUXZKU1jrEWGnaKy5kz3cOKYLDvn166/j00VwYd4WkXugeUfbU
efHhyER8Z62c95uAdB8yBXnD1WdB3xyAmhBXgJt+q+ZQJIJCBs/fNH0K6XBW3G8K
xRsyevDhcy4h1JJ61lOWg7ONgrx/XgPt6X5jObs3CsYyx/7bP7CKAoWDeCqHMlqx
gv843w1LgzGOr3jmeUaUji7DGDQ2MZC2OokeBhpnAgMBAAGjggGIMIIBhDAdBgNV
HQ4EFgQU+MIzZ6kS/F1DI55V035XQBpVQhAwggErBgNVHSMEggEiMIIBHoAU+MIz
Z6kS/F1DI55V035XQBpVQhChgfKkge8wgewxCzAJBgNVBAYTAlVTMRMwEQYDVQQI
EwpDYWxpZm9ybmlhMREwDwYDVQQHEwhTYW4gSm9zZTEdMBsGA1UEChMUQ2lzY28g
U21hbGwgQnVzaW5lc3MxMzAxBgNVBAsTKkNpc2NvIFNtYWxsIEJ1c2luZXNzIENl
cnRpZmljYXRlIEF1dGhvcml0eTE1MDMGA1UEAxMsQ2lzY28gU21hbGwgQnVzaW5l
c3MgQ2xpZW50IFJvb3QgQXV0aG9yaXR5IDIxKjAoBgkqhkiG9w0BCQEWG2Npc2Nv
c2ItY2VydGFkbWluQGNpc2NvLmNvbYIRANB9jBXAuny2RGmYseqJh58wDAYDVR0T
BAUwAwEB/zARBglghkgBhvhCAQEEBAMCAgQwEwYDVR0lBAwwCgYIKwYBBQUHAwIw
DQYJKoZIhvcNAQEFBQADggEBAJiVNjWYUSaSZsbbza0aqX8SLALDNihPBSDzhaKh
901sS2hHCm/5827658/MV6V/YNbZun/zgRbi18WDDBqEgiSaq18gXCEmJLdtA1+t
jhCbjCuabLygDE1cUtcAu/+5c6oXaZjKpUx5vJ5zSLG1wZDYiIn0olW7eGvokTcZ
Pzd9IMTqwfMX8U9JtW3+8yQ78YSY0A70JL1+54bub/99bEn6dU3Z6/h8H809wxYz
IziMlnJiUC1v6mgMprq7Dgj1XenA0sm+865zrmO69o006WCxbqL4y4v9AyzBkeBF
EuYmmIpRFm9cNiBv/ZmWOnuLsVYs3reR7Da8FFbD32L91DY=
-----END CERTIFICATE-----

For completeness, this is the older Certificate:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            45:bf:48:c0:ce:b8:8f:7b:c8:e1:6d:85:62:5a:5b:8f
        Signature Algorithm: md5WithRSAEncryption
        Issuer: C=US, ST=California, L=San Jose, O=Sipura Technology, Inc., OU=Sipura Technology Certificate Authority, CN=Sipura Technology Client Root Authority 1/emailAddress=webmaster@sipura.com
        Validity
            Not Before: Feb  7 22:29:57 2004 GMT
            Not After : Jan 30 22:29:57 2034 GMT
        Subject: C=US, ST=California, L=San Jose, O=Sipura Technology, Inc., OU=Sipura Technology Certificate Authority, CN=Sipura Technology Client Root Authority 1/emailAddress=webmaster@sipura.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:e7:21:ce:9b:39:d1:18:1b:d3:c7:50:b5:fc:8c:
                    71:a9:9d:72:5c:1a:64:8c:fc:fd:a6:51:c6:b2:41:
                    ee:2f:c9:ec:13:d3:9b:4c:af:ec:1a:93:43:6b:c4:
                    2e:00:45:29:d2:49:14:db:f9:f1:1b:f0:1f:28:b4:
                    53:c0:63:fc:85:b4:3d:f5:e9:5c:3b:e7:57:bf:b5:
                    e4:19:fc:93:3f:ec:d0:ea:ae:de:aa:42:0a:2d:fa:
                    33:8f:42:bf:69:b9:4f:ce:12:34:52:26:3f:f8:01:
                    d2:56:69:70:9e:01:c5:62:d6:13:94:f2:06:dc:e2:
                    af:3e:ef:2b:2a:c5:55:a5:f5
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                4C:83:38:2B:9D:C6:E3:65:AB:19:51:31:A5:C9:35:9B:51:0A:23:21
            X509v3 Authority Key Identifier:
                keyid:4C:83:38:2B:9D:C6:E3:65:AB:19:51:31:A5:C9:35:9B:51:0A:23:21
                DirName:/C=US/ST=California/L=San Jose/O=Sipura Technology, Inc./OU=Sipura Technology Certificate Authority/CN=Sipura Technology Client Root Authority 1/emailAddress=webmaster@sipura.com
                serial:45:BF:48:C0:CE:B8:8F:7B:C8:E1:6D:85:62:5A:5B:8F

