Cisco ASA 5500 Series Configuration Guide using the CLI
Chapter 49 Configuring the TLS Proxy for Encrypted Voice Inspection
http://www.cisco.com/univercd/cc/td/doc/product/voice/c_callmg/5_1/nci/p08/secuauth.htm
Note You will need the CTL Client that is released with Cisco Unified CallManager Release 5.1 to interoperate with the security appliance. See the “CTL Client Overview” section on page 49-3 for more information regarding TLS proxy support.
Creating Trustpoints and Generating Certificates
The Cisco UCM proxy certificate can be self-signed or issued by a third-party CA. The certificate is exported to the CTL client.
Prerequisites
Import the required certificates, which are stored on the Cisco UCM. See the “Certificates from the Cisco UCM” section on page 48-7 and the “Importing Certificates from the Cisco UCM” section on page 48-15.
Step 1

Command:
hostname(config)# crypto key generate rsa label key-pair-label modulus size

Examples:
hostname(config)# crypto key generate rsa label ccm_proxy_key modulus 1024
hostname(config)# crypto key generate rsa label ldc_signer_key modulus 1024
hostname(config)# crypto key generate rsa label phone_common modulus 1024

Purpose:
Creates the RSA keypair that can be used for the trustpoints. The keypair is used by the self-signed certificate presented to the local domain containing the Cisco UP (proxy for the remote entity).

Note We recommend that you create a different key pair for each role.

Step 2

Command:
hostname(config)# crypto ca trustpoint trustpoint_name

Example:
hostname(config)# ! for self-signed CCM proxy certificate
hostname(config)# crypto ca trustpoint ccm_proxy

Purpose:
Enters the trustpoint configuration mode for the specified trustpoint so that you can create the trustpoint for the Cisco UMA server. A trustpoint represents a CA identity and possibly a device identity, based on a certificate issued by the CA.

Step 3

Command:
hostname(config-ca-trustpoint)# enrollment self

Purpose:
Generates a self-signed certificate.

Step 4

Command:
hostname(config-ca-trustpoint)# fqdn none

Purpose:
Specifies not to include a fully qualified domain name (FQDN) in the Subject Alternative Name extension of the certificate during enrollment.
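The four steps above as one consolidated ASA configuration fragment covering all three roles named in the key-pair examples (an added example, not from the guide). The ldc_signer and phone_common trustpoint names, the keypair, subject-name and crypto ca enroll commands, the show commands used to verify, and the 2048-bit modulus (in place of the page's 1024, which is no longer adequate for RSA) are assumptions; the page itself only shows the ccm_proxy trustpoint and steps 1 to 4.

```cisco
! Added example: one self-signed trustpoint per role, each bound to its own RSA key pair.
! Key-pair labels and the ccm_proxy trustpoint name follow the guide; the rest is assumed.
!
! Step 1: a separate key pair per role (2048-bit assumed; the guide's examples use 1024).
hostname(config)# crypto key generate rsa label ccm_proxy_key modulus 2048
hostname(config)# crypto key generate rsa label ldc_signer_key modulus 2048
hostname(config)# crypto key generate rsa label phone_common modulus 2048
!
! Steps 2-4: self-signed Cisco UCM proxy certificate with no FQDN in the SAN extension.
hostname(config)# crypto ca trustpoint ccm_proxy
hostname(config-ca-trustpoint)# enrollment self
hostname(config-ca-trustpoint)# fqdn none
! Assumed standard trustpoint commands (not on this page): bind the key pair, set the subject.
hostname(config-ca-trustpoint)# keypair ccm_proxy_key
hostname(config-ca-trustpoint)# subject-name cn=EXAMPLE-ASA-CCM-PROXY
hostname(config-ca-trustpoint)# exit
!
! Same pattern for the local dynamic certificate signer and the common phone certificate
! (trustpoint names assumed).
hostname(config)# crypto ca trustpoint ldc_signer
hostname(config-ca-trustpoint)# enrollment self
hostname(config-ca-trustpoint)# fqdn none
hostname(config-ca-trustpoint)# keypair ldc_signer_key
hostname(config-ca-trustpoint)# subject-name cn=EXAMPLE-LDC-SIGNER
hostname(config-ca-trustpoint)# exit
hostname(config)# crypto ca trustpoint phone_common
hostname(config-ca-trustpoint)# enrollment self
hostname(config-ca-trustpoint)# fqdn none
hostname(config-ca-trustpoint)# keypair phone_common
hostname(config-ca-trustpoint)# subject-name cn=EXAMPLE-PHONE-COMMON
hostname(config-ca-trustpoint)# exit
!
! Generate the self-signed certificates (assumed; the enroll step is not on this page).
hostname(config)# crypto ca enroll ccm_proxy noconfirm
hostname(config)# crypto ca enroll ldc_signer noconfirm
hostname(config)# crypto ca enroll phone_common noconfirm
!
! Verify: each trustpoint should hold a certificate, and each label a distinct key.
hostname# show crypto ca certificates ccm_proxy
hostname# show crypto key mypubkey rsa
```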