Cisco Systems ASA 5585-X Manual De Usuario

Once you have created the TLS proxy instance, create the phone proxy instance. See 

. 

For mixed mode clusters, there might be IP phones that are already configured as encrypted so it requires 
TLS to the Cisco UCM. You must configure the LDC issuer for the TLS proxy. 

hostname(config)# tls-proxy proxy_name

tls-proxy mytls

Creates the TLS proxy instance.

hostname(config-tlsp)# server trust-point 
_internal_PP_ctl-instance_filename

server trust-point _internal_PP_myctl

Configures the server trustpoint and references the 
internal trustpoint named 
_internal_PP_ctl-instance_filename.

hostname(config)# crypto key generate rsa label 

key-pair-label modulus size

hostname(config)# crypto key generate rsa label 

ldc_signer_key modulus 1024

hostname(config)# crypto key generate rsa label 

phone_common modulus 1024

Creates the necessary RSA key pairs.

Where the 

 is the LDC signer key 

and the key for the IP phones. 

hostname(config)# crypto ca trustpoint 

hostname(config)# crypto ca trustpoint ldc_server

Creates an internal local CA to sign the LDC for 
Cisco IP phones.

Where the trustpoint_name is for the LDC.

hostname(config-ca-trustpoint)# enrollment self 

Generates a self-signed certificate. 

hostname(config-ca-trustpoint)# proxy-ldc-issuer 

Defines the local CA role for the trustpoint to issue 
dynamic certificates for the TLS proxy.

hostname(config-ca-trustpoint)# fqdn fqdn

hostname(config-ca-trustpoint)# fqdn 

my-ldc-ca.example.com

Includes the indicated FQDN in the Subject 
Alternative Name extension of the certificate during 
enrollment.

Where the fqdn is for the LDC.