Cisco Unified Presence, Release 7.x -- How to Configure Security Certificate Exchange Between Cisco Unified Presence and Cisco Adaptive Security Appliance
From DocWiki
Main page: Cisco Unified Presence, Release 7.x
Contents
|
Previous Topic
Generating the Key Pair and Trustpoints on Cisco Adaptive Security Appliance
You need to generate the key pair for this certification (for example cup_proxy_key), and configure a trustpoint to identify the self-signed certificate from Cisco Adaptive Security Appliance to Cisco Unified Presence (for example cup_proxy). You need to specify the enrollment type as "self" to indicate you are generating a self-signed certificate on Cisco Adaptive Security Appliance, and specify the certificate subject name as the IP address of the inside interface.
Before You Begin
Ensure you carried out the configuration tasks described in the following chapters:
- Configuring Cisco Unified Presence for Federation
- Configuring Cisco Adaptive Security Appliance for this Integration
Procedure
1. Enter config mode, type:
- >Enable
- >password
- >config t
2. Enter this command to generate the key pair for this certification:
- crypto key generate rsa label cup_proxy_key modulus 1024
3. Enter the following sequence of commands to create a trustpoint for Cisco Unified Presence:
- crypto ca trustpoint <name of trustpoint e.g.cup_proxy>
- (config-ca-trustpoint)# enrollment self
- (config-ca-trustpoint)# fqdn none
- (config-ca-trustpoint)# subject-name cn=<ASA inside interface ip address>
- (config-ca-trustpoint)# keypair cup_proxy_key
Related Topics
Troubleshooting Tip
Enter the command show crypto key mypubkey rsa to check that the key pair is generated.
What To Do Next
Generating a Self-Signed Certificate on Cisco Adaptive Security Appliance
Generating a Self-Signed Certificate on Cisco Adaptive Security Appliance
Before You Begin
- Complete the steps in Generating the Key Pair and Trustpoints on Cisco Adaptive Security Appliance.
- You need a text editor that has UNIX support to complete this procedure. We recommend Microsoft Wordpad version 5.1, or Microsoft Notepad version 5.1 service pack 2.
Procedure
1. Enter this command to generate the self-signed certificate:
- (config-ca-trustpoint)# crypto ca enroll <name of trustpoint e.g.cup_proxy>
2. Enter no when you are prompted to include the device serial number in the subject name.
3. Enter yes when you are prompted to generate the self-signed certificate.
4. Enter this command to prepare the certificate to export to Cisco Unified Presence:
- crypto ca export cup_proxy identity-certificate
- The PEM encoded identity certificate displays on screen, for example:
- -----BEGIN CERTIFICATE-----
- MIIBnDCCAQWgAwIBAgIBMTANBgkqhkiG9w0BAQQFADAUMRIwEAYDVQQDEwlDVVAt........
- -----END CERTIFICATE-----
5. Cut and paste the entire contents of the Cisco Adaptive Security Appliance certificate into Workpad or Notepad with a .pem extension.
6. Save the .pem file to your local machine.
Related Topics
What To Do Next
Importing the Self Signed Certificate onto Cisco Unified Presence
Importing the Self Signed Certificate onto Cisco Unified Presence
Before You Begin
Generate a self-signed certificate on the Cisco Adaptive Security Appliance.
Procedure
- Select Cisco Unified Operating System Administration > Security > Certificate Management on Cisco Unified Presence.
- Click Upload Certificate.
- Select sipproxy-trust for Certificate Name.
- Note: Leave the Root Name field blank.
- Click Browse, and locate the Cisco Adaptive Security Appliance .pem certificate file (that you created in the previous procedure) on your local computer.
- Click Upload File to upload the certificate to the Cisco Unified Presence server.
Troubleshooting Tips
Perform a find on the certificate list, you will see an <asa ip address>.pem and an <asa ip address>.der in the certificate list.
Related Topics
What To Do Next
Generating a New Certificate on Cisco Unified Presence
Generating a New Certificate on Cisco Unified Presence
Before You Begin
Import the self-signed certificate onto Cisco Unified Presence.
Procedure
- Select Cisco Unified Operating System Administration > Security > Certificate Management on Cisco Unified Presence.
- Click Generate New.
- Select sipproxy for the certificate name.
Related Topics
What To Do Next
Importing the Cisco Unified Presence Certificate onto Cisco Adaptive Security Appliance
Importing the Cisco Unified Presence Certificate onto Cisco Adaptive Security Appliance
In order to import the Cisco Unified Presence certificate onto Cisco Adaptive Security Appliance, you need to create a trustpoint to identify the imported certificate from Cisco Unified Presence (e.g. cert_from_cup), and specify the enrollment type as "terminal" to indicate that you will paste the certificate received from Cisco Unified Presence into the terminal.
Before You Begin
- Generate a new certificate on Cisco Unified Presence.
- You need a text editor that has UNIX support to complete this procedure. We recommend Microsoft Wordpad version 5.1, or Microsoft Notepad version 5.1 service pack 2.
Procedure
1. Enter config mode, type:
- >Enable
- >password
- >config t
2. Enter this sequence of commands to create a trustpoint for the imported Cisco Unified Presence certificate:
- crypto ca trustpoint cert_from_cup
- enrollment terminal
3. Enter this command to import the certificate from Cisco Unified Presence:
- crypto ca authenticate cert_from_cup
4. Select Cisco Unified Operating System Administration > Security > Certificate Management on Cisco Unified Presence.
5. Click Find.
6. Locate the sipproxy certificate that you created in the previous procedure.
7. Click Download.
8. Open the sipproxy.pem file using one of the recommended text editors.
9. Cut and paste the contents of the sipproxy.pem into the Cisco Adaptive Security Appliance prompt window.
10. Enter quit.
11. Enter y when you are prompted to accept the certificate.
Troubleshooting Tips
Run the command show crypto ca certificate to view the certificate.
Related Topics
