Interdomain Federation for IM and Presence Service on Cisco Unified Communications Manager, Release 9.0(1)
SIP Federation Security Certificate Configuration with Cisco Adaptive Security Appliance
Downloads: This chapterpdf (PDF - 1.48MB) The complete bookPDF (PDF - 5.1MB) | The complete bookePub (ePub - 1.28MB) | Feedback

SIP Federation Security Certificate Configuration with Cisco Adaptive Security Appliance

Contents

SIP Federation Security Certificate Configuration with Cisco Adaptive Security Appliance


Note


IM and Presence Service Release 9.0(1) or later supports interdomain federation with Microsoft Lync. Any reference to interdomain federation with OCS also includes Microsoft Lync, unless explicitly stated otherwise.


Security Certificate Exchange Between IM and Presence Service and Cisco Adaptive Security Appliance

Generate Key Pair and Trustpoints on the Cisco Adaptive Security Appliance

You need to generate the key pair for this certification (for example imp_proxy_key), and configure a trustpoint to identify the self-signed certificate from Cisco Adaptive Security Appliance to IM and Presence Service (for example imp_proxy). You need to specify the enrollment type as "self" to indicate you are generating a self-signed certificate on CiscoAdaptive Security Appliance, and specify the certificate subject name as the IP address of the inside interface.

Before You Begin

Ensure you carried out the configuration tasks described in the following chapters:

Procedure
    Step 1   On the Cisco Adaptive Security Appliance enter configuration mode:

    > Enable

    > <password>

    > configure terminal

    Step 2   Enter this command to generate the key pair for this certification:

    crypto key generate rsa label imp_proxy_key modulus 1024

    Step 3   Enter the following sequence of commands to create a trustpoint for IM and Presence Service:

    crypto ca trustpoint trustpoint_name (for example, imp_proxy)

    (config-ca-trustpoint)# enrollment self

    (config-ca-trustpoint)# fqdn none

    (config-ca-trustpoint)# subject-name cn=ASA_inside_interface_ip_address

    (config-ca-trustpoint)# keypair imp_proxy_key

    Troubleshooting Tip

    Enter the command show crypto key mypubkey rsa to check that the key pair is generated.


    What to Do Next

    Generate Self-Signed Certificate on the Cisco Adaptive Security Appliance

    Generate Self-Signed Certificate on the Cisco Adaptive Security Appliance

    Before You Begin
    Procedure
      Step 1   Enter this command to generate the self-signed certificate:

      (config-ca-trustpoint)# crypto ca enroll trustpoint_name (for example, imp_proxy)

      Step 2   Enter no when you are prompted to include the device serial number in the subject name.
      Step 3   Enter yes when you are prompted to generate the self-signed certificate.
      Step 4   Enter this command to prepare the certificate to export to the IM and Presence Service:

      crypto ca export imp_proxy identity-certificate

      The PEM encoded identity certificate displays on screen, for example:

      -----BEGIN CERTIFICATE-----MIIBnDCCAQWgAwIBAgIBMTANBgkqhkiG9w0BAQQFADAUMRIwEAYDVQQDEwlDVVAt…….. -----END CERTIFICATE-----

      Step 5   Copy and paste the entire contents of the Cisco Adaptive Security Appliance certificate into Wordpad or Notepad with a .pem extension.
      Step 6   Save the .pem file to your local machine.

      What to Do Next

      Import Self-Signed Certificate onto the IM and Presence Service

      Import Self-Signed Certificate onto the IM and Presence Service

      Procedure
        Step 1   Log in to the Cisco Unified IM and Presence Operating System Administration user interface. Choose Security > Certificate Management.
        Step 2   Click Upload Certificate.
        Step 3   For the Certificate Purpose, choose cup-trust.
        Note   

        Leave the Root Name field blank.

        Step 4   Click Browse, and locate the Cisco Adaptive Security Appliance .pem certificate file (that you created in the previous procedure) on your local computer.
        Step 5   Click Upload File to upload the certificate to the IM and Presence Service node.

        Troubleshooting Tips

        Perform a find on the certificate list, <asa ip address>.pem and an <asa ip address>.der are in the certificate list.


