Cisco ASA 5505 Configuration Manual page 944

Configuring the UC-IME by using the Unified Communication Wizard
Configuring the Remote-Side Certificates for the Cisco Intercompany Media Engine Proxy
Establishing a trust relationship across enterprises or across administrative domains is key. Across
enterprises, you must use a trusted third-party CA (such as VeriSign). The adaptive security appliance
obtains a certificate with the FQDN of the Cisco Unified Communications Manager server (certificate
impersonation).
For the TLS handshake, the two entities could validate the peer certificate via a certificate chain to
trusted third-party certificate authorities. Both entities enroll with the CAs. The adaptive security
appliance as the TLS proxy must be trusted by both entities. The adaptive security appliance is always
associated with one of the enterprises. Within that enterprise, the entity and the adaptive security
appliance could authenticate each other via a local CA, or by using self-signed certificates.
To establish a trusted relationship between the adaptive security appliance and the remote entity, the
adaptive security appliance can enroll with the CA on behalf of the local enterprise. In the enrollment
request, the local Cisco UCM identity (domain name) is used.
To establish the trust relationship, the adaptive security appliance enrolls with the third-party CA by
using the Cisco Unified Communications Manager server FQDN, as if the security appliance were the Cisco
UCM.
Note: If the adaptive security appliance already has a signed identity certificate, you can skip Step 1
in this procedure and proceed directly to Step 3.

Step 1
In the ASA's Identity Certificate area, click Generate CSR. The CSR parameters dialog box appears.
For information about specifying additional parameters for the certificate signing request (CSR), see
Generating a Certificate Signing Request (CSR) for a Unified Communications Proxy, page 42-18.
Information dialog boxes appear indicating that the wizard is delivering the settings to the adaptive
security appliance and retrieving the certificate key pair information. The Identity Certificate Request
dialog box appears.
For information about saving the CSR that was generated and submitting it to a CA, see Saving the
Identity Certificate Request, page 42-19.

Step 2
In the ASA's Identity Certificate area, click Install ASA's Identity Certificate. See Installing the ASA
Identity Certificate on the Presence Federation and Cisco Intercompany Media Engine Servers,
page 42-21.

Step 3
In the Remote Server's CA's Certificate area, click Install Remote Server's CA's Certificate. Installing
the root certificates of the CA for the remote servers is necessary so that the adaptive security appliance
can determine that the remote servers are trusted.
The Install Certificate dialog box appears. Install the certificate. See Installing a Certificate, page 42-18.
Note: You must install the root certificates only when the root certificates for the remote servers are
received from a CA other than the one that provided the identity certificate for the adaptive
security appliance.

Step 4
Click Next.

Cisco ASA 5500 Series Configuration Guide using ASDM, OL-20339-01
Chapter 42, Using the Cisco Unified Communication Wizard, page 42-16
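
The trust decisions in this procedure can be checked in a lab with the openssl CLI. The script below is an added example, not part of the Cisco guide: it builds two constructed CAs, creates a CSR whose subject is a constructed Cisco UCM FQDN (as the appliance does when it enrolls), and tests the condition in the Step 3 note, that is, whether a remote server's certificate already chains to the CA that signed the ASA identity certificate. All host names, CA names and function names are assumptions.

```shell
#!/bin/sh
# Added example: throwaway lab PKI. Every name and certificate here is constructed.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Create a self-signed root standing in for a third-party CA. $1 = CA name
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# Generate a key pair and CSR for an FQDN, then have the CA sign it.
# $1 = CA name, $2 = subject FQDN; leaves $2.csr and $2.pem in $WORK
issue() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" \
    -CAcreateserial -days 1 -out "$WORK/$2.pem" 2>/dev/null
}

# Print the commonName carried in a CSR, to confirm which identity is being requested.
csr_cn() {
  openssl req -in "$1" -noout -subject -nameopt multiline |
    sed -n 's/^ *commonName *= //p'
}

# Step 3 note as a check: prints "no" when the remote server certificate ($2)
# verifies against the root that issued the ASA identity certificate ($1),
# and "yes" when a separate remote root certificate has to be installed.
needs_remote_root() {
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then echo no; else echo yes; fi
}

make_ca ca-a                        # signs the ASA identity certificate
make_ca ca-b                        # a different CA used by one remote enterprise
issue ca-a cucm.local.example       # enrollment request carries the local Cisco UCM FQDN
issue ca-a ime.remote-a.example     # remote server under the same CA
issue ca-b ime.remote-b.example     # remote server under another CA

echo "CSR subject CN: $(csr_cn "$WORK/cucm.local.example.csr")"
for r in ime.remote-a.example ime.remote-b.example; do
  echo "$r needs remote root install: $(needs_remote_root "$WORK/ca-a.pem" "$WORK/$r.pem")"
done
```

On a real deployment the same two checks apply to the CSR saved from the wizard and to the certificate the remote server actually presents.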