Cisco Systems and the ASA Services Module Manual De Usuario

Follow these tasks to configure the phone proxy in a Non-secure Cisco UCM Cluster:

Create trustpoints and generate certificates for each entity in the network (Cisco UCM, Cisco UCM and 
TFTP, TFTP server, CAPF) that the IP phone must trust. The certificates are used in creating the CTL 
file. See 

. 

Before you create the trustpoints and generate certificates, you must have imported the required 
certificates, which are stored on the Cisco UCM. See 

 and 

Create the CTL file for the phone proxy. See 

. 

Create the TLS proxy instance. See 

Create the media termination instance for the phone proxy. See 

Create the phone proxy instance. See 

. 

Enable the phone proxy y with SIP and Skinny inspection. See 

.

For the TLS proxy used by the phone proxy to complete the TLS handshake successfully, it needs to 
verify the certificates from the IP phone (and the Cisco UCM if doing TLS with Cisco UCM). To validate 
the IP phone certificate, we need the CA Manufacturer certificate which is stored on the Cisco UCM. 
Follow these steps to import the CA Manufacturer certificate to the ASA.

Go to the Cisco UCM Operating System Administration web page.

Choose Security > Certificate Management.

Earlier versions of Cisco UCM have a different UI and way to locate the certificates. For 
example, in Cisco UCM version 4.x, certificates are located in the directory 

C:\Program 

Files\Cisco\Certificates

. See your Cisco Unified Communications Manager (CallManager) 

documentation for information about locating certificates.