        What to Do Next

        Generate a New Certificate on the IM and Presence Service

        Generate a New Certificate on the IM and Presence Service


        Note


        Cisco ASA firewall certificates must have the Server Authentication and Client Authentication attributes set for inside, outside. This can be verified by checking the certificate Enhanced Key Usage (EKU) parameter or for an Object Identifier (OID) value of:

        1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2


        Procedure
          Step 1   Log in to the Cisco Unified IM and Presence Operating System Administration user interface. Choose Security > Certificate Management.
          Step 2   Click Generate New.
          Step 3   From the Certificate Purpose drop-down list, choose cup.
          Step 4   Click Generate.

          What to Do Next

          Import an IM and Presence Service Certificate into the Cisco Adaptive Security Appliance

          Import an IM and Presence Service Certificate into the Cisco Adaptive Security Appliance

          In order to import the IM and Presence Service certificate onto the Cisco Cisco Adaptive Security Appliance, you need to create a trustpoint to identify the imported certificate from the IM and Presence Service (for example cert_from_imp), and specify the enrollment type as "terminal" to indicate that the certificate received from the IM and Presence Service will be pasted into the terminal.


          Note


          It is essential that the IM and Presence Service and the Cisco Unified Communications Manager nodes, and the Cisco Adaptive Security Appliance are synchronized off the same NTP source.


          Before You Begin
          Procedure
            Step 1   Enter configuration mode:

            > Enable

            > <password>

            > configure terminal

            Step 2   Enter this sequence of commands to create a trustpoint for the imported IM and Presence Service certificate:

            crypto ca trustpoint cert_from_imp enrollment terminal

            Step 3   Enter this command to import the certificate from IM and Presence Service:

            crypto ca authenticate cert_from_imp

            Step 4   Log in to the Cisco Unified IM and Presence Operating System Administration user interface. Choose Security > Certificate Management on the IM and Presence Service.
            Step 5   Click Find.
            Step 6   Locate the IM and Presence Service certificate that you created in the previous procedure.
            Step 7   Click Download.
            Step 8   Open the imp.pem file using one of the recommended text editors.
            Step 9   Cut and paste the contents of the imp.pem into the Cisco Adaptive Security Appliance terminal.
            Step 10   Enter quit.
            Step 11   Enter yes when you are prompted to accept the certificate.
            Step 12   Run the command show crypto ca certificate to view the certificate.

            What to Do Next

            Security Certificate Exchange Between Cisco Adaptive Security Appliance and Microsoft Access Edge (External Interface) with Microsoft CA

            Security Certificate Exchange Between Cisco Adaptive Security Appliance and Microsoft Access Edge (External Interface) with Microsoft CA

            These procedures are an example, and demonstrate how to configure certificates using the Microsoft CA.


            Note


            An example of this procedure using the VeriSign CA is provided in the appendix of this guide.


            CA Trustpoints

            When generating a trustpoint, you must specify an enrollment method to be used with the trustpoint. You can use Simple Certificate Enrollment Process (SCEP) as the enrollment method (assuming you are using a Microsoft CA), where you use the enrollment url command to define the URL to be used for SCEP enrollment with the trustpoint you declared. The URL defined should be the URL of your CA.

            You can also use manual enrollment as the enrollment method, where you use the enrollment terminal command to paste the certificate received from the CA into the terminal. Both enrollment method procedures are described in this section. Refer to the Cisco Security Appliance Command Line Configuration Guide for further details about the enrollment method.

            In order to use SCEP, you need to download the Microsoft SCEP add-on from the following URL:

            http:/​/​www.microsoft.com/​Downloads/​details.aspx?familyid=9F306763-D036-41D8-8860-1636411B2D01&displaylang=en

            The SCEP add-on must be installed on the Microsoft CA that you are configuring the certificates on.

            Download the SCEP add-on as follows:

            • Download and run scepsetup.exe.

            • Select local system account.

            • Deselect SCEP challenge phrase to enroll.

            • Enter the details of the CA.

            When you click Finish, retrieve the SCEP URL. You use this URL during trustpoint enrollment on the Cisco Adaptive Security Appliance.

