Cisco Systems ASA 5510, ASA 5512-X, ASA 5515-X, ASA 5520, ASA 5525-X, ASA 5540, ASA 5545-X, ASA 5550, ASA 5555-X, ASA 5580, ASA 5585-X, ASA 5505

53-11

Cisco ASA 5500 Series Configuration Guide using ASDM

Chapter53 Configuring the TLS Proxy for Encrypted Voice Inspection

CTL Provider

Step2 To specify a client proxy certificate to use for the TLS Proxy, perform the following. Select this option

when the client proxy certificate is being used between two servers; for example, when configuring the

TLS Proxy for Presence Federation, which uses the Cisco Unified Presence Server (CUPS), both the TLS

client and TLS server are both servers.

a. Check the Specify the proxy certificate for the TLS Client... check box.

b. Select a certificate from the drop-down list.

To create a new client proxy certificate, click Manage. The Manage Identify Certificates dialog box

opens. See the “Configuring Identity Certificates Authentication” section on page44-16.

Note When you are configuring the TLS Proxy for the Phone Proxy and it is using the mixed security mode

for the CUCM cluster, you must configure the LDC Issuer. The LDC Issuer lists the local certificate

authority to issue client or server dynamic certificates.

Step3 To specify an LDC Issuer to use for the TLS Proxy, perform the following. When you select and

configure the LDC Issuer option, the ASA acts as the certificate authority and issues certificates to TLS

clients.

a. Click the Specify the internal Certificate Authority to sign the local dynamic certificate for phones...

check box.

b. Click the Certificates radio button and select a self-signed certificate from the drop-down list or

click Manage to create a new LDC Issuer. The Manage Identify Certificates dialog box opens. See

the “Configuring Identity Certificates Authentication” section on page44-16.

Click the Certificate Authority radio button to specify a Certificate Authority (CA) server. When you

specify a CA server, it needs to be created and enabled in the ASA. To create and enable the CA

server, click Manage. The Edit CA Server Settings dialog box opens. See the “Authenticating Using

the Local CA” section on page44-23.

Note To make configuration changes after the local certificate authority has been configured for

the first time, disable the local certificate authority.

c. In the Key-Pair Name field, select a key pair from the drop-list. The list contains the already defined

RSA key pair used by client dynamic certificates. To see the key pair details, including generation

time, usage, modulus size, and key data, click Show.

To create a new key pair, click New. The Add Key Pair dialog box opens. See the “Configuring

Identity Certificates Authentication” section on page 44-16 for details about the Key Pair fields.

Step4 In the Security Algorithms area, specify the available and active algorithms to be announced or matched

during the TLS handshake.

•Available Algorithms—Lists the available algorithms to be announced or matched during the TLS

handshake: des-sha1, 3des-sha1, aes128-sha1, aes256-sha1, and null-sha1.

Add—Adds the selected algorithm to the active list.

Remove—Removes the selected algorithm from the active list.

Cisco Systems - page 1215