Cisco ASA 5505 User Manual
Cisco ASA 5500 Series Configuration Guide using the CLI
Chapter 48 Configuring the Cisco Phone Proxy
Configuring the Phone Proxy
Step 3
Click Find and it will display all the certificates.
Step 4
Find the filename Cisco_Manufacturing_CA. This is the certificate needed to verify the IP phone certificate. Click the .PEM file Cisco_Manufacturing_CA.pem. This will show you the certificate information and a dialog box that has the option to download the certificate.
Note
If the certificate list contains more than one certificate with the filename Cisco_Manufacturing_CA, make sure you select the certificate Cisco_Manufacturing_CA.pem, the one with the .pem file extension.
Step 5
Click Download and save the file as a text file.
Step 6
On the ASA, create a trustpoint for the Cisco Manufacturing CA and enroll via terminal by entering the following commands. Enroll via terminal because you will paste the certificate you downloaded in .
hostname(config)# crypto ca trustpoint trustpoint_name
hostname(config-ca-trustpoint)# enrollment terminal
Step 7
Authenticate the trustpoint by entering the following command:
hostname(config)# crypto ca authenticate trustpoint
Step 8
You are prompted to “Enter the base 64 encoded CA Certificate.” Copy the .PEM file you downloaded in and paste it at the command line. The file is already in base-64 encoding so no conversion is required. If the certificate is OK, you are prompted to accept it: “Do you accept this certificate? [yes/no].” Enter yes.
Note
When you copy the certificate, make sure that you also copy the lines with BEGIN and END.
Tip
If the certificate is not OK, use the debug crypto ca command to show debug messages for PKI activity (used with CAs).
Step 9
Repeat the through for the next certificate. shows the certificates that are required by the ASA.
Table 48-2  Certificates Required by the Security Appliance for the Phone Proxy

Certificate Name          Required for...
------------------------  ------------------------------------------------------------
CallManager               Authenticating the Cisco UCM during TLS handshake; only
                          required for mixed-mode clusters.
Cisco_Manufacturing_CA    Authenticating IP phones with a Manufacturer Installed
                          Certificate (MIC).
CAP-RTP-001               Authenticating IP phones with a MIC.
CAP-RTP-002               Authenticating IP phones with a MIC.
CAPF                      Authenticating IP phones with an LSC.
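
A pre-paste check for the file saved in Step 5, as an added example that is not part of the Cisco guide: it confirms that the BEGIN and END lines are present, that the file holds exactly one certificate, and that the base-64 body decodes to a complete DER structure, so a dropped line is caught before the text reaches the trustpoint prompt. The function names and the sample input are constructed for illustration; the sample is filler bytes, not a real certificate.

```python
import base64
import hashlib
import re
import textwrap

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"
PEM_RE = re.compile(re.escape(BEGIN) + r"\s*(.*?)\s*" + re.escape(END), re.S)

def der_total_length(der):
    """Return the total size declared by the outer DER SEQUENCE header."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("does not start with a DER SEQUENCE")
    first = der[1]
    if first < 0x80:                      # short form: length in one byte
        return 2 + first
    n = first & 0x7F                      # long form: next n bytes hold the length
    if n == 0 or len(der) < 2 + n:
        raise ValueError("bad DER length field")
    return 2 + n + int.from_bytes(der[2:2 + n], "big")

def check_pem(text):
    """Return (True, sha256 hex of the DER) or (False, reason)."""
    if BEGIN not in text:
        return False, "missing BEGIN line"
    if END not in text:
        return False, "missing END line"
    blocks = PEM_RE.findall(text)
    if len(blocks) != 1:
        return False, f"expected 1 certificate, found {len(blocks)}"
    try:
        der = base64.b64decode("".join(blocks[0].split()), validate=True)
        declared = der_total_length(der)
    except ValueError as exc:             # binascii.Error is a ValueError
        return False, f"body is not base-64 DER: {exc}"
    if declared != len(der):
        return False, f"truncated or padded: header says {declared}, got {len(der)}"
    return True, hashlib.sha256(der).hexdigest()

def make_sample_pem():
    """Constructed stand-in, not a real certificate: SEQUENCE of 200 filler bytes."""
    der = b"\x30\x81\xc8" + bytes(range(200))
    body = "\n".join(textwrap.wrap(base64.b64encode(der).decode(), 64))
    return f"{BEGIN}\n{body}\n{END}\n"

if __name__ == "__main__":
    print(check_pem(make_sample_pem()))
```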