48-18
Cisco ASA 5500 Series Configuration Guide using the CLI
Chapter48 Configuring the Cisco Phone Proxy
Configuring the Phone Proxy
Prerequisites
Import the required certificates, which are stored on the Cisco UCM. See Certificates from the Cisco
UCM, page 48-7 and Importing Certificates from the Cisco UCM, page48-15.
What to Do Next
Once you have created the trustpoints and generated the certificates, create the CTL file for the phone
proxy. See Creating the CTL File, page48-18.
If you are configuring the phone proxy in a mixed-mode cluster, you can use an existing CTL file. See
Using an Existing CTL File, page48-20.
Creating the CTL File
Create the CTL file that will be presented to the IP phones during the TFTP requests.
Command Purpose
Step1 hostname(config)# crypto key generate rsa label
key-pair-label modulus size
Example:
crypto key generate rsa label cucmtftp_kp modulus
1024
Creates a keypair that can be used for the trustpoints.
Step2 hostname(config)# crypto ca trustpoint
trustpoint_name
Example:
crypto ca trustpoint cucm_tftp_server
Creates the trustpoints for each entity in the network
(primary Cisco UCM, secondary Cisco UCM, and
TFTP server).
Note You are only required to create a separate
trustpoint for the TFTP server when the
TFTP server resides on a different server
from the Cisco UCM. See Example 3:
Mixed-mode Cisco UCM cluster, Cisco
UCM and TFTP Server on Different Servers,
page 48-46 for an example of this
configuration.
Step3 hostname(config-ca-trustpoint)# enrollment self Generates a self-signed certificate.
Step4 hostname(config-ca-trustpoint)# keypair keyname
Example:
keypair cucmtftp_kp
Specifies the keypair whose public key is being
certified.
Step5 hostname(config-ca-trustpoint)# exit Exits from the Configure Trustpoint mode.
Step6 hostname(config)# crypto ca enroll trustpoint
Example:
crypto ca enroll cucm_tftp_server
Requests the certificate from the CA server and
causes the ASA to generate the certificate.
When prompted to include the device serial number
in the subject name, type Y to include the serial
number or type N to exclude it.
When prompted to generate the self-signed
certificate, type Y.