[cisco-voip] CUMA and ASA as Proxy
Ryan Ratliff
rratliff at cisco.com
Mon Oct 26 10:31:56 EDT 2009
The outside certificate the ASA presents to the mobile phones has to
be one of those specified in the documentation (GeoTrust and
Verisign). This is because the phones only come loaded with the root
certificates for those two CAs, and TAC does not support the loading
of 3rd party root certificates on your phones.
That said, if you want to load the GoDaddy root certificate on every
phone that's going to talk to your ASA/CUMA then go for it, just don't
call TAC if it isn't working (the certificate part anyway).
-Ryan
On Oct 25, 2009, at 4:23 PM, Dane Newman wrote:
Will the ASA be OK with any trusted SSL cert, such as one from GoDaddy
that's 30 bucks a year, as opposed to the cheapest GeoTrust one that's
$250 a year?
On Thu, Jul 2, 2009 at 9:40 AM, Ryan Ratliff <rratliff at cisco.com> wrote:
For lab purposes you *should* be able to get it to work. It's not TAC
supported, but that really doesn't matter for a demo. I also believe
Verisign has a temp cert you can get for free (but it has an expiration
date).
Regarding the name, it needs to match whatever you populate in the
external DNS, which should resolve to the ASA.
"Obtain the IP address and fully qualified domain name for the Proxy
Host"
The proxy host is your ASA.
-Ryan
On Jul 2, 2009, at 9:32 AM, Voice Noob wrote:
I have a procedure on how to make the self-signed certs work on my phone.
That is the least of my problems or concerns. If it does not work, that's
fine, but I have to try. We are only looking at a pilot of about two
phones.
If we do a customer deployment we will have them get a correct cert.
In the below step, do I create the cert using the name of my Cisco ASA
or the name of my CUMA server?
http://www.cisco.com/en/US/docs/voice_ip_comm/cuma/7_0/english/install/guide/cuma_70_IAG_02_ASA.html
(For New Installations) How to Obtain and Import the Cisco Adaptive Security Appliance-to-Client Certificate

This procedure is required unless you are upgrading from Release 3.1.2 and reusing your signed certificate from your Proxy Server.

This procedure has several subprocedures:
- Generate a Certificate Signing Request
- Submit the Certificate Signing Request to the Certificate Authority
- Upload the Signed Certificate to the Cisco Adaptive Security Appliance

Generate a Certificate Signing Request

Before You Begin
- Obtain the IP address and fully qualified domain name for the Proxy Host Name as specified in Obtaining IP Addresses and DNS Names from IT, page 1-3.
- Determine required values for your company or organization name, organizational unit, country, and state or province. See the table in Creating Security Contexts, page 9-7. You must enter identical values in the Cisco Adaptive Security Appliance and in the relevant security context in Cisco Unified Mobility Advantage.

Procedure
--------------------------------------------------------------------------------

Step 1 Enter configuration mode:
    conf t

Step 2 Generate a key pair for this certificate:
    crypto key generate rsa label <keypair-cuma-signed> modulus 1024
You will see a "Please wait..." message; look carefully for the prompt to reappear.

Step 3 Create a trustpoint with the necessary information to generate the certificate request:
    crypto ca trustpoint <trustpoint-cuma-signed>
    subject-name CN=<Proxy Host Name of the Cisco Unified Mobility Advantage server. Use the Fully Qualified Domain Name.>,OU=<organization unit name>,O=<company or organization name as publicly registered>,C=<2 letter country code>,St=<state>,L=<city>
(For requirements for the Company, organization unit, Country, and State values, see the values you determined in the prerequisite for this procedure.)
    keypair <keypair-cuma-signed>
    fqdn <Proxy Host Name of the Cisco Unified Mobility Advantage server. This value must exactly match the value you entered for CN above.>
    enrollment terminal

Step 4 Get the certificate signing request to send to the Certificate Authority:
    crypto ca enroll <trustpoint-cuma-signed>
    % Start certificate enrollment.
    % The subject name in the certificate will be: CN=<Proxy Host Name of the Cisco Unified Mobility Advantage server>,OU=<organization unit name>,O=<organization name>,C=<2 letter country code>,St=<state>,L=<city>
    % The fully-qualified domain name in the certificate will be: <Proxy Host Name of the Cisco Unified Mobility Advantage server>
    % Include the device serial number in the subject name? [yes/no]: no
    % Display Certificate Request to terminal? [yes/no]: yes

Step 5 Copy the entire text of the displayed Certificate Signing Request and paste it into a text file.
Include the following lines. Make sure that there are no extra spaces at the end.
    ----BEGIN CERTIFICATE----
    ----END CERTIFICATE----

Step 6 Save the text file.
--------------------------------------------------------------------------------

What To Do Next
-----Original Message-----
From: Craig Staffin [mailto:cmstaffin at gmail.com]
Sent: Wednesday, July 01, 2009 9:46 PM
To: Voice Noob
Cc: CiscosupportUpuck
Subject: Re: [cisco-voip] CUMA and ASA as Proxy
I am going through this battle right now.
As far as self-signed certs go, the response from the BU was that they are
completely not supported, as mobile phones do not do certs "well". In
other words, if you can manage to get the CA of your domain onto your
phone it might work for a week or two, but then it might fail. The BU
states that you need to use a Verisign cert or GeoTrust.
Let me know if you need more help.
On Jul 1, 2009, at 8:43 PM, Voice Noob wrote:
Has anyone deployed CUMA 7.x using the ASA as the Proxy server? I am
having a problem with the documentation on exactly how I set up the
ASA and the certificate requests. I don't know if the name I should
put into the requests is the CUMA server name or the hostname of my
ASA.
Also, has anyone done this using self-signed certs with an internal
CA? I don't think I can get this company to pay for a cert from
Verisign or GeoTrust. In fact, I know I can't.
_______________________________________________
cisco-voip mailing list
cisco-voip at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-voip
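The CSR step quoted in the thread and the trust-store argument in the replies, reproduced with openssl as an added example. This is not code from the thread, from Cisco, or from the ASA; cuma-proxy.example.com, "Example Corp" and the two test root CAs are constructed stand-ins, and the SAN written here plays the role of the trustpoint's fqdn value. It shows the two checks a phone performs that the replies describe: the certificate must chain to a root the client already holds, and the name in it must be the externally published proxy host name (the name that resolves to the ASA), not the CUMA server's name.

```shell
#!/bin/sh
# Added example (not from the thread or from Cisco). Builds the ASA-to-client
# CSR with the subject fields the quoted procedure lists, signs it with a
# constructed CA, and then checks it the way a client would:
#   1. does the chain end at a root already in the client's store?
#   2. does the name in the cert match the name the client connected to?
# Every name below is constructed for this example.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

PROXY_FQDN="cuma-proxy.example.com"   # constructed stand-in for the ASA's public name

# Key pair + CSR with the subject fields the procedure lists. The SAN stands
# in for the trustpoint's "fqdn" value and must equal the CN.
make_csr() {   # $1 = FQDN, $2 = CSR output path
  cat > "$WORK/req.cnf" <<EOF
[req]
distinguished_name = dn
req_extensions = ext
prompt = no
[dn]
CN = $1
OU = IT
O = Example Corp
C = US
ST = Virginia
L = Richmond
[ext]
subjectAltName = DNS:$1
EOF
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/proxy.key" \
    -config "$WORK/req.cnf" -out "$2" 2>/dev/null
}

# Self-signed root with real CA extensions so openssl verify treats it as an
# issuer. Used twice: as the CA that signs the proxy cert, and as an unrelated
# CA representing the roots a phone ships with.
make_ca() {   # $1 = CA name, $2 = cert output path, $3 = key output path
  cat > "$WORK/ca.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = ca_ext
prompt = no
[dn]
CN = $1
O = Example Corp
C = US
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  openssl req -x509 -new -newkey rsa:2048 -nodes -keyout "$3" \
    -config "$WORK/ca.cnf" -days 30 -out "$2" 2>/dev/null
}

# Sign the CSR with a CA, carrying the SAN over to the issued certificate.
sign_csr() {   # $1 = CSR, $2 = CA cert, $3 = CA key, $4 = FQDN, $5 = cert output
  printf 'subjectAltName = DNS:%s\n' "$4" > "$WORK/san.cnf"
  openssl x509 -req -in "$1" -CA "$2" -CAkey "$3" -CAcreateserial -days 30 \
    -extfile "$WORK/san.cnf" -out "$5" 2>/dev/null
}

# CN of a CSR, to compare with the name published in external DNS.
csr_cn() {   # $1 = CSR path
  openssl req -in "$1" -noout -subject | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# What the client does: chain the presented cert to a root in its own store
# and check the name it connected to. Returns 0 only if both hold.
client_accepts() {   # $1 = cert, $2 = CA bundle the client trusts, $3 = name connected to
  openssl verify -CAfile "$2" -verify_hostname "$3" "$1" >/dev/null 2>&1
}

build_pki() {
  make_csr "$PROXY_FQDN" "$WORK/proxy.csr"
  make_ca "Constructed Issuing Root" "$WORK/ca.pem" "$WORK/ca.key"
  make_ca "Constructed Phone-Bundled Root" "$WORK/phone-root.pem" "$WORK/phone-root.key"
  sign_csr "$WORK/proxy.csr" "$WORK/ca.pem" "$WORK/ca.key" "$PROXY_FQDN" "$WORK/proxy.pem"
}

build_pki
echo "CSR CN: $(csr_cn "$WORK/proxy.csr") (expected $PROXY_FQDN)"
client_accepts "$WORK/proxy.pem" "$WORK/ca.pem" "$PROXY_FQDN" \
  && echo "client holding the issuing root: accepted"
client_accepts "$WORK/proxy.pem" "$WORK/phone-root.pem" "$PROXY_FQDN" \
  || echo "client holding only its bundled root: rejected (unknown issuer)"
client_accepts "$WORK/proxy.pem" "$WORK/ca.pem" "cuma.internal.example.com" \
  || echo "client connecting to the CUMA server's name: rejected (name mismatch)"
```

The two rejections at the end are the failure modes the replies describe: a certificate from a CA whose root the phone does not carry fails before the name is even looked at, and a certificate issued for the CUMA server's internal name fails against the proxy name the phone actually dials. Loading an extra root onto each phone, as Ryan describes, only fixes the first of these.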