            Configure a Certificate on the Cisco Adaptive Security Appliance Using SCEP

            Procedure
              Step 1   Enter this command to generate a key pair for the CA:

              crypto key generate rsa label public_key_for_ca modulus 1024

              Step 2   Enter this command to generate a trustpoint to identify the CA.

              crypto ca trustpoint trustpoint_name

              Step 3   Use the client-types command to specify the client connection types for the trustpoint that can be used to validate the certificates associated with a user connection. Enter this command to specify a client-types ssl configuration which indicates that SSL client connections can be validated using this trustpoint:

              (config-ca-trustpoint)# client-types ssl

              Step 4   Enter this command to configure the FQDN of the public IM and Presence Service address:

              fqdn fqdn_public_imp_address

              Note   

              You may be issued a warning regarding VPN authentication here.

              Step 5   Enter this command to configure a keypair for the trustpoint:

              keypair public_key_for_ca

              Step 6   Enter this command to configure the enrollment method for the trustpoint:

              enrollment url http://ca_ip_address/certsrv/mscep/mscep.dll

              Step 7   Enter this command to obtain the CA certificate for the trustpoint you configured:

              crypto ca authenticate trustpoint_name

              INFO: Certificate has the following attributes: Fingerprint: cc966ba6 90dfe235 6fe632fc 2e521e48

              Step 8   Enter yes when you are prompted to accept the certificate from the CA.

              Do you accept this certificate? [yes/no]: yes

              Trustpoint CA certificate accepted.

              Step 9   Run the crypto ca enroll command.

              crypto ca enroll trustpoint_name

              The following warning output displays:

              %WARNING: The certificate enrollment is configured with an fqdn that differs from the system fqdn. If this certificate will be used for VPN authentication this may cause connection problems.

              Step 10   Enter yes when you are prompted to continue with the enrollment.

              Would you like to continue with this enrollment? [yes/no]: yes

              % Start certificate enrollment..

              Step 11   Enter a password when you are prompted to create a challenge password.

              % Create a challenge password. You will need to verbally provide this password to the CA Administrator in order to revoke your certificate. For security reasons your password will not be saved in the configuration. Please make a note of it.

              Password: <password>

              ********** Re-enter password: **********

              Step 12   Enter no when you are prompted to include the device serial number in the subject name.
              Step 13   Enter yes when you are prompted to request the certificate from the CA.

              Request certificate from CA? [yes/no]: yes

              % Certificate request sent to Certificate Authority

              Step 14   Go to the CA and issue the pending certificate (if the certificate was not issued automatically).

              What to Do Next

              Certificate Configuration for the External Access Edge Interface

              Configure a Certificate on the Cisco Adaptive Security Appliance Using Manual Enrollment

              Enrolling a trustpoint by uploading a CA certificate:

              Procedure
                Step 1   Enter this command to generate a key pair for the CA:

                crypto key generate rsa label public_key_for_ca modulus 1024

                Step 2   Enter this sequence of commands to generate a trustpoint to identify the CA:

                crypto ca trustpoint trustpoint_name fqdn fqdn_public_imp_address client-types ssl keypair public_key_for_ca

                Note   
                • The FQDN value must be the FQDN of the public IM and Presence Service address.
                • The keypair value must be the keypair created for the CA.

                Step 3   Enter this command to configure the enrollment method for the trustpoint:

                enrollment terminal

                Step 4   Enter this command to authenticate the certificate:

                crypto ca authenticate trustpoint_name

                Step 5   Acquire the root certificate of the CA:
                1. Go to your CA webpage, for example, http(s)://ca_ip_address/certsrv.
                2. Click Download a CA certificate, certificate chain, or CRL.
                3. Choose Base 64.
                4. Download the CA certificate.
                5. Save the certificate as a .cer file, for example CARoot.cer.
                Step 6   Open the root certificate (.cer file) in a text editor.
                Step 7   Copy and paste the certificate contents into the Cisco Adaptive Security Appliance terminal.
                Step 8   Enter yes when you are prompted to accept the certificate.

                Generating a CSR for Cisco Adaptive Security Appliance Public Certificate.

