Cisco ASA 5505 Configuration Manual page 983

Cisco ASA 5500 Series Configuration Guide using ASDM, OL-20339-01, page 44-11

Chapter 44: Configuring the TLS Proxy for Encrypted Voice Inspection
CTL Provider

Note: When you are configuring the TLS Proxy for the Phone Proxy and it is using the mixed security mode for the CUCM cluster, you must configure the LDC Issuer. The LDC Issuer setting lists the local certificate authority that issues client or server dynamic certificates.

Step 3  To specify an LDC Issuer to use for the TLS Proxy, perform the following. When you select and configure the LDC Issuer option, the adaptive security appliance acts as the certificate authority and issues certificates to TLS clients.

  a. Click the Specify the internal Certificate Authority to sign the local dynamic certificate for phones... check box.

  b. Click the Certificates radio button and select a self-signed certificate from the drop-down list or click Manage to create a new LDC Issuer. The Manage Identity Certificates dialog box opens. See the "Configuring Identity Certificates Authentication" section on page 35-14.

     Or

     Click the Certificate Authority radio button to specify a Certificate Authority (CA) server. When you specify a CA server, it needs to be created and enabled in the adaptive security appliance. To create and enable the CA server, click Manage. The Edit CA Server Settings dialog box opens. See the "Authenticating Using the Local CA" section on page 35-22.

     Note: To make configuration changes after the local certificate authority has been configured for the first time, disable the local certificate authority.

  c. In the Key-Pair Name field, select a key pair from the drop-down list. The list contains the already defined RSA key pair used by client dynamic certificates. To see the key pair details, including generation time, usage, modulus size, and key data, click Show.

     Or

     To create a new key pair, click New. The Add Key Pair dialog box opens. See the "Configuring Identity Certificates Authentication" section on page 35-14 for details about the Key Pair fields.

Step 4  In the Security Algorithms area, specify the available and active algorithms to be announced or matched during the TLS handshake.

  - Available Algorithms—Lists the available algorithms to be announced or matched during the TLS handshake: des-sha1, 3des-sha1, aes128-sha1, aes256-sha1, and null-sha1.
      Add—Adds the selected algorithm to the active list.
      Remove—Removes the selected algorithm from the active list.

  - Active Algorithms—Lists the active algorithms to be announced or matched during the TLS handshake: des-sha1, 3des-sha1, aes128-sha1, aes256-sha1, and null-sha1. For client proxy (acting as a TLS client to the server), the user-defined algorithms replace the original ones from the hello message, which allows asymmetric encryption methods between the two TLS legs. For example, the leg between the proxy and Call Manager may be NULL cipher to offload the Call Manager.
      Move Up—Moves an algorithm up in the list.
      Move Down—Moves an algorithm down in the list.

Step 5  Click Next.
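The LDC Issuer and key pair from Step 3 and the active algorithms from Step 4 end up in the running configuration as sub-commands of a tls-proxy stanza. The following is an added example, not taken from the Cisco guide, that audits such stanzas for a missing LDC issuer or key pair and for the weaker suites in the Step 4 list. The sample configuration and all object names in it are constructed, and the LDC check assumes each proxy serves a mixed-mode Phone Proxy.

```python
import re

# Notes on the weaker suites in the Step 4 list; the two AES suites are not flagged.
SUITE_NOTES = {"null-sha1": "no encryption (integrity only)",
               "des-sha1": "56-bit DES",
               "3des-sha1": "legacy 64-bit block cipher"}

# Constructed sample in running-config form; every object name is hypothetical.
SAMPLE_CONFIG = """\
tls-proxy phone_proxy_tls
 server trust-point internal_pp
 client ldc issuer ldc_signer
 client ldc key-pair phone_common
 client cipher-suite null-sha1 aes128-sha1
tls-proxy no_ldc_tls
 server trust-point internal_pp
 client cipher-suite aes256-sha1 aes128-sha1
"""

def parse_tls_proxies(config):
    """Return {proxy_name: [sub-commands]} for each tls-proxy stanza."""
    proxies, current = {}, None
    for line in config.splitlines():
        m = re.match(r"tls-proxy\s+(\S+)", line)
        # "tls-proxy maximum-sessions" is a global limit, not a proxy instance.
        if m and m.group(1) != "maximum-sessions":
            current = proxies.setdefault(m.group(1), [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:
            current = None  # any other top-level line ends the stanza
    return proxies

def audit(config):
    """Return {proxy_name: [findings]}; an empty list means nothing flagged."""
    report = {}
    for name, cmds in parse_tls_proxies(config).items():
        # Assumption: each proxy serves a mixed-mode Phone Proxy, so LDC is required.
        findings = ["missing: " + req
                    for req in ("client ldc issuer", "client ldc key-pair")
                    if not any(c.startswith(req + " ") for c in cmds)]
        for c in cmds:
            if c.startswith("client cipher-suite "):
                findings += [f"{s}: {SUITE_NOTES[s]}" for s in c.split()[2:] if s in SUITE_NOTES]
        report[name] = findings
    return report

if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG))
```

A null-sha1 finding corresponds to the offload case described under Active Algorithms: signaling on that leg is integrity-protected but not encrypted, so it should be limited to a network segment you trust.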

This manual is also suitable for: ASA 5510, ASA 5540, ASA 5520, ASA 5550, ASA 5580
