Will the ASA be OK with any trusted SSL cert, such as one from GoDaddy that's 30 bucks a year, as opposed to the cheapest GeoTrust one that's $250 a year?<br><br>
<div class="gmail_quote">On Thu, Jul 2, 2009 at 9:40 AM, Ryan Ratliff <span dir="ltr">&lt;<a href="mailto:rratliff@cisco.com">rratliff@cisco.com</a>&gt;</span> wrote:<br>
<blockquote style="BORDER-LEFT: #ccc 1px solid; MARGIN: 0px 0px 0px 0.8ex; PADDING-LEFT: 1ex" class="gmail_quote">For lab purposes you *should* be able to get it to work. It's not TAC supported but that really doesn't matter for a demo. I also believe Verisign has a temp cert you can get for free (but it has an expiration date).<br>
<br>Regarding the name, it needs to match whatever you populate in the external DNS, which should resolve to the ASA.
<div class="im"><br>"Obtain the IP address and fully qualified domain name for the Proxy Host"<br></div>The proxy host is your ASA.<br><font color="#888888"><br>-Ryan</font>
<div>
<div></div>
<div class="h5"><br><br>On Jul 2, 2009, at 9:32 AM, Voice Noob wrote:<br><br>I have a procedure on how to make the self signed certs work on my phone.<br>That is the least of my problems or concerns. If it does not work that's<br>
fine but I have to try. We are only looking at a pilot of about two phones.<br>If we do a customer deployment we will have them get a correct cert.<br><br>In the below step do I create the cert using the name of my Cisco ASA or of<br>
the name of my CUMA server?<br><br><br><br><a href="http://www.cisco.com/en/US/docs/voice_ip_comm/cuma/7_0/english/install/guide/cuma_70_IAG_02_ASA.html" target="_blank">http://www.cisco.com/en/US/docs/voice_ip_comm/cuma/7_0/english/install/guide/cuma_70_IAG_02_ASA.html</a><br>
<br>(For New Installations) How to Obtain and Import the Cisco Adaptive Security<br>Appliance-to-Client Certificate<br>This procedure is required unless you are upgrading from Release 3.1.2 and<br>reusing your signed certificate from your Proxy Server.<br>
<br>This procedure has several subprocedures:<br><br>.Generate a Certificate Signing Request<br><br>.Submit the Certificate Signing Request to the Certificate Authority<br><br>.Upload the Signed Certificate to the Cisco Adaptive Security Appliance<br>
<br>Generate a Certificate Signing Request<br>Before You Begin<br><br>.Obtain the IP address and fully qualified domain name for the Proxy Host<br>Name as specified in Obtaining IP Addresses and DNS Names from IT, page 1-3.<br>
<br><br>.Determine required values for your company or organization name,<br>organizational unit, country, and state or province. See the table in<br>Creating Security Contexts, page 9-7. You must enter identical values in the<br>
Cisco Adaptive Security Appliance and in the relevant security context in<br>Cisco Unified Mobility Advantage.<br><br>Procedure<br><br><br>----------------------------------------------------------------------------<br>----<br>
<br>Step 1 Enter configuration mode:<br><br>conf t<br><br>Step 2 Generate a key pair for this certificate:<br><br>crypto key generate rsa label &lt;keypair-cuma-signed&gt; modulus 1024<br><br>You will see a "Please wait..." message; look carefully for the prompt to<br>
reappear.<br><br>Step 3 Create a trustpoint with the necessary information to generate the<br>certificate request:<br><br>crypto ca trustpoint &lt;trustpoint-cuma-signed&gt;<br><br>subject-name CN=&lt;Proxy Host Name of the Cisco Unified Mobility Advantage<br>
server. Use the Fully Qualified Domain Name.&gt;,OU=&lt;organization unit<br>name&gt;,O=&lt;company or organization name as publicly registered&gt;,C=&lt;2 letter<br>country code&gt;,St=&lt;state&gt;,L=&lt;city&gt;<br><br>
(For requirements for the Company, organization unit, Country, and State<br>values, see the values you determined in the prerequisite for this<br>procedure.)<br><br>keypair &lt;keypair-cuma-signed&gt;<br><br>fqdn &lt;Proxy Host Name of the Cisco Unified Mobility Advantage server. This<br>
value must exactly match the value you entered for CN above.&gt;<br><br>enrollment terminal<br><br>Step 4 Get the certificate signing request to send to the Certificate<br>Authority:<br><br>crypto ca enroll &lt;trustpoint-cuma-signed&gt;<br>
<br>% Start certificate enrollment.<br><br>% The subject name in the certificate will be:CN=&lt;Proxy Host Name of the<br>Cisco Unified Mobility Advantage server&gt;,OU=&lt;organization unit<br>name&gt;,O=&lt;organization name&gt;,C=&lt;2 letter country code&gt;,St=&lt;state&gt;,L=&lt;city&gt;<br>
<br>% The fully-qualified domain name in the certificate will be: &lt;Proxy Host<br>Name of the Cisco Unified Mobility Advantage server&gt;<br><br>% Include the device serial number in the subject name? [yes/no]: no<br><br>
% Display Certificate Request to terminal? [yes/no]: yes<br><br>Step 5 Copy the entire text of the displayed Certificate Signing Request and<br>paste it into a text file.<br><br>Include the following lines. Make sure that there are no extra spaces at the<br>
end.<br><br>----BEGIN CERTIFICATE----<br><br>----END CERTIFICATE----<br><br>Step 6 Save the text file.<br><br><br>----------------------------------------------------------------------------<br>----<br><br>What To Do Next<br>
<br><br>-----Original Message-----<br>From: Craig Staffin [mailto:<a href="mailto:cmstaffin@gmail.com" target="_blank">cmstaffin@gmail.com</a>]<br>Sent: Wednesday, July 01, 2009 9:46 PM<br>To: Voice Noob<br>Cc: CiscosupportUpuck<br>
Subject: Re: [cisco-voip] CUMA and ASA as Proxy<br><br>I am going through this battle right now<br><br>As far as self signed certs the response from the BU was that they are<br>completely not supported as mobile phones do not do certs "well". In<br>
other words if you can manage to get the CA of your domain onto your<br>phone it might work for a week or two but then it might fail. The BU<br>states that you need to use a verisign cert or GEOTrust.<br><br>Let me know if you need more help.<br>
On Jul 1, 2009, at 8:43 PM, Voice Noob wrote:<br><br>
<blockquote style="BORDER-LEFT: #ccc 1px solid; MARGIN: 0px 0px 0px 0.8ex; PADDING-LEFT: 1ex" class="gmail_quote">Has anyone deployed CUMA 7.x using the ASA as the Proxy server? I am<br>having a problem with the documentation on exactly how I set up the<br>
ASA and the certificate requests. I don't know if the name I should<br>put into the requests is the CUMA server name or the hostname of my<br>ASA.<br><br>Also has anyone done this using self-signed certs with an internal<br>
CA? I don't think I can get this company to pay for a cert from<br>Verisign or Geotrust. In fact I know I can't.<br>_______________________________________________<br>cisco-voip mailing list<br><a href="mailto:cisco-voip@puck.nether.net" target="_blank">cisco-voip@puck.nether.net</a><br>
<a href="https://puck.nether.net/mailman/listinfo/cisco-voip" target="_blank">https://puck.nether.net/mailman/listinfo/cisco-voip</a><br></blockquote><br>
</div></div></blockquote></div><br>
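The quoted procedure requires the trustpoint's fqdn to exactly match the CN, and the reply above ties that name to the external DNS record that resolves to the ASA. The Python check below is an added example, not part of the thread or of Cisco's documentation; the hostname cuma-proxy.example.com, the DN values and the 2048-bit minimum modulus are assumptions made for illustration.

```python
import re

# Constructed sample: the commands from the quoted procedure with
# placeholder values filled in (cuma-proxy.example.com is hypothetical).
SAMPLE_CONFIG = """\
crypto key generate rsa label keypair-cuma-signed modulus 1024
crypto ca trustpoint trustpoint-cuma-signed
 subject-name CN=cuma-proxy.example.com,OU=Voice,O=Example Corp,C=US,St=Minnesota,L=Minneapolis
 keypair keypair-cuma-signed
 fqdn cuma-proxy.example.com
 enrollment terminal
"""

FQDN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)


def check_trustpoint(config, external_dns_name, min_modulus=2048):
    """Return a list of problems found in an ASA trustpoint config block."""
    # min_modulus=2048 is this example's assumption, not a value from the thread.
    problems = []
    keys = dict(re.findall(r"crypto key generate rsa label (\S+) modulus (\d+)", config))
    subject = re.search(r"^\s*subject-name (.+)$", config, re.M)
    fqdn = re.search(r"^\s*fqdn (\S+)$", config, re.M)
    keypair = re.search(r"^\s*keypair (\S+)$", config, re.M)
    if not (subject and fqdn and keypair):
        return ["trustpoint needs subject-name, fqdn and keypair lines"]
    # Split the DN on commas; values in this sample contain no escaped commas.
    dn = dict(part.split("=", 1) for part in subject.group(1).split(",") if "=" in part)
    dn = {k.strip().upper(): v.strip() for k, v in dn.items()}
    cn = dn.get("CN", "")
    if not FQDN_RE.match(cn):
        problems.append(f"CN {cn!r} is not a fully qualified domain name")
    if cn != fqdn.group(1):
        problems.append(f"fqdn {fqdn.group(1)!r} does not exactly match CN {cn!r}")
    if cn.lower() != external_dns_name.lower():
        problems.append(f"CN {cn!r} differs from external DNS name {external_dns_name!r}")
    if not re.fullmatch(r"[A-Za-z]{2}", dn.get("C", "")):
        problems.append("C must be a 2 letter country code")
    label = keypair.group(1)
    if label not in keys:
        problems.append(f"keypair {label!r} was never generated")
    elif int(keys[label]) < min_modulus:
        problems.append(f"RSA modulus {keys[label]} is below {min_modulus} bits")
    return problems


if __name__ == "__main__":
    for line in check_trustpoint(SAMPLE_CONFIG, "cuma-proxy.example.com"):
        print("WARN:", line)
```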