Extended Brain Storage

Linksys SPA-922: SRTP and Certificate Setup

Posted on December 11, 2012

This how-to is for everyone who intends to encrypt voice over IP (VoIP) calls using the Linksys SPA-9XX (SPA-922). The encryption is accomplished by SRTP.

Currently, there is an online service available on voxilla.com. However, the following text is dedicated for those who choose not to rely on some third party service and want to make it on their own….

A Step-by-Step How-To

First of all, download the following software and compile as per the instructions below.

Open the megajournal.ru link and find section “gen_mc” replacement and download the tar.gz file (ideally to the /tmp directory). Remove the mp3 extension from the downloaded file as it is a gen-mc.c-v0.98.tar.gz file.

Assuming any Linux command line (bash, etc.) availability, uncompress the tar file:

$ tar -xvf gen-mc.c-v0.98.tar.gz

and compile:

$ cc gen-mc.c -o gen-mc -lssl -lcrypto -lz

Once the compiler returns: “Warning: format not a string literal and no format arguments”, it is necessary to update the source code by replacing:

fprintf( stderr, help );


fprintf( stderr, "%s", help );

and recompile it.

If compiled successfully, the unparametrized usage of gen-mc should produce the “man page”:

$ ./gen-mc
Usage: gen-mc -k  -d  -u  [other options]

Once the result is “Unable to execute ... Permission denied”, then beware of using spaces and “strange” characters in the directory path to the gen-mc file.

Certificate and Passkey Generation

Generate a CA certificate (cakey.pem) using the OpenSSL software by executing:

$ openssl genrsa -out cakey.pem 1024

Now, generate the mini_cert.b64 and user_pk.b64 text files to get a mini certificate and a passkey using:

$ ./gen-mc -k cakey.pem -d TELNUMBER -u TELNUMBER

where the TELNUMBER is like 234567890 (an example for the Czech Republic).

Upgrade the SPA Device

  1. Open the admin and advanced setup URL of the telephone.
  2. Click on the Ext1 option.
  3. Copy the mini_cert.b64 content into the Mini Certificate: field.
  4. Copy the user_pk.b64 content into the SRTP Private Key: field.
  5. Set Use Auth ID option to no.
  6. Click on the User option and set the Secure Call Setting: option to yes.

Using the same cakey.pem file, it works and you can hear three specific beeps during the call setup after which the call is encrypted (you can use Wireshark to sniff the traffic) and in the Line 1 section that the call is “Secure” (while the call is set up).


  1. http://forum.ixbt.com/topic.cgi?id=88:3038
  2. http://www.telefonujeme.cz/about3605.html

Tags: #certificate #Linksys #SPA #SPA-922 #SPA-9XX #SRTP #VoIP

⏴ Previous Post Next Post ⏵