[cisco-voip] CUMA and ASA as Proxy

Dane Newman dane.newman at gmail.com
Sun Oct 25 16:23:32 EDT 2009


Will the ASA be OK with any trusted SSL cert, such as one from GoDaddy that's
30 bucks a year, as opposed to the cheapest GeoTrust one that's $250 a year?

On Thu, Jul 2, 2009 at 9:40 AM, Ryan Ratliff <rratliff at cisco.com> wrote:

> For lab purposes you *should* be able to get it to work.  It's not TAC
> supported but that really doesn't matter for a demo.  I also believe
> Verisign has temp cert you can get for free (but it has an expiration date).
>
> Regarding the name, it needs to match whatever you populate in the external
> DNS, which should resolve to the ASA.
>
> "Obtain the IP address and fully qualified domain name for the Proxy Host"
> The proxy host is your ASA.
>
> -Ryan
>
>
> On Jul 2, 2009, at 9:32 AM, Voice Noob wrote:
>
> I have a procedure on how to make the self signed certs work on my phone.
> That is the least of my problems or concerns. If it does not work that's
> fine but I have to try. We are only looking at a pilot of about two phones.
> If we do a customer deployment we will have them get a correct cert.
>
> In the below step do I create the cert using the name of my Cisco ASA or of
> the name of my CUMA server?
>
>
>
> http://www.cisco.com/en/US/docs/voice_ip_comm/cuma/7_0/english/install/guide/cuma_70_IAG_02_ASA.html
>
> (For New Installations) How to Obtain and Import the Cisco Adaptive Security
> Appliance-to-Client Certificate
> This procedure is required unless you are upgrading from Release 3.1.2 and
> reusing your signed certificate from your Proxy Server.
>
> This procedure has several subprocedures:
>
> - Generate a Certificate Signing Request
>
> - Submit the Certificate Signing Request to the Certificate Authority
>
> - Upload the Signed Certificate to the Cisco Adaptive Security Appliance
>
> Generate a Certificate Signing Request
> Before You Begin
>
> - Obtain the IP address and fully qualified domain name for the Proxy Host
> Name as specified in Obtaining IP Addresses and DNS Names from IT, page
> 1-3.
>
> - Determine required values for your company or organization name,
> organizational unit, country, and state or province. See the table in
> Creating Security Contexts, page 9-7. You must enter identical values in
> the Cisco Adaptive Security Appliance and in the relevant security context
> in Cisco Unified Mobility Advantage.
>
> Procedure
>
>
>
> --------------------------------------------------------------------------------
>
> Step 1 Enter configuration mode:
>
> conf t
>
> Step 2 Generate a key pair for this certificate:
>
> crypto key generate rsa label <keypair-cuma-signed> modulus 1024
>
> You will see a "Please wait..." message; look carefully for the prompt to
> reappear.
>
> Step 3 Create a trustpoint with the necessary information to generate the
> certificate request:
>
> crypto ca trustpoint <trustpoint-cuma-signed>
>
> subject-name CN=<Proxy Host Name of the Cisco Unified Mobility Advantage
> server. Use the Fully Qualified Domain Name.>,OU=<organization unit
> name>,O=<company or organization name as publicly registered>,C=<2 letter
> country code>,St=<state>,L=<city>
>
> (For requirements for the Company, organization unit, Country, and State
> values, see the values you determined in the prerequisite for this
> procedure.)
>
> keypair <keypair-cuma-signed>
>
> fqdn <Proxy Host Name of the Cisco Unified Mobility Advantage server. This
> value must exactly match the value you entered for CN above.>
>
> enrollment terminal
>
> Step 4 Get the certificate signing request to send to the Certificate
> Authority:
>
> crypto ca enroll <trustpoint-cuma-signed>
>
> % Start certificate enrollment.
>
> % The subject name in the certificate will be:CN=<Proxy Host Name of the
> Cisco Unified Mobility Advantage server>,OU=<organization unit
> name>,O=<organization name>,C=<2 letter country code>,St=<state>,L=<city>
>
> % The fully-qualified domain name in the certificate will be: <Proxy Host
> Name of the Cisco Unified Mobility Advantage server>
>
> % Include the device serial number in the subject name? [yes/no]: no
>
> % Display Certificate Request to terminal? [yes/no]: yes
>
> Step 5 Copy the entire text of the displayed Certificate Signing Request
> and paste it into a text file.
>
> Include the following lines. Make sure that there are no extra spaces at
> the end.
>
> ----BEGIN CERTIFICATE----
>
> ----END CERTIFICATE----
>
> Step 6 Save the text file.
>
>
>
> --------------------------------------------------------------------------------
>
> What To Do Next
>
>
> -----Original Message-----
> From: Craig Staffin [mailto:cmstaffin at gmail.com]
> Sent: Wednesday, July 01, 2009 9:46 PM
> To: Voice Noob
> Cc: CiscosupportUpuck
> Subject: Re: [cisco-voip] CUMA and ASA as Proxy
>
> I am going through this battle right now
>
> As far as self signed certs the response from the BU was that they are
> completely not supported as mobile phones do not do certs "well".  In
> other words if you can manage to get the CA of your domain onto your
> phone it might work for a week or two but then it might fail.  The BU
> states that you need to use a verisign cert or GEOTrust.
>
> Let me know if you need more help.
> On Jul 1, 2009, at 8:43 PM, Voice Noob wrote:
>
>> Has anyone deployed CUMA 7.x using the ASA as the Proxy server? I am
>> having a problem with the documentation on exactly how I set up the
>> ASA and the certificate requests. I don't know if the name I should
>> put into the requests is the CUMA server name or the hostname of my
>> ASA.
>>
>> Also, has anyone done this using self-signed certs with an internal
>> CA? I don't think I can get this company to pay for a cert from
>> Verisign or GeoTrust. In fact I know I can't.
>> _______________________________________________
>> cisco-voip mailing list
>> cisco-voip at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/cisco-voip
>>
>
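A consistency check for the prerequisites in the quoted procedure (the CN must equal the fqdn value, be the externally resolvable FQDN that points at the ASA rather than a short name or IP, carry subject values identical to the CUMA security context, and the CSR must be copied without trailing spaces), as an added Python example that is not from the thread or from Cisco's documentation; the hostname, organization values and the tiny sample CSR are constructed placeholders, and it assumes the CSR is pasted with standard PEM BEGIN/END markers.

```python
import base64
import re
# Constructed trustpoint block in the form of the quoted procedure (placeholder names).
SAMPLE_TRUSTPOINT = """\
crypto ca trustpoint trustpoint-cuma-signed
 subject-name CN=cuma.example.com,OU=Voice,O=Example Corp,C=US,St=Texas,L=Austin
 keypair keypair-cuma-signed
 fqdn cuma.example.com
 enrollment terminal
"""
# CUMA security-context values (constructed); the procedure says they must equal the ASA's.
SAMPLE_CONTEXT = {"O": "Example Corp", "OU": "Voice", "C": "US", "St": "Texas"}

def parse_subject(subject):
    """Split 'CN=a,OU=b,...' into a dict, keeping values as typed."""
    rdns = {}
    for part in subject.split(","):
        key, _, value = part.partition("=")
        rdns[key.strip()] = value.strip()
    return rdns

def check_trustpoint(config, context):
    """Return a list of problems; an empty list means the block is consistent."""
    subj = re.search(r"^\s*subject-name\s+(.+?)\s*$", config, re.M)
    fqdn = re.search(r"^\s*fqdn\s+(\S+)\s*$", config, re.M)
    if not subj or not fqdn:
        return ["subject-name or fqdn line missing"]
    rdns, problems = parse_subject(subj.group(1)), []
    for k in ("CN", "OU", "O", "C", "St", "L"):
        if not rdns.get(k):
            problems.append(f"missing {k} in subject-name")
    cn = rdns.get("CN", "")
    if cn != fqdn.group(1):
        problems.append(f"fqdn {fqdn.group(1)!r} does not match CN {cn!r}")
    if "." not in cn or re.fullmatch(r"[\d.]+", cn):
        problems.append("CN must be the externally resolvable FQDN, not a short name or IP")
    for k, v in context.items():
        if rdns.get(k) != v:
            problems.append(f"{k}: ASA {rdns.get(k)!r} != security context {v!r}")
    return problems

def clean_pem(text):
    """Step 5: strip trailing spaces, keep only the PEM block, confirm the body is DER."""
    lines = [l.rstrip() for l in text.splitlines()]
    start = next(i for i, l in enumerate(lines) if l.startswith("-----BEGIN"))
    end = next(i for i, l in enumerate(lines) if l.startswith("-----END"))
    der = base64.b64decode("".join(lines[start + 1:end]), validate=True)
    if der[:1] != b"\x30":  # every DER CSR or certificate starts with a SEQUENCE tag
        raise ValueError("PEM body is not a DER SEQUENCE")
    return "\n".join(lines[start:end + 1]) + "\n"
```

Run `check_trustpoint` on the trustpoint lines you intend to type before `crypto ca enroll`, since a CN/fqdn mismatch or a name that is not what external DNS resolves to only shows up later as a client-side certificate error.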