Cisco Unified Presence, Release 7.x -- How to Configure Security Certificate Exchange Between Cisco Adaptive Security Appliance and Microsoft Access Edge Using VeriSign
Deleting the Old Certificates and Trustpoints
This procedure describes how to delete the old intermediate and signed certificate, and the trustpoint for the root certificate on Cisco Adaptive Security Appliance.
Before You Begin
Ensure you carried out the configuration tasks described in the following chapters:
- Configuring Cisco Unified Presence for Federation
- Configuring Cisco Adaptive Security Appliance for this Integration
Procedure
1. Enter config mode, type:
- > enable
- > password
- > config t
2. Enter this command to display the trustpoints:
- show crypto ca trustpoints
3. Enter this command to delete the trustpoint and associated certificates:
- no crypto ca trustpoint <name of trustpoint>
- The following warning output displays:
- WARNING: Removing an enrolled trustpoint will destroy all
- certificates received from the related Certificate Authority.
4. Enter yes when you are prompted to delete the trustpoint.
What To Do Next
Generating a New Trustpoint for VeriSign
Generating a New Trustpoint for VeriSign
Procedure
1. Enter config mode, type:
- > enable
- > password
- > config t
2. Enter this command to generate the key pair for this certification:
- crypto key generate rsa label keys_for_verisign
3. Enter the following sequence of commands to create a trustpoint for Cisco Unified Presence:
- crypto ca trustpoint <name of trustpoint>
- (config-ca-trustpoint)# enrollment terminal
- (config-ca-trustpoint)# subject-name cn=<fqdn>, OU=<organisational_unit>,O=<organisation_name>,C=<country>,St=<state>,L=<locality>
- (config-ca-trustpoint)# keypair keys_for_verisign
- (config-ca-trustpoint)# fqdn none
- (config-ca-trustpoint)# exit
- Note: If you are submitting a renewal certificate signing request (CSR) file to VeriSign, the subject-name value must contain the following information:
- Country (two letter country code only)
- State (no abbreviations)
- Locality (no abbreviations)
- Organization Name
- Organizational Unit
- Common Name (FQDN): this value must be the public FQDN of Cisco Unified Presence.
Troubleshooting Tips
Enter the command show crypto key mypubkey rsa to check that the key pair is generated.
What To Do Next
Importing the Intermediate Certificate
OR
Importing the Root Certificate onto Cisco Adaptive Security Appliance
Importing the Root Certificate onto Cisco Adaptive Security Appliance
Before You Begin
Generate a new trustpoint for VeriSign.
Procedure
1. Enter config mode, type:
- > enable
- > password
- > config t
2. Enter this command to import the certificate onto Cisco Adaptive Security Appliance:
- crypto ca authenticate <name of trustpoint>
3. Enter the CA certificate, for example:
- -----BEGIN CERTIFICATE-----
- MIIDAzCCAmwCEQC5L2DMiJ+hekYJuFtwbIqvMA0GCSqGSIb3DQEBBQUAMIH...
- -----END CERTIFICATE-----
- quit
- Note: Finish with the word "quit" on a separate line.
4. Enter yes when you are prompted to accept the certificate.
What To Do Next
Generating the Certificate Signing Request
Generating the Certificate Signing Request
Before You Begin
Import the root certificate onto Cisco Adaptive Security Appliance.
Procedure
1. Enter config mode, type:
- > enable
- > password
- > config t
2. Enter this command to send an enrollment request to the CA:
- crypto ca enroll <name of trustpoint>
- The following warning output displays:
- %WARNING: The certificate enrollment is configured with an fqdn
- that differs from the system fqdn. If this certificate will be
- used for VPN authentication this may cause connection problems.
3. Enter yes when you are prompted to continue with the enrollment.
- % Start certificate enrollment ..
- % The subject name in the certificate will be: <fqdn>, OU=<organisational_unit>,O=<organisation_name>,C=<country>,St=<state>,L=<locality>
4. Enter no when you are prompted to include the device serial number in the subject name.
5. Enter yes when you are prompted to display the certificate request in the terminal.
- The certificate request displays.
What To Do Next
Submitting the Certificate Signing Request to VeriSign
Submitting the Certificate Signing Request to VeriSign
When you submit the Certificate Signing Request, VeriSign will provide you with the following certificate files:
- verisign-signed-cert.cer (signed certificate)
- trial-inter-root.cer (subordinate intermediate root certificate)
- verisign-root-ca.cer (root CA certificate)
Save the certificate files in separate notepad files once you have downloaded them.
Before You Begin
- Complete the steps in Generating the Certificate Signing Request.
- You will need the challenge password that you defined when generating the Certificate Signing Request.
Procedure
1. Go to the VeriSign website.
2. Follow the procedure to enter a Certificate Signing Request.
3. When prompted, submit the challenge password for the Certificate Signing Request.
4. Paste the Certificate Signing Request into the window provided.
- Note: You need to paste from -----BEGIN CERTIFICATE----- to -----END CERTIFICATE----- inclusive.
What To Do Next
Deleting the Certificate Used for the Certificate Signing Request
Deleting the Certificate Used for the Certificate Signing Request
You must delete the temporary root certificate used to generate the Certificate Signing Request.
Before You Begin
Submit the Certificate Signing Request to VeriSign.
Procedure
1. Enter config mode, type:
- > enable
- > password
- > config t
2. Enter this command to display the certificates:
- show running-config crypto ca
- Look for the crypto ca certificate chain <name of trustpoint> section; the serial number of the certificate to delete is listed there.
3. Enter this command to delete the certificate:
- (config)# crypto ca certificate chain <name of trustpoint>
- (config-cert-chain)# no certificate ca 00b92f60cc889fa17a4609b85b70$
- The following warning output displays:
- WARNING: The CA certificate will be disassociated from this trustpoint and
- will be removed if it is not associated with any other trustpoint. Any
- other certificates issued by this CA and associated with this trustpoint
- will also be removed.
4. Enter yes when you are prompted to delete the trustpoint.
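An added check, not part of the Cisco procedure: it reads the serial number out of a certificate's PEM text so you can confirm that the value you pass to no certificate ca is the one belonging to the temporary root certificate you imported, rather than to the VeriSign intermediate. Only the leading DER fields are parsed, so the truncated certificate fragments shown on this page are enough input; the assumption (taken from the page's own example, which begins 00b92f60...) is that the appliance prints the serial as the raw DER integer bytes in hex, leading zero byte included.

```python
import base64
import re

# Truncated PEM fragments exactly as they appear on this page (the "..." tail
# is omitted). Only the leading DER fields are needed to reach the serial.
ROOT_CA_FRAGMENT = "MIIDAzCCAmwCEQC5L2DMiJ+hekYJuFtwbIqvMA0GCSqGSIb3DQEBBQUAMIH"
INTERMEDIATE_FRAGMENT = "MIIEwDCCBCmgAwIBAgIQY7GlzcWfeIAdoGNs+XVGezANBgkqhkiG9w0BAQU"


def _read_tlv(der: bytes, pos: int):
    """Decode one DER tag/length at pos; return (tag, content_start, content_len)."""
    tag = der[pos]
    length = der[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(der[pos:pos + n], "big")
        pos += n
    return tag, pos, length


def pem_body_to_der(pem: str) -> bytes:
    """Strip PEM armour and whitespace, then base64-decode. A dangling partial
    base64 group (as left by a truncated listing) is dropped, not an error."""
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", pem)
    body = re.sub(r"\s+", "", body)
    body = body[: len(body) - len(body) % 4]
    return base64.b64decode(body)


def certificate_serial_hex(pem: str) -> str:
    """Serial in the form the appliance lists it (assumption from the page's
    example): lowercase hex of the raw DER INTEGER bytes, leading 00 kept."""
    der = pem_body_to_der(pem)
    _, pos, _ = _read_tlv(der, 0)           # Certificate SEQUENCE
    tag, pos, _ = _read_tlv(der, pos)       # TBSCertificate SEQUENCE
    if tag != 0x30:
        raise ValueError("not an X.509 certificate")
    tag, pos, length = _read_tlv(der, pos)  # [0] EXPLICIT version (v3 only)...
    if tag == 0xA0:
        tag, pos, length = _read_tlv(der, pos + length)  # ...then serialNumber
    if tag != 0x02:
        raise ValueError("serialNumber INTEGER not found")
    return der[pos:pos + length].hex()


if __name__ == "__main__":
    print(certificate_serial_hex(ROOT_CA_FRAGMENT))       # v1 certificate, no version tag
    print(certificate_serial_hex(INTERMEDIATE_FRAGMENT))  # v3 certificate, version tag present
```

The root fragment yields the serial beginning 00b92f60cc889fa17a4609b85b70, matching the value in step 3 above; the intermediate yields a different serial, which is the one you must not delete.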
What To Do Next
Importing the Intermediate Certificate
Importing the Intermediate Certificate
Before You Begin
Generate a new trustpoint for VeriSign.
Procedure
1. Enter config mode, type:
- > enable
- > password
- > config t
2. Enter this command to import the certificate onto Cisco Adaptive Security Appliance:
- crypto ca authenticate <name of trustpoint>
3. Enter the CA certificate, for example:
- -----BEGIN CERTIFICATE-----
- MIIEwDCCBCmgAwIBAgIQY7GlzcWfeIAdoGNs+XVGezANBgkqhkiG9w0BAQU....
- -----END CERTIFICATE-----
- quit
- Note: Finish with the word "quit" on a separate line.
4. Enter yes when you are prompted to accept the certificate.
What To Do Next
Creating a Trustpoint for the Root Certificate
Creating a Trustpoint for the Root Certificate
Before You Begin
Import the intermediate certificate.
Procedure
1. Enter config mode, type:
- > enable
- > password
- > config t
2. Enter this command to generate the trustpoint:
- crypto ca trustpoint verisign_root
3. Enter the following sequence of commands:
- (config-ca-trustpoint)# revocation-check none
- (config-ca-trustpoint)# keypair keys_for_verisign
- (config-ca-trustpoint)# enrollment terminal
- (config-ca-trustpoint)# exit
What To Do Next
Importing the Root Certificate
Before You Begin
Create a trustpoint for the root certificate.
Procedure
1. Enter config mode, type:
- > enable
- > password
- > config t
2. Enter this command to import the certificate onto Cisco Adaptive Security Appliance:
- crypto ca authenticate verisign_root
3. Enter the CA certificate, for example:
- -----BEGIN CERTIFICATE-----
- MIICmDCCAgECECCol67bggLewTagTia9h3MwDQYJKoZIhvcNAQECBQAw....
- -----END CERTIFICATE-----
- quit
- Note: Finish with the word "quit" on a separate line.
4. Enter yes when you are prompted to accept the certificate.
What To Do Next
Importing the Signed Certificate
Importing the Signed Certificate
Before You Begin
Import the root certificate.
Procedure
1. Enter config mode, type:
- > enable
- > password
- > config t
2. Enter this command to import the certificate onto Cisco Adaptive Security Appliance:
- crypto ca import verisignca certificate
- The following warning output displays:
- WARNING: The certificate enrollment is configured with an fqdn
- that differs from the system fqdn. If this certificate will be
- used for VPN authentication this may cause connection problems.
3. Enter yes when you are prompted to continue with the certificate enrollment.
4. Enter the CA certificate, for example:
- -----BEGIN CERTIFICATE-----
- MIIFYTCCBEmgAwIBAgIQXtEPGWzZ0b9gejHejq+HazANBgkqhkiG9w0B....
- -----END CERTIFICATE-----
- quit
- Note: Finish with the word "quit" on a separate line.
5. Enter yes when you are prompted to accept the certificate.
What To Do Next
Importing the VeriSign Certificates onto Microsoft Access Edge
Importing the VeriSign Certificates onto Microsoft Access Edge
This procedure describes how to import the VeriSign root and intermediate certificates onto the Microsoft Access Edge server.
Before You Begin
Save the certificates that were provided by VeriSign to the Access Edge server, for example, in C:\.
Procedure
1. On the Access Edge server, enter mmc from the Run command.
2. Select File > Add/Remove Snap-in.
3. Click Add.
4. Click Certificates.
5. Click Add.
6. Select Computer account.
7. Click Next.
8. Select Local computer.
9. Click Finish.
10. Click OK to close the Add/Remove Snap-in window.
11. In the main console, expand the Certificates tree.
12. Open the Trusted Root Certificates branch.
13. Right-click on Certificates.
14. Select All Tasks > Import.
15. Click Next on the certificate wizard.
16. Browse for a VeriSign certificate in the C:\ directory.
17. Click Place all certificates in the following store.
18. Select Trusted Root Certification Authorities as the certificate store.
19. Repeat steps 13 to 18 to import the additional VeriSign certificates.