                Step 9   Enter this command to send an enrollment request to the CA:

                crypto ca enroll trustpoint_name

                Step 10   Enter no when you are asked if you want to include the device serial number in the subject name.
                Step 11   Enter yes when you are asked to Display Certificate Request to terminal.
                Step 12   Copy and paste this base-64 certificate into a text editor (to use in a later step).
                Step 13   Enter no when you are asked to redisplay the enrollment request.
                Step 14   Paste the base-64 certificate (that you copied in Step 4) into the certificate request page of your CA:
                1. Go to your CA webpage, for example, http(s)://ca_ip_address/certsrv.
                2. Click Request a certificate.
                3. Click Advanced Certificate request.
                4. Click Submit a certificate request by using a base-64-encoded CMC orPKCS#10 file...
                5. Paste the base-64 certificate (that you copied in Step 4).
                6. Submit the request and issue the certificate from the CA.
                7. Download the certificate and save as a *.cer file.
                8. Open the certificate in a text editor, copy and paste the contents into the terminal. End with the word quit on a separate line.
                Step 15   Enter this command to import the certificate that you receive from the CA:

                crypto ca import trustpoint_name certificate

                Step 16   Enter yes when you are asked if you want to continue with the enrollment.

                What to Do Next

                Certificate Configuration for the External Access Edge Interface

                Certificate Configuration for the External Access Edge Interface

                This procedure describes how to configure the certificate on the Access Edge server with a standalone CA.

                Download CA Certification Chain

                Procedure
                  Step 1   On the Access Edge Server, choose Start > Run.
                  Step 2   Enter http://<name of your Issuing CA Server>/certsrv, and click OK.
                  Step 3   Click Download a CA certificate, certificate chain, or CRL from the Select a task menu.
                  Step 4   Click Download CA certificate chain from Download a CA Certificate, Certificate Chain, or CRL menu.
                  Step 5   Click Save in the File Download dialog box.
                  Step 6   Save the file on a hard disk drive on your server. This file has an extension of .p7b. If you open this .p7b file, the chain displays the following two certificates:
                  1. name of Standalone root CA certificate
                  2. name of Standalone subordinate CA certificate (if any)

                  What to Do Next

                  Install a CA Certification Chain

                  Install a CA Certification Chain

                  Before You Begin

                  Complete the steps inDownload CA Certification Chain

                  Procedure
                    Step 1   Choose Start > Run.
                    Step 2   Enter mmc, and click OK.
                    Step 3   From the File menu, choose Add/Remove Snap-in.
                    Step 4   Click Add in the Add/Remove Snap-in dialog box.
                    Step 5   In the list of Available Standalone Snap-ins, choose Certificates.
                    Step 6   Click Add.
                    Step 7   Choose Computer account.
                    Step 8   Click Next.
                    Step 9   In the Select Computer dialog box, perform the following tasks:
                    1. Ensure that <Local Computer> (the computer this console is running on) is selected.
                    2. Click Finish.
                    Step 10   Click Close.
                    Step 11   Click OK.
                    Step 12   In the left pane of the Certificates console, expand Certificates: Local Computer.
                    Step 13   Expand Trusted Root Certification Authorities.
                    Step 14   Right-click Certificates, and point to All Tasks.
                    Step 15   Click Import.
                    Step 16   In the Import wizard, click Next.
                    Step 17   Click Browse and go to where you saved the certificate chain.
                    Step 18   Choose the file, and click Open.
                    Step 19   Click Next.
                    Step 20   Leave the default value Place all certificates in the store and ensure that Trusted Root Certification Authorities appears under the Certificate store.
                    Step 21   Click Next.
                    Step 22   Click Finish.

                    What to Do Next

                    Request Certificate from CA Server

                    Request Certificate from CA Server

                    Before You Begin

                    Complete the steps in Install a CA Certification Chain

                    Procedure
                      Step 1   Log in to the Access Edge server and open a web browser.
                      Step 2   Open the following URL: http://certificate_authority_server_IP_address/certsrv
                      Step 3   Click Request a Certificate.
                      Step 4   Click Advanced Certificate Request.
                      Step 5   Click Create and submit a request to this CA.
                      Step 6   In the Type of Certificate Needed list, click Other.
                      Step 7   Enter the FQDN of the Access Edge external interface for the Subject Common Name,
                      Step 8   in the Object Identifier (OID) field, enter the following value:

                      1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2

                      Note   

                      A comma separates the two 1s in the middle of the OID.

                      Step 9   Perform one of the following procedures:
                      1. If you are using Windows Certificate Authority 2003, in Key Options check the Store certificate in the local computer certificate store check box.
                      2. If you are using Windows Certificate Authority 2008, refer to the workaround described in this sections Troubleshooting Tips.
                      Step 10   Enter a friendly name.
                      Step 11   Click Submit.

