17-10
Cisco ASA Series Firewall CLI Configuration Guide

Chapter 17      Configuring the TLS Proxy for Encrypted Voice Inspection
Command                                                    Purpose

Step 5
  Command:  ciscoasa(config-ca-trustpoint)# subject-name X.500_name
  Example:  ciscoasa(config-ca-trustpoint)# subject-name cn=EJW-SV-1-Proxy
  Purpose:  Includes the indicated subject DN in the certificate during enrollment.
            Cisco IP Phones require certain fields from the X.509v3 certificate to be
            present to validate the certificate via consulting the CTL file.
            Consequently, the subject-name entry must be configured for a proxy
            certificate trustpoint. The subject name must be composed of the ordered
            concatenation of the CN, OU and O fields. The CN field is mandatory; the
            others are optional.

            Note: Each of the concatenated fields (when present) is separated by a
            semicolon, yielding one of the following forms:
              CN=xxx;OU=yyy;O=zzz
              CN=xxx;OU=yyy
              CN=xxx;O=zzz
              CN=xxx

Step 6
  Command:  hostname(config-ca-trustpoint)# keypair keyname
  Example:  ciscoasa(config-ca-trustpoint)# keypair ccm_proxy_key
  Purpose:  Specifies the key pair whose public key is to be certified.

Step 7
  Command:  hostname(config-ca-trustpoint)# exit
  Purpose:  Exits from the CA Trustpoint configuration mode.

Step 8
  Command:  hostname(config)# crypto ca enroll trustpoint
  Example:  ciscoasa(config)# crypto ca enroll ccm_proxy
  Purpose:  Starts the enrollment process with the CA and specifies the name of the
            trustpoint to enroll with.

What to Do Next

Once you have created the trustpoints and generated the certificates, create the internal CA to sign the LDC for Cisco IP Phones. See Creating an Internal CA.

Creating an Internal CA

Create an internal local CA to sign the LDC for Cisco IP Phones.

This local CA is created as a regular self-signed trustpoint with proxy-ldc-issuer enabled. You can use the embedded local CA LOCAL-CA-SERVER on the ASA to issue the LDC.

Command                                                    Purpose

Step 1
  Command:  ciscoasa(config)# crypto ca trustpoint trustpoint_name
  Example:  ciscoasa(config)# ! for the internal local LDC issuer
            ciscoasa(config)# crypto ca trustpoint ldc_server
  Purpose:  Enters the trustpoint configuration mode for the specified trustpoint so
            that you can create the trustpoint for the LDC issuer.

Step 2
  Command:  ciscoasa(config-ca-trustpoint)# enrollment self
  Purpose:  Generates a self-signed certificate.
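The subject-name rule in Step 5 (CN mandatory, then optional OU and O, in that order, separated by semicolons rather than the usual commas) is easy to get wrong, and a phone will simply reject the proxy certificate. The following is an added example, not code from the Cisco guide: a small Python checker that validates a subject-name string against the four allowed forms, builds a conforming one from its parts, and audits every `crypto ca trustpoint` block in a saved ASA configuration. The sample configuration is constructed for the example and uses a hypothetical trustpoint named bad_proxy to show a failing case.

```python
import re

# The four forms listed in the guide, anchored so nothing may follow the O field
# and the fields may not be reordered. Attribute names are matched case-insensitively
# because the guide's own example uses "cn=" while the note writes "CN=".
_PROXY_SUBJECT_RE = re.compile(
    r"^CN=([^;=]+)(?:;OU=([^;=]+))?(?:;O=([^;=]+))?$", re.IGNORECASE
)


def parse_proxy_subject(subject_name):
    """Return {'CN','OU','O'} for a conforming subject-name, or None if it is not."""
    m = _PROXY_SUBJECT_RE.match(subject_name.strip())
    if not m:
        return None
    return {"CN": m.group(1), "OU": m.group(2), "O": m.group(3)}


def build_proxy_subject(cn, ou=None, o=None):
    """Assemble a subject-name in the ordered, semicolon-separated form the phones expect."""
    if not cn:
        raise ValueError("CN is mandatory")
    parts = [("CN", cn), ("OU", ou), ("O", o)]
    for attr, value in parts:
        if value and (";" in value or "=" in value):
            raise ValueError(f"{attr} may not contain ';' or '='")
    return ";".join(f"{attr}={value}" for attr, value in parts if value)


def audit_trustpoint_subjects(config_text):
    """Map each trustpoint in an ASA config to (subject_name, parsed) so bad ones are visible."""
    results, current = {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("crypto ca trustpoint "):
            current = line.split(None, 3)[3]
            results[current] = (None, None)  # no subject-name seen yet
        elif current and line.startswith("subject-name "):
            subject = line[len("subject-name "):].strip()
            results[current] = (subject, parse_proxy_subject(subject))
    return results


# Constructed sample config: ccm_proxy follows the guide; bad_proxy uses commas (X.500 style).
SAMPLE_CONFIG = """\
crypto ca trustpoint ccm_proxy
 subject-name cn=EJW-SV-1-Proxy
 keypair ccm_proxy_key
crypto ca trustpoint bad_proxy
 enrollment self
 subject-name cn=Proxy,ou=Voice,o=Example
"""
```

Run the audit over `show running-config` output and treat any trustpoint whose parsed value is None as one the phones will not validate.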