Cisco ASA 5505 Configuration Manual page 965

Asa 5500 series

Chapter 43
Configuring the Cisco Phone Proxy
Configuring the Phone Proxy
Cisco ASA 5500 Series Configuration Guide using ASDM, OL-20339-01, page 43-15

Use the Create a Certificate Trust List (CTL) File pane to create a CTL file for the Phone Proxy. This
pane creates the CTL file that is presented to the IP phones during the TFTP handshake with the adaptive
security appliance. For a detailed overview of the CTL file used by the Phone Proxy, see the "Creating
the CTL File" section on page 43-14.

The Create a Certificate Trust List (CTL) File pane is used to configure the attributes for generating the
CTL file. The name of the CTL file instance is generated by the ASDM. When the user tries to edit the
CTL file instance configuration, the ASDM automatically generates the shutdown CLI command first
and the no shutdown CLI command as the last command.

This pane is available from the Configuration > Firewall > Unified Communications > CTL File pane.

Step 1  Open the Configuration > Firewall > Unified Communications > CTL File pane.

Step 2  Check the Enable Certificate Trust List File check box to enable the feature.

Step 3  To specify the CTL file to use for the Phone Proxy, perform one of the following:

        - If there is an existing CTL file available, download the CTL file to Flash memory by using the File
          Management Tool in the ASDM Tools menu. Select the Use certificates present in the CTL stored
          in flash radio button and specify the CTL file name and path in the text box.
          Use an existing CTL file to install the trustpoints for each entity in the network (CUCM, CUCM and
          TFTP, TFTP server, CAPF) that the IP phones must trust. If you have an existing CTL file that
          contains the correct IP addresses of the entities (namely, the IP address that the IP phones use for
          the CUCM or TFTP servers), you can use it to create a new CTL file. Store a copy of the existing
          CTL file to Flash memory and rename it something other than CTLFile.tlv.

        - If there is no existing CTL file available, select the Create new CTL file radio button.
          Add Record entries for each entity in the network such as CUCM, TFTP, and CUCM-TFTP option
          by clicking Add. The Add Record Entry dialog box opens. See Adding or Editing a Record Entry in
          a CTL File, page 43-15.

Step 4  Specify the number of SAST certificate tokens required. The default is 2; the maximum allowed is 5.
        Because the Phone Proxy generates the CTL file, it needs to create the System Administrator Security
        Token (SAST) key to sign the CTL file itself. This key can be generated on the adaptive security
        appliance. A SAST is created as a self-signed certificate. Typically, a CTL file contains more than one
        SAST. In case a SAST is not recoverable, the other one can be used to sign the file later.

Step 5  Click Apply to save the CTL file configuration settings.

Adding or Editing a Record Entry in a CTL File

Note    This feature is not supported for the Adaptive Security Appliance version 8.1.2.

Use the Add/Edit Record Entry dialog box to specify the trustpoints to be used for the creation of the
CTL file.
Add additional record-entry configurations for each entity that is required in the CTL file.

Step 1  Open the Configuration > Firewall > Unified Communications > CTL File pane.

Step 2  Check the Enable Certificate Trust List File check box to enable the feature.
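The CTL file settings from the procedures above, written as the equivalent ASA CLI in CTL file configuration mode. This is an added example, not part of the original manual page: the instance name, trustpoint names, addresses and file name are placeholders (the ASDM generates its own instance name), and the trustpoints are assumed to exist already.

```cisco
! Option 1: reuse the trustpoints from an existing CTL file stored in flash
! (Step 3, first choice). The stored copy is named something other than
! CTLFile.tlv, as the procedure requires. File name is a placeholder.
ctl-file example_ctl
 shutdown
 cluster-ctl-file disk0:/old_ctlfile.tlv
 no shutdown

! Option 2: build a new CTL file from record entries (Step 3, second choice),
! one record-entry per entity the IP phones must trust. Each address is the
! address the phones use to reach that entity. Names and addresses are
! placeholders.
ctl-file example_ctl
 shutdown
 record-entry cucm-tftp trustpoint example_cucm_tftp_tp address 192.0.2.10
 record-entry capf trustpoint example_capf_tp address 192.0.2.11
 ! Step 4: number of SAST tokens that sign the file (default 2, maximum 5)
 sast 2
 no shutdown
```

The two options are alternatives for the same instance, not a single configuration. The shutdown line first and no shutdown line last follow the order the page describes for edits made through the ASDM.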


This manual is also suitable for:

ASA 5510, ASA 5540, ASA 5520, ASA 5550, ASA 5580
