Cisco Systems and the ASA Services Module User Manual

19-4
Cisco ASA Series Firewall CLI Configuration Guide
Chapter 19      Configuring Cisco Unified Presence
Information About Cisco Unified Presence
Trust Relationship in the Presence Federation

Within an enterprise, a trust relationship can be set up with self-signed certificates or with certificates issued by an internal CA.

Establishing a trust relationship across enterprises, or across administrative domains, is key to federation. Across enterprises you must use a trusted third-party CA (such as VeriSign). The ASA obtains a certificate with the FQDN of the Cisco UP (certificate impersonation).

For the TLS handshake, the two entities can validate the peer certificate through a certificate chain to trusted third-party certificate authorities. Both entities enroll with the CAs. The ASA, as the TLS proxy, must be trusted by both entities. The ASA is always associated with one of the enterprises. Within that enterprise (Enterprise X in Figure 19-3), the entity and the ASA can authenticate each other through a local CA or by using self-signed certificates.

To establish a trusted relationship between the ASA and the remote entity (Entity Y), the ASA can enroll with the CA on behalf of Entity X (Cisco UP). The enrollment request uses the Entity X identity (domain name).

Figure 19-3 shows how the trust relationship is established. The ASA enrolls with the third-party CA using the Cisco UP FQDN, as if the ASA were the Cisco UP.
Figure 19-3    How the Security Appliance Represents Cisco Unified Presence – Certificate Impersonation

[Figure: the ASA sits between the Cisco UP in Enterprise X and the Microsoft Presence Server (Access Proxy and LCS/OCS Director), which is reached across the Internet. On the internal leg, Cisco UP and the ASA use TLS with a self-signed certificate or one from the local CA (Key 1). The ASA enrolls with the 3rd-party CA using the FQDN of the Cisco UP and receives a certificate for which it holds the private key (Key 2); on the external leg, the ASA and the Microsoft Presence Server use TLS with this Cisco UP certificate. Presence traffic passing through the ASA is inspected and modified (if needed).]
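The following script is an added example and is not part of the Cisco guide; it models the certificate material of Figure 19-3 with openssl so that the two trust decisions can be checked on a workstation. The Cisco UP FQDN `cup.example.com`, the "third-party" root CA, the self-signed Cisco UP certificate and the unrelated CA are all constructed here as stand-ins (a real deployment enrolls the ASA with an actual third-party CA through the ASA's own enrollment procedure, which this page does not show). The point it demonstrates is that the certificate the ASA presents to Entity Y carries the Cisco UP identity, chains to the third-party root, and is rejected if either the chain or the name check fails, while the internal leg is accepted on an explicitly trusted self-signed certificate.

```shell
#!/bin/sh
# Added example (not from the Cisco guide): model the trust material of Figure 19-3 with openssl.
# Assumptions: the Cisco UP FQDN is the hypothetical "cup.example.com"; the third-party CA,
# the self-signed Cisco UP certificate and the "unrelated CA" are generated here as stand-ins.
set -eu

CUP_FQDN="cup.example.com"                         # hypothetical Cisco UP FQDN
WORK="${TMPDIR:-/tmp}/presence-trust-demo.$$"      # scratch directory for generated files

# Create the certificates and keys that the two TLS legs in Figure 19-3 rely on.
setup_trust_material() {
    mkdir -p "$WORK"

    # Stand-in for the trusted third-party CA (the role VeriSign plays in the text).
    openssl req -x509 -batch -newkey rsa:2048 -nodes -days 2 \
        -keyout "$WORK/thirdparty-ca.key" -out "$WORK/thirdparty-ca.crt" \
        -subj "/CN=Third-Party Root CA (demo)" >/dev/null 2>&1

    # The ASA generates its own key pair (Key 2) but puts the Cisco UP FQDN, not its own
    # hostname, into the request: this is the "enroll with FQDN of Cisco UP" step.
    openssl req -batch -newkey rsa:2048 -nodes \
        -keyout "$WORK/asa-key2.key" -out "$WORK/asa-impersonation.csr" \
        -subj "/CN=$CUP_FQDN" >/dev/null 2>&1
    printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth,clientAuth\n' "$CUP_FQDN" \
        > "$WORK/san.ext"

    # The third-party CA issues the certificate; the ASA now holds a Cisco UP certificate
    # together with a private key that only the ASA knows.
    openssl x509 -req -in "$WORK/asa-impersonation.csr" \
        -CA "$WORK/thirdparty-ca.crt" -CAkey "$WORK/thirdparty-ca.key" -CAcreateserial \
        -days 2 -extfile "$WORK/san.ext" -out "$WORK/asa-impersonation.crt" >/dev/null 2>&1

    # Inside Enterprise X the Cisco UP itself uses a self-signed certificate (Key 1).
    openssl req -x509 -batch -newkey rsa:2048 -nodes -days 2 \
        -keyout "$WORK/cup-key1.key" -out "$WORK/cup-selfsigned.crt" \
        -subj "/CN=$CUP_FQDN" >/dev/null 2>&1

    # A CA that neither side trusts, used only to show a failed chain check.
    openssl req -x509 -batch -newkey rsa:2048 -nodes -days 2 \
        -keyout "$WORK/unrelated-ca.key" -out "$WORK/unrelated-ca.crt" \
        -subj "/CN=Unrelated CA (demo)" >/dev/null 2>&1
}

# Check the remote entity (Entity Y, the Microsoft presence server) performs on the certificate
# the ASA presents: the chain must end at a trusted third-party root, and the name in the
# certificate must be the Cisco UP FQDN that Entity Y expects to be talking to.
# $1 = trust anchor file, $2 = presented certificate, $3 = expected peer name
remote_peer_accepts() {
    openssl verify -CAfile "$WORK/$1" -verify_hostname "$3" "$WORK/$2" >/dev/null 2>&1
}

# Check the ASA performs on the intra-enterprise leg: the self-signed Cisco UP certificate is
# trusted explicitly (a local CA certificate would take its place when an internal CA is used).
asa_accepts_internal_peer() {
    openssl verify -CAfile "$WORK/cup-selfsigned.crt" "$WORK/cup-selfsigned.crt" >/dev/null 2>&1
}

demo() {
    setup_trust_material
    remote_peer_accepts thirdparty-ca.crt asa-impersonation.crt "$CUP_FQDN" \
        && echo "Entity Y accepts the ASA's Cisco UP certificate via the third-party CA"
    remote_peer_accepts thirdparty-ca.crt asa-impersonation.crt "other.example.com" \
        || echo "Entity Y rejects the same certificate when the expected name differs"
    remote_peer_accepts thirdparty-ca.crt cup-selfsigned.crt "$CUP_FQDN" \
        || echo "Entity Y rejects the self-signed certificate: no chain to a trusted CA"
    remote_peer_accepts unrelated-ca.crt asa-impersonation.crt "$CUP_FQDN" \
        || echo "Entity Y rejects the certificate when its trust anchor is a different CA"
    asa_accepts_internal_peer \
        && echo "ASA accepts the self-signed Cisco UP certificate on the internal leg"
    rm -rf "$WORK"
}

demo
```

The two verification functions are deliberately separate: Entity Y never sees the internal self-signed certificate or the local CA, and the Cisco UP never needs the third-party root, which is exactly why the ASA must hold a certificate that each side can validate on its own leg.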