[cisco-voip] Cisco Unified Mobility Advantage ssl requirements

Jason Burns burns.jason at gmail.com
Mon Oct 26 17:45:03 EDT 2009


Dane,

Regarding your first question:

> Traffic does not have to flow through the ASA, just to it, and then it will
> proxy the info, correct?  Meaning I don't have to put the ASA facing my
> internet connection; it can just be a host with a private address.

You provision the phone to connect to the DNS Domain Name of the ASA
Interface. The DNS Domain Name must resolve to the IP of the outside ASA
interface. The certificate must be for this DNS name. If your phones have
wireless connections (besides cellular) you could provision an internal IP
and DNS domain name for the ASA's outside interface. If your phones must use
the cell provider's data connection then you must have a public (Internet)
facing ASA interface as well as a fully resolving domain name and matching
certificate for that name.

Regarding the second question:

> Can I use a self-signed certificate with the iPhone client for test?  Do I
> have to purchase a trusted root one?  If so it references VeriSign or
> GeoTrust.  Would a cheaper vendor like GoDaddy for 30 bucks a year work?

The reason Cisco supports only Geotrust and Verisign is that the ASA needs
to present a certificate that your cell phone can trust. We can only
guarantee that at a minimum the Geotrust and Verisign root certs will come
preloaded on your phone.

If you can get the root cert for GoDaddy uploaded to your cell phone then
there is nothing to stop you from using that on your ASA. Cisco will not
support the process of loading root certificates into different cell phones
though, so you'd be on your own for figuring out if that is possible for
your model of phone.

Hope this helps.

Jason


On Sun, Oct 25, 2009 at 10:32 AM, Dane Newman <dane.newman at gmail.com> wrote:

> Hello
>
> I want to test Unified Mobility Advantage in a lab and I was curious about
> the certificate requirements.  I am able to run my ASA on VMware ESXi and
> hang it off my DMZ.  Traffic does not have to flow through the ASA, just to
> it, and then it will proxy the info, correct?  Meaning I don't have to put the
> ASA facing my internet connection; it can just be a host with a private
> address.
>
>
> Also
>
> I see one of the requirements is below.  Can I use a self-signed
> certificate with the iPhone client for test?  Do I have to purchase a
> trusted root one?  If so it references VeriSign or GeoTrust.  Would a
> cheaper vendor like GoDaddy for 30 bucks a year work?
>
>   Certificate Requirements
>
> The Cisco Adaptive Security Appliance requires a signed certificate from
> VeriSign or GeoTrust. These certificates are supported because they are
> generally available on all mobile devices.
>
> _______________________________________________
> cisco-voip mailing list
> cisco-voip at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-voip
>
>
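
The two conditions in the reply above (the certificate is issued for the DNS name the phone is provisioned with, and it chains to a root the phone already trusts) can be checked with the openssl CLI before deploying. This is an added example, not part of the original thread; the host name, CA names and file paths are constructed placeholders, and a CA file stands in for the phone's preloaded root store.

```shell
#!/bin/sh
# Added example. All names below are constructed lab placeholders.
ASA_FQDN="asa.lab.example"   # hypothetical DNS name the phone is provisioned with

# make_lab_pki DIR
# Builds a throwaway PKI in DIR:
#   trusted.pem  root that stands in for a CA preloaded on the phone
#   other.pem    root the phone does NOT have
#   asa.pem      server certificate for $ASA_FQDN, signed by the trusted root
make_lab_pki() {
    d=$1
    for ca in trusted other; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
            -subj "/CN=$ca lab root" \
            -keyout "$d/$ca.key" -out "$d/$ca.pem" 2>/dev/null || return 1
    done
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$ASA_FQDN" \
        -keyout "$d/asa.key" -out "$d/asa.csr" 2>/dev/null || return 1
    # The certificate must carry the DNS name the client will connect to.
    printf 'subjectAltName=DNS:%s\n' "$ASA_FQDN" > "$d/san.ext"
    openssl x509 -req -in "$d/asa.csr" -days 2 \
        -CA "$d/trusted.pem" -CAkey "$d/trusted.key" -CAcreateserial \
        -extfile "$d/san.ext" -out "$d/asa.pem" 2>/dev/null
}

# check_asa_cert ROOT_PEM CERT_PEM DNS_NAME
# Prints one of: ok | untrusted-root | name-mismatch
check_asa_cert() {
    # Step 1: does the certificate chain to a root the device trusts?
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 \
        || { echo untrusted-root; return 1; }
    # Step 2: is the certificate issued for the provisioned DNS name?
    openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1 \
        || { echo name-mismatch; return 1; }
    echo ok
}
```

To check a real deployment, pass the CA file matching a root known to be on the phone, the certificate installed on the ASA, and the DNS name configured in the client.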