Linksys SPA-922: SRTP and Certificate Setup

This how-to is for everyone who intends to encrypt voice over IP (VoIP) calls using the Linksys SPA-9XX (SPA-922). The encryption is accomplished by SRTP.

Currently, there is an online service available on However, the following text is dedicated for those who choose not to rely on some third party service and want to make it on their own.

A Step-by-Step How-To

First of all, download the following software and compile as per the instructions below.

gen_mc Script

Open the link and find section “gen_mc” replacement and download the tar.gz file. Remove the mp3 extension from the downloaded file as it is a gen-mc.c-v0.98.tar.gz file.

Untar and Compile

Assuming any Linux command line (Bash, etc.) availability, uncompress the tar file:

tar -xvf gen-mc.c-v0.98.tar.gz

and compile:

cc gen-mc.c -o gen-mc -lssl -lcrypto -lz

Once the compiler returns: “Warning: format not a string literal and no format arguments”, it is necessary to update the source code by replacing

fprintf( stderr, help );


fprintf( stderr, "%s", help );

and recompile it.

If compiled successfully, the unparametrized usage of gen-mc should produce the “man page”

Usage: gen-mc -k  -d  -u  [other options]

Once the result is “Unable to execute … Permission denied”, then beware of using spaces and “strange” characters in the directory path to the gen-mc file.

Certificate and Passkey Generation

Generate a CA certificate (cakey.pem) using the OpenSSL software by executing:

openssl genrsa -out cakey.pem 1024

Now, generate the mini_cert.b64 a user_pk.b64 text files to get a mini certificate and and passkey using:

./gen-mc -k cakey.pem -d TELNUMBER -u TELNUMBER

where the TELNUMBER is like 234567890 (an example for the Czech Republic).

Upgrade the SPA

  1. Open the admin and advanced setup URL of the telephone.
  2. Click on the Ext1 option.
  3. Copy the mini_cert.b64 content into the “Mini Certificate:” field.
  4. Copy the user_pk.b64 content into the “SRTP Private Key:” field.
  5. Set “Use Auth ID” option to “no”.
  6. Click on the User option and set the “Secure Call Setting:” option to “yes”.

Using the same cakey.pem file, it works and you can hear three specific beeps during the call setup after which the call is encrypted (you can use Wireshark to sniff the traffic) and in the Line 1 section that the call is “Secure” (while the call is set up).


This entry was posted in Linux, Security, VoIP and tagged , , , , , , , , . Bookmark the permalink.