            X509v3 Basic Constraints:
                CA:TRUE
            Netscape Cert Type:
                SSL CA
            X509v3 Extended Key Usage:
                TLS Web Client Authentication
    Signature Algorithm: md5WithRSAEncryption
        8e:ea:90:83:84:b9:9f:d7:8d:77:65:e0:42:cd:d2:71:58:23:
        51:41:5e:52:df:10:55:4e:4f:03:19:41:6e:02:d8:4f:f8:ce:
        4b:7e:6f:2a:95:b2:7d:55:b2:c2:f4:ff:37:03:87:e1:b0:9d:
        c3:b2:64:8a:bb:f3:c2:7e:c2:8f:46:b0:9d:e9:2b:d0:f4:b1:
        81:d4:5a:21:f0:0b:14:d1:09:da:30:a6:6e:63:09:8b:f7:9f:
        b9:81:8f:b5:a9:0c:34:8f:9e:6d:6e:4a:50:92:e3:71:66:86:
        56:ca:e0:f9:3c:39:5f:e3:9c:d2:d6:7b:65:35:22:09:6f:fa:
        a0:e9
-----BEGIN CERTIFICATE-----
MIIEyjCCBDOgAwIBAgIQRb9IwM64j3vI4W2FYlpbjzANBgkqhkiG9w0BAQQFADCB
4jELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExETAPBgNVBAcTCFNh
biBKb3NlMSAwHgYDVQQKExdTaXB1cmEgVGVjaG5vbG9neSwgSW5jLjEwMC4GA1UE
CxMnU2lwdXJhIFRlY2hub2xvZ3kgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MTIwMAYD
VQQDEylTaXB1cmEgVGVjaG5vbG9neSBDbGllbnQgUm9vdCBBdXRob3JpdHkgMTEj
MCEGCSqGSIb3DQEJARYUd2VibWFzdGVyQHNpcHVyYS5jb20wHhcNMDQwMjA3MjIy
OTU3WhcNMzQwMTMwMjIyOTU3WjCB4jELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNh
bGlmb3JuaWExETAPBgNVBAcTCFNhbiBKb3NlMSAwHgYDVQQKExdTaXB1cmEgVGVj
aG5vbG9neSwgSW5jLjEwMC4GA1UECxMnU2lwdXJhIFRlY2hub2xvZ3kgQ2VydGlm
aWNhdGUgQXV0aG9yaXR5MTIwMAYDVQQDEylTaXB1cmEgVGVjaG5vbG9neSBDbGll
bnQgUm9vdCBBdXRob3JpdHkgMTEjMCEGCSqGSIb3DQEJARYUd2VibWFzdGVyQHNp
cHVyYS5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAOchzps50Rgb08dQ
tfyMcamdclwaZIz8/aZRxrJB7i/J7BPTm0yv7BqTQ2vELgBFKdJJFNv58RvwHyi0
U8Bj/IW0PfXpXDvnV7+15Bn8kz/s0Oqu3qpCCi36M49Cv2m5T84SNFImP/gB0lZp
cJ4BxWLWE5TyBtzirz7vKyrFVaX1AgMBAAGjggF9MIIBeTAdBgNVHQ4EFgQUTIM4
K53G42WrGVExpck1m1EKIyEwggEgBgNVHSMEggEXMIIBE4AUTIM4K53G42WrGVEx
pck1m1EKIyGhgeikgeUwgeIxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9y
bmlhMREwDwYDVQQHEwhTYW4gSm9zZTEgMB4GA1UEChMXU2lwdXJhIFRlY2hub2xv
Z3ksIEluYy4xMDAuBgNVBAsTJ1NpcHVyYSBUZWNobm9sb2d5IENlcnRpZmljYXRl
IEF1dGhvcml0eTEyMDAGA1UEAxMpU2lwdXJhIFRlY2hub2xvZ3kgQ2xpZW50IFJv
b3QgQXV0aG9yaXR5IDExIzAhBgkqhkiG9w0BCQEWFHdlYm1hc3RlckBzaXB1cmEu
Y29tghBFv0jAzriPe8jhbYViWluPMAwGA1UdEwQFMAMBAf8wEQYJYIZIAYb4QgEB
BAQDAgIEMBMGA1UdJQQMMAoGCCsGAQUFBwMCMA0GCSqGSIb3DQEBBAUAA4GBAI7q
kIOEuZ/XjXdl4ELN0nFYI1FBXlLfEFVOTwMZQW4C2E/4zkt+byqVsn1VssL0/zcD
h+GwncOyZIq788J+wo9GsJ3pK9D0sYHUWiHwCxTRCdowpm5jCYv3n7mBj7WpDDSP
nm1uSlCS43FmhlbK4Pk8OV/jnNLWe2U1Iglv+qDp
-----END CERTIFICATE-----

Thanks to my colleague Jon Chleboun, as well as Daniel Cruz, and Dan Lukes.