48-21

Cisco ASA 5500 Series Configuration Guide using the CLI

Chapter 48 Configuring the Cisco Phone Proxy

Configuring the Phone Proxy

What to Do Next

Once you have created the TLS proxy instance, create the phone proxy instance. See Creating the Phone Proxy Instance, page 48-23.

Creating the TLS Proxy for a Mixed-mode Cisco UCM Cluster

In a mixed-mode cluster, some IP phones may already be configured as encrypted, so they require TLS to the Cisco UCM. You must configure the LDC issuer for the TLS proxy.

Command and purpose for each step:

Step 1
Command: hostname(config)# crypto key generate rsa label key-pair-label modulus size
Examples:
hostname(config)# crypto key generate rsa label ldc_signer_key modulus 1024
hostname(config)# crypto key generate rsa label phone_common modulus 1024
Purpose: Creates the necessary RSA key pairs, where key-pair-label is the LDC signer key and the key for the IP phones.

Step 2
Command: hostname(config)# crypto ca trustpoint trustpoint_name
Example:
hostname(config)# crypto ca trustpoint ldc_server
Purpose: Creates an internal local CA to sign the LDC for Cisco IP phones, where trustpoint_name is the trustpoint for the LDC.

Step 3
Command: hostname(config-ca-trustpoint)# enrollment self
Purpose: Generates a self-signed certificate.

Step 4
Command: hostname(config-ca-trustpoint)# proxy-ldc-issuer
Purpose: Defines the local CA role for the trustpoint to issue dynamic certificates for the TLS proxy.

Step 5
Command: hostname(config-ca-trustpoint)# fqdn fqdn
Example:
hostname(config-ca-trustpoint)# fqdn my_ldc_ca.example.com
Purpose: Includes the indicated FQDN in the Subject Alternative Name extension of the certificate during enrollment, where fqdn is the FQDN for the LDC.

Step 6
Command: hostname(config-ca-trustpoint)# subject-name X.500_name
Example:
hostname(config-ca-trustpoint)# subject-name cn=FW_LDC_SIGNER_172_23_45_200
Purpose: Includes the indicated subject DN in the certificate during enrollment, where X.500_name is the subject DN for the LDC. Use commas to separate attribute-value pairs, and insert quotation marks around any value that contains commas or spaces, for example:
cn=crl,ou=certs,o="cisco systems, inc.",c=US
The maximum length is 500 characters.

Step 7
Command: hostname(config-ca-trustpoint)# keypair keypair
Example:
hostname(config-ca-trustpoint)# keypair ldc_signer_key
Purpose: Specifies the key pair whose public key is to be certified, where keypair is the key pair for the LDC.

Step 8
Command: hostname(config)# crypto ca enroll ldc_server
Example:
hostname(config)# crypto ca enroll ldc_server
Purpose: Starts the enrollment process with the CA.

Step 9
Command: hostname(config)# tls-proxy proxy_name
Example:
hostname(config)# tls-proxy mytls
Purpose: Creates the TLS proxy instance.
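As an added defender-side check (example code written for this page, not Cisco's), the following Python audits the LDC issuer trustpoint produced by Steps 2 through 7 against the text of show running-config crypto ca trustpoint and show crypto key mypubkey rsa. It confirms that enrollment self, proxy-ldc-issuer, fqdn, subject-name and keypair are all present on the one trustpoint that carries proxy-ldc-issuer, and that the referenced key pair meets a modulus floor. Both command outputs are constructed samples, the field layout of the key listing is assumed, and the 2048-bit floor is a local policy choice rather than a Cisco requirement (the manual's examples use 1024).

```python
# Constructed sample of `show running-config crypto ca trustpoint` output (not from a real device).
RUNNING_CONFIG = """\
crypto ca trustpoint ldc_server
 enrollment self
 proxy-ldc-issuer
 fqdn my_ldc_ca.example.com
 subject-name cn=FW_LDC_SIGNER_172_23_45_200
 keypair ldc_signer_key
"""
# Constructed sample of `show crypto key mypubkey rsa` output (field layout assumed).
KEY_LISTING = """\
Key name: ldc_signer_key
 Modulus Size (bits): 1024
"""
REQUIRED = ("enrollment self", "proxy-ldc-issuer", "fqdn", "subject-name", "keypair")  # Steps 3 to 7
MIN_MODULUS = 2048  # local policy floor for the signer key, not a Cisco requirement

def parse_trustpoints(config):
    tps, current = {}, None  # trustpoint name -> list of its indented sub-commands
    for line in config.splitlines():
        if line.startswith("crypto ca trustpoint "):
            current = line.split()[-1]
            tps[current] = []
        elif current and line.startswith(" "):
            tps[current].append(line.strip())
    return tps

def parse_key_sizes(listing):
    sizes, name = {}, None  # key name -> modulus size in bits
    for line in listing.splitlines():
        if line.startswith("Key name: "):
            name = line.split()[-1]
        elif name and "Modulus Size (bits):" in line:
            sizes[name] = int(line.split()[-1])
    return sizes

def audit_ldc_trustpoint(config, listing):
    """Return findings for the proxy-ldc-issuer trustpoint; an empty list means it passes."""
    tps, keys = parse_trustpoints(config), parse_key_sizes(listing)
    ldc = [name for name, cmds in tps.items() if "proxy-ldc-issuer" in cmds]
    if len(ldc) != 1:
        return [f"expected exactly one proxy-ldc-issuer trustpoint, found {len(ldc)}"]
    name, cmds, findings = ldc[0], tps[ldc[0]], []
    for req in REQUIRED:  # each required sub-command must appear, with or without an argument
        if not any(c == req or c.startswith(req + " ") for c in cmds):
            findings.append(f"{name}: missing '{req}'")
    keypair = next((c.split()[1] for c in cmds if c.startswith("keypair ")), None)
    if keypair is not None and keys.get(keypair, 0) < MIN_MODULUS:
        findings.append(f"{name}: keypair {keypair} is {keys.get(keypair)} bits (< {MIN_MODULUS})")
    return findings
```

Run against the sample above, the audit reports only the 1024-bit signer key; feed it the real command outputs captured from the ASA to check a live configuration.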
