Cisco ASA 5500 Series Configuration Guide using the CLI
Chapter 49 Configuring the TLS Proxy for Encrypted Voice Inspection (page 49-10)
Command                                              Purpose

Step 5  hostname(config-ca-trustpoint)# subject-name X.500_name

        Example:
        hostname(config-ca-trustpoint)# subject-name cn=EJW-SV-1-Proxy

        Includes the indicated subject DN in the certificate during enrollment.

        Cisco IP Phones require certain fields from the X.509v3 certificate to be present in order to validate the certificate by consulting the CTL file. Consequently, the subject-name entry must be configured for a proxy certificate trustpoint. The subject name must be composed of the ordered concatenation of the CN, OU and O fields. The CN field is mandatory; the others are optional.

        Note    Each of the concatenated fields (when present) is separated by a semicolon, yielding one of the following forms:
                CN=xxx;OU=yyy;O=zzz
                CN=xxx;OU=yyy
                CN=xxx;O=zzz
                CN=xxx

Step 6  hostname(config-ca-trustpoint)# keypair keyname

        Example:
        hostname(config-ca-trustpoint)# keypair ccm_proxy_key

        Specifies the key pair whose public key is to be certified.

Step 7  hostname(config-ca-trustpoint)# exit

        Exits from the CA Trustpoint configuration mode.

Step 8  hostname(config)# crypto ca enroll trustpoint

        Example:
        hostname(config)# crypto ca enroll ccm_proxy

        Starts the enrollment process with the CA and specifies the name of the trustpoint to enroll with.

What to Do Next

Once you have created the trustpoints and generated the certificates, create the internal CA to sign the LDC for Cisco IP Phones. See Creating an Internal CA, page 49-10.

Creating an Internal CA

Create an internal local CA to sign the LDC for Cisco IP Phones.

This local CA is created as a regular self-signed trustpoint with proxy-ldc-issuer enabled. You can use the embedded local CA LOCAL-CA-SERVER on the ASA to issue the LDC.

Command                                              Purpose

Step 1  hostname(config)# crypto ca trustpoint trustpoint_name

        Example:
        hostname(config)# ! for the internal local LDC issuer
        hostname(config)# crypto ca trustpoint ldc_server

        Enters the trustpoint configuration mode for the specified trustpoint so that you can create the trustpoint for the LDC issuer.

Step 2  hostname(config-ca-trustpoint)# enrollment self

        Generates a self-signed certificate.
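The subject-name rule in Step 5 (ordered CN, OU, O; semicolon separated; CN mandatory) is easy to get wrong when preparing a trustpoint configuration, and a malformed subject DN only becomes visible when the phone rejects the proxy certificate after checking it against the CTL file. The following Python validator is an added example, not part of the Cisco guide; it checks a candidate subject-name string against the four forms listed in the note before the value is entered on the ASA. Matching attribute names case-insensitively is an assumption made so that the lowercase `cn=` from the guide's own example is accepted.

```python
"""Validate a subject-name value against the form the ASA TLS proxy
requires for a proxy certificate trustpoint (see the note in Step 5).

Constructed example; not Cisco code. The rule: the DN is the ordered
concatenation of CN, OU and O separated by semicolons, CN mandatory,
OU and O optional. Attribute names are compared case-insensitively
(assumption, to accept the guide's lowercase 'cn=' example).
"""
import re

# The four forms the guide lists, as ordered attribute tuples.
_ALLOWED_FORMS = (
    ("CN", "OU", "O"),
    ("CN", "OU"),
    ("CN", "O"),
    ("CN",),
)
# One relative DN component: name, '=', non-empty value (whitespace trimmed).
_RDN = re.compile(r"^\s*([A-Za-z]+)\s*=\s*(.+?)\s*$")


def parse_subject_name(subject: str) -> dict:
    """Parse 'CN=xxx;OU=yyy;O=zzz' into {attr: value}.

    Raises ValueError for an empty string, an empty value, an attribute
    other than CN/OU/O, a repeated attribute, a missing CN, or attributes
    given in an order that is not one of the allowed forms.
    """
    if not subject.strip():
        raise ValueError("subject-name is empty")
    values = {}
    order = []
    for part in subject.split(";"):
        m = _RDN.match(part)
        if not m:
            raise ValueError(f"malformed RDN: {part!r}")
        attr, value = m.group(1).upper(), m.group(2)
        if attr not in ("CN", "OU", "O"):
            raise ValueError(f"attribute {attr} not allowed; only CN, OU, O")
        if attr in values:
            raise ValueError(f"attribute {attr} repeated")
        values[attr] = value
        order.append(attr)
    if tuple(order) not in _ALLOWED_FORMS:
        raise ValueError(f"order {';'.join(order)} is not an allowed form")
    return values


def is_valid_subject_name(subject: str) -> bool:
    """True if the string matches one of the four allowed forms."""
    try:
        parse_subject_name(subject)
    except ValueError:
        return False
    return True
```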