                      What to Do Next

                      Download Certificate from CA Server

                      Download Certificate from CA Server

                      Before You Begin

                      Complete the steps in Request Certificate from CA Server

                      Procedure
                        Step 1   Launch the CA console by choosing Start > Administrative Tools > Certificate Authority.
                        Step 2   In the left pane, click on Pending Requests.
                        Step 3   In the right pane, right-click on the certificate request that you submitted.
                        Step 4   Choose All Tasks > Issue.
                        Step 5   Open http://local_server/certsrv on the Access Edge server that CA is running on.
                        Step 6   Click View the Status of a Pending Certificate Request then click your certificate request.
                        Step 7   Click Install this certificate.

                        What to Do Next

                        Upload a Certificate onto Access Edge

                        Upload a Certificate onto Access Edge

                        This procedure describes how to upload the certificate on the Access Edge server using the Certificate Wizard. You can also import the certificates manually on the Access Edge server by choosing Microsoft Office Communications Server 2007 > Properties > Edge Interfaces.

                        Before You Begin

                        Complete the steps in Download Certificate from CA Server

                        Procedure
                          Step 1   Choose Start > Administrative Tools > Computer Management on the Access Edge server.
                          Step 2   Iin the left pane, right-click on Microsoft Office Communications Server 2007.
                          Step 3   Click Certificates.
                          Step 4   Click Next.
                          Step 5   Click the Assign an existing certificate task option.
                          Step 6   Click Next.
                          Step 7   Choose the certificate that you wish to use for the External Access Edge Interface, and click Next.
                          Step 8   Click Next.
                          Step 9   Check the Edge Server Public Interface check box, and click Next.
                          Step 10   Click Next.
                          Step 11   Click Finish.

                          What to Do Next

                          TLS Proxy Configuration on the Cisco Adaptive Security Appliance

                          Create Custom Certificate for Access Edge Using Enterprise Certificate Authority

                          Refer to these instructions if you are using a Microsoft Enterprise CA to issue a client/server role certificate to the external interface of Access Edge or to the public interface of the Cisco Adaptive Security Appliance.

                          Before You Begin

                          These steps require that the Certificate Authority (CA) is an Enterprise CA and is installed on the Enterprise Edition of either Windows Server 2003 or 2008.

                          For additional details about these steps, refer to the Microsoft instructions: http:/​/​technet.microsoft.com/​en-us/​library/​bb694035.aspx

                          Create and Issue a Custom Certificate Template

                          Procedure
                            Step 1   Follow Steps 1- 6 from the Microsoft site: Creating and Issuing the Site Server Signing Certificate Template on the Certification Authority.

                            http:/​/​technet.microsoft.com/​en-us/​library/​bb694035.aspx#BKMK_​siteserver1

                            Tip   

                            For Step 5, use a more appropriate name for this specific template, such as Mutual Authentication Certificate.

                            Step 2   Follow these steps in place of Steps 7-12 from the Microsoft site:
                            1. Choose the Extensions tab. Make sure that under Application Policies that both Client Authentication and Server Authentication are present and that no other Policies are present. If these policies are not available, then you must add them before proceeding.
                              • In the Edit Application Policies Extension dialog box, click Add.

                              • In the Add Application Policy dialog box, choose Client Authentication, press Shift and choose Server Authentication, and then click Add.

                              • In the Edit Application Policies Extension dialog box, choose any other policy that may be present and then click Remove.

                              In the Properties of New Template dialog box, you should now see listed as the description of Application Policies: Client Authentication, Server Authentication.

                            2. Choose the Issuance Requirement tab. If you do not want the Certificate to be automatically issued, then choose CA certificate manager approval. Otherwise, leave this option blank.
                            3. Choose the Security tab and ensure that all required users and groups have both read and enroll permission.
                            4. Choose the Request Handling tab and click the CSP button.
                            5. On the CSP Selection dialog box choose Requests must use one of the following CSP’s.
                            6. From the list of CSP’s choose Microsoft Basic Cryptographic Provider v1.0 and Microsoft Enhanced Cryptographic Provider v1.0, and click OK.
                            Step 3   Continue with Steps 13-15 from the Microsoft site: Creating and Issuing the Site Server Signing Certificate Template on the Certification Authority.

