Security Certificate Exchange Between IM and Presence Service and Cisco Adaptive Security Appliance
This section explains the Security Certificate Exchange Between IM and Presence Service and Cisco Adaptive Security Appliance.
Generate Key Pair and Trustpoints on the Cisco Adaptive Security Appliance
You need to generate the key pair for this certificate (for example, imp_proxy_key) and configure a trustpoint that identifies the self-signed certificate presented by the Cisco Adaptive Security Appliance to IM and Presence Service (for example, imp_proxy). Specify the enrollment type as "self" to indicate that you are generating a self-signed certificate on the Cisco Adaptive Security Appliance, and specify the certificate subject name as the IP address of the inside interface.
Before you begin
Ensure that you have carried out the configuration tasks described in the following chapters:
Procedure
Step 1
On the Cisco Adaptive Security Appliance, enter configuration mode:
Step 2
Enter this command to generate the key pair for this certificate:
Step 3
Enter the following sequence of commands to create a trustpoint for IM and Presence Service:
Troubleshooting Tip: Enter the command
What to do next
Generate Self-Signed Certificate on the Cisco Adaptive Security Appliance
Generate Self-Signed Certificate on the Cisco Adaptive Security Appliance
Before you begin
- Complete the steps in Generate Key Pair and Trustpoints on the Cisco Adaptive Security Appliance.
- You need a text editor that has UNIX support to complete this procedure. We recommend Microsoft Wordpad version 5.1, or Microsoft Notepad version 5.1 service pack 2.
Procedure
Step 1
Enter this command to generate the self-signed certificate:
Step 2
Enter
Step 3
Enter
Step 4
Enter this command to prepare the certificate for export to the IM and Presence Service:
The PEM-encoded identity certificate is displayed on screen, for example:
Step 5
Copy and paste the entire contents of the Cisco Adaptive Security Appliance certificate into Wordpad or Notepad, and save it with a .pem extension.
Step 6
Save the .pem file to your local machine.
What to do next
Import Self-Signed Certificate onto the IM and Presence Service
Import Self-Signed Certificate onto the IM and Presence Service
Before you begin
Complete the steps in Generate Self-Signed Certificate on the Cisco Adaptive Security Appliance.
Procedure
Step 1
Log in to the Cisco Unified IM and Presence Operating System Administration user interface. Choose .
Step 2
Click Upload Certificate.
Step 3
For the Certificate Purpose, choose cup-trust.
Step 4
Click Browse, and locate the Cisco Adaptive Security Appliance .pem certificate file (which you created in the previous procedure) on your local computer.
Step 5
Click Upload File to upload the certificate to the IM and Presence Service node.
Troubleshooting Tip: Perform a find on the certificate list; an <asa ip address>.pem and an <asa ip address>.der entry should both appear in the certificate list.
What to do next
Generate a New Certificate on the IM and Presence Service
Note
Cisco ASA firewall certificates must have the Server Authentication and Client Authentication attributes set for both the inside and outside interfaces. You can verify this by checking the certificate's Enhanced Key Usage (EKU) parameter for the Object Identifier (OID) values 1.3.6.1.5.5.7.3.1 (Server Authentication) and 1.3.6.1.5.5.7.3.2 (Client Authentication).
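The EKU check described in the note, as an added example (not Cisco's code and not part of the original page): it decodes the extKeyUsage extension of a DER certificate, such as the .pem file exported in the previous procedure after pem_to_der(), and reports whether both OIDs are present. It assumes the extension can be located by searching the DER bytes for the extKeyUsage OID rather than walking the whole certificate structure, and the sample input is a constructed extension, not a real certificate.

```python
import base64
import re

SERVER_AUTH = "1.3.6.1.5.5.7.3.1"
CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"
EKU_EXT_OID = bytes.fromhex("0603551d25")  # DER of id-ce-extKeyUsage (2.5.29.37)

def der_tlv(buf, pos):
    """Decode one DER tag/length/value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the count of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):
    """Turn the body of a DER OBJECT IDENTIFIER into dotted-decimal form."""
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:  # base-128 arcs; high bit set on all but the last byte
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)

def eku_oids(cert_der):
    """OIDs in extKeyUsage, or [] if absent (assumption: found by OID bytes)."""
    idx = cert_der.find(EKU_EXT_OID)
    if idx < 0:
        return []
    tag, val, pos = der_tlv(cert_der, idx + len(EKU_EXT_OID))
    if tag == 0x01:  # an optional 'critical' BOOLEAN precedes the OCTET STRING
        tag, val, pos = der_tlv(cert_der, pos)
    _, seq, _ = der_tlv(val, 0)  # OCTET STRING wraps the ExtKeyUsageSyntax SEQUENCE
    oids, p = [], 0
    while p < len(seq):
        _, body, p = der_tlv(seq, p)
        oids.append(decode_oid(body))
    return oids

def has_required_eku(cert_der):
    """True only when both Server and Client Authentication are present."""
    return {SERVER_AUTH, CLIENT_AUTH} <= set(eku_oids(cert_der))

def pem_to_der(pem_text):
    """Strip BEGIN/END lines from an exported .pem and base64-decode the body."""
    return base64.b64decode(re.sub(r"-----[^-]+-----|\s", "", pem_text))

# Constructed sample: one extKeyUsage Extension (SEQ, extnID, OCTET STRING,
# EKU SEQ with serverAuth and clientAuth), not a whole certificate.
SAMPLE_EXT = bytes.fromhex(
    "301d0603551d250416301406082b0601050507030106082b06010505070302")
```

A certificate that lists only Server Authentication, or one whose extension carries the critical flag, is handled as well; the former fails the check, the latter passes.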
Before you begin
Complete the steps in Import Self-Signed Certificate onto the IM and Presence Service.
Procedure
Step 1
Log in to the Cisco Unified IM and Presence Operating System Administration user interface. Choose .
Step 2
Click Generate New.
Step 3
From the Certificate Purpose drop-down list, choose cup.
Step 4
Click Generate.
What to do next
Import an IM and Presence Service Certificate into the Cisco Adaptive Security Appliance
Import an IM and Presence Service Certificate into the Cisco Adaptive Security Appliance
To import the IM and Presence Service certificate onto the Cisco Adaptive Security Appliance, you need to create a trustpoint that identifies the certificate imported from the IM and Presence Service (for example, cert_from_imp), and specify the enrollment type as "terminal" to indicate that the certificate received from the IM and Presence Service will be pasted into the terminal.
Note
It is essential that the IM and Presence Service and Cisco Unified Communications Manager nodes and the Cisco Adaptive Security Appliance are synchronized to the same NTP source.
Before you begin
- Complete the steps in Generate a New Certificate on the IM and Presence Service.
- You need a text editor that has UNIX support to complete this procedure. We recommend Microsoft Wordpad version 5.1, or Microsoft Notepad version 5.1 service pack 2.
Procedure
Step 1
Enter configuration mode:
Step 2
Enter this sequence of commands to create a trustpoint for the imported IM and Presence Service certificate:
Step 3
Enter this command to import the certificate from IM and Presence Service:
Step 4
Log in to the Cisco Unified IM and Presence Operating System Administration user interface. Choose on the IM and Presence Service.
Step 5
Click Find.
Step 6
Locate the IM and Presence Service certificate that you created in the previous procedure.
Step 7
Click Download.
Step 8
Open the imp.pem file using one of the recommended text editors.
Step 9
Cut and paste the contents of imp.pem into the Cisco Adaptive Security Appliance terminal.
Step 10
Enter
Step 11
Enter
Step 12
Run the command
What to do next