Creating trustpoints and generating certificates – Cisco ASA 5505 User Manual


Cisco ASA 5500 Series Configuration Guide using the CLI
Chapter 49 Configuring the TLS Proxy for Encrypted Voice Inspection
Page 49-9

http://www.cisco.com/univercd/cc/td/doc/product/voice/c_callmg/5_1/nci/p08/secuauth.htm

Note  You will need the CTL Client that is released with Cisco Unified CallManager Release 5.1 to interoperate with the security appliance. See the “CTL Client Overview” section on page 49-3 for more information regarding TLS proxy support.

Creating Trustpoints and Generating Certificates

The Cisco UCM proxy certificate can be self-signed or issued by a third-party CA. The certificate is exported to the CTL client.

Prerequisites

Import the required certificates, which are stored on the Cisco UCM. See the “Certificates from the Cisco UCM” section on page 48-7 and the “Importing Certificates from the Cisco UCM” section on page 48-15.

Step 1

Command:

hostname(config)# crypto key generate rsa label key-pair-label modulus size

Examples:

hostname(config)# crypto key generate rsa label ccm_proxy_key modulus 1024
hostname(config)# crypto key generate rsa label ldc_signer_key modulus 1024
hostname(config)# crypto key generate rsa label phone_common modulus 1024

Purpose:

Creates the RSA key pair that can be used for the trustpoints. The key pair is used by the self-signed certificate presented to the local domain containing the Cisco UP (proxy for the remote entity).

Note  We recommend that you create a different key pair for each role.

Step 2

Command:

hostname(config)# crypto ca trustpoint trustpoint_name

Example:

hostname(config)# ! for self-signed CCM proxy certificate
hostname(config)# crypto ca trustpoint ccm_proxy

Purpose:

Enters the trustpoint configuration mode for the specified trustpoint so that you can create the trustpoint for the Cisco UMA server.

A trustpoint represents a CA identity and possibly a device identity, based on a certificate issued by the CA.

Step 3

Command:

hostname(config-ca-trustpoint)# enrollment self

Purpose:

Generates a self-signed certificate.

Step 4

Command:

hostname(config-ca-trustpoint)# fqdn none

Purpose:

Specifies not to include a fully qualified domain name (FQDN) in the Subject Alternative Name extension of the certificate during enrollment.
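As an added example (not from the Cisco guide), the following Python plans steps 1 through 4 for several TLS-proxy roles: it emits the commands exactly as shown above and first checks the Note's one-key-pair-per-role advice and a minimum RSA modulus. The key labels are the page's; the ldc_signer and phone_common trustpoint names and the 2048-bit modulus are assumptions.

```python
"""Added example (not from the Cisco guide): emit the ASA commands of steps 1-4
for several TLS-proxy roles and check the plan first, honouring the Note's
one-key-pair-per-role advice and a minimum RSA modulus. Roles are constructed."""
from dataclasses import dataclass

MIN_MODULUS = 2048  # assumption: 1024-bit RSA, as in the page's examples, is now too weak

@dataclass(frozen=True)
class ProxyRole:
    trustpoint: str  # name given to 'crypto ca trustpoint'
    key_label: str   # label given to 'crypto key generate rsa label'
    modulus: int     # RSA modulus size in bits

# Key labels and the ccm_proxy trustpoint come from the page; the other two
# trustpoint names and the 2048-bit modulus are constructed for this example.
EXAMPLE_ROLES = [
    ProxyRole("ccm_proxy", "ccm_proxy_key", 2048),
    ProxyRole("ldc_signer", "ldc_signer_key", 2048),
    ProxyRole("phone_common", "phone_common", 2048),
]

def validate_roles(roles):
    """Return findings; an empty list means the plan is sound."""
    findings, first_user = [], {}  # first_user: key label -> trustpoint claiming it
    for r in roles:
        if r.key_label in first_user:
            findings.append(f"{r.trustpoint}: key pair '{r.key_label}' already used by "
                            f"{first_user[r.key_label]}; use one key pair per role")
        else:
            first_user[r.key_label] = r.trustpoint
        if r.modulus < MIN_MODULUS:
            findings.append(f"{r.trustpoint}: modulus {r.modulus} is below {MIN_MODULUS} bits")
    return findings

def render_commands(roles):
    """Steps 1-4 as config-mode commands; refuses to render a plan with findings."""
    findings = validate_roles(roles)
    if findings:
        raise ValueError("; ".join(findings))
    lines = [f"crypto key generate rsa label {r.key_label} modulus {r.modulus}" for r in roles]
    for r in roles:
        lines += [f"! self-signed certificate for {r.trustpoint}",
                  f"crypto ca trustpoint {r.trustpoint}",
                  " enrollment self",  # step 3: self-signed certificate
                  " fqdn none"]        # step 4: no FQDN in the Subject Alternative Name
    return lines

if __name__ == "__main__":
    print("\n".join(render_commands(EXAMPLE_ROLES)))
```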