                            http:/​/​technet.microsoft.com/​en-us/​library/​bb694035.aspx#BKMK_​siteserver1


                            What to Do Next

                            Request Site Server Signing Certificate

                            Request Site Server Signing Certificate

                            Procedure
                              Step 1   Follow Steps 1-6 from the Microsoft site: Site Server Signing Certificate for the Server That Will Run the Configuration Manager 2007 Site Server.

                              http:/​/​technet.microsoft.com/​en-us/​library/​bb694035.aspx#BKMK_​siteserver2

                              Tip   

                              For Step 5, select the name of the certificate template you created previously, such as Mutual Authentication Certificate and enter the external FQDN of the access edge in the Name field.

                              Step 2   Follow these steps in place of Steps 7-8 from the Microsoft site:
                              1. If the certificate request is automatically issued then you are presented with an option to install the signed certificate. Select Install this Certificate.
                              2. If the certificate request is not automatically issued then you must wait for the administrator to issue the certificate. Once issued:
                                • On the member server, load Internet Explorer and connect to the Web enrollment service with the address http://<server>/certsrv where <server> is the name or IP address of the Enterprise CA.

                                • On the Welcome page, choose View the status of a pending certificate request.

                              3. Choose the issued certificate and click Install this Certificate.

                              Security Certificate Configuration on Lync Edge Server for TLS Federation

                              The following guide from Microsoft's TechNet Library (http:/​/​technet.microsoft.com/​en-us/​library/​gg398409.aspx) explains how to configure certificates on Access Edge for TLS federation with Microsoft Lync. The IM and Presence Service requires Mutual TLS authentication for federated connections, therefore you must configure Microsoft Lync certificates to support both Server and Client Authentication. When you follow the above guide, skip Section 2 and move instead to Section 3 which describes how to create a certificate request for the external interface of the Edge Server to support public IM connectivity with AOL. AOL has the same mutual TLS authentication requirement as the IM and Presence Service. You can also use this guide to configure Lync Server to federate directly with the IM and Presence Service over TLS.

                              For information about how to configure static routes on Lync server for direct federation, see Federated Link to Microsoft Lync Server Configuration Task Lists.

                              Security Certificate Exchange Between Cisco Adaptive Security Appliance and the AOL SIP Access Gateway

                              AOL requires that the Cisco Adaptive Security Appliance certificate is signed by a trusted Certificate Authority (CA). AOL has an established trust list of CAs such as those commonly used in Windows or those in libraries distributed with the major browsers. If you wish to use a CA that is not on the AOL trust list, work with your Cisco representative to provide this information to AOL.

                              A sample configuration workflow that describes in detail how to configure certificate exchange between the Cisco Adaptive Security Appliance and an external domain (Microsoft Access Edge) using the Verisign CA is provided in the appendix of this guide. Use this procedure as a reference to configure certificate exchange between Cisco Adaptive Security Appliance and the AOL SIP Access Gateway using the Verisign CA. A high-level overview of the configuration steps is provided below.

                              To configure certificate exchange between Cisco Adaptive Security Appliance and the AOL SIP Access Gateway using the Verisign CA, complete these steps:


                              Note


                              The IM and Presence Service node certificate subject CN must match FQDN of the IM and Presence Service node. The public Certificate on the Cisco Adaptive Security Appliance for the IM and Presence Service and the CN must be the same as the Federation Routing IM and Presence FQDN service parameter value.


                              • Submit the CSR to the Verisign CA.

                              • Verisign CA provides you with the following certificates:

                                • Verisign signed certificate

                                • Verisign subordinate intermediate root certificate

                                • Verisign root CA certificate

                              • On the Cisco Adaptive Security Appliance, delete the temporary root certificate used to generate the Certificate Signing Request.

                              • Import the Verisign subordinate intermediate root certificate to the Cisco Adaptive Security Appliance.

                              • Create a trustpoint for the Verisign root CA certificate on the Cisco Adaptive Security Appliance.

                              • Import the Verisign root CA certificate to the Cisco Adaptive Security Appliance, and then import the Verisign signed certificate to the Cisco Adaptive Security Appliance.

                              • Provide the VeriSign root and intermediate certificates to AOL.


                              Note


                              You must provide AOL with the root CA if the CA is not already in the AOL trust list.