SIP Federation Security Certificate Configuration with Cisco Adaptive Security Appliance
and Presence Service Release 9.0(1) or later supports interdomain
federation with Microsoft Lync. Any reference to interdomain federation with
OCS also includes Microsoft Lync, unless explicitly stated otherwise.
Generate Key Pair and Trustpoints on the Cisco Adaptive Security Appliance
You need to generate the key pair for this certification (for
imp_proxy_key), and configure a trustpoint to identify the
self-signed certificate from
Cisco Adaptive Security Appliance to
IM and Presence Service (for example
imp_proxy). You need to specify the enrollment type as
"self" to indicate you are generating a self-signed certificate on
CiscoAdaptive Security Appliance, and specify the certificate subject name as the IP address
of the inside interface.
Before You Begin
Ensure you carried out the configuration tasks described in
the following chapters:
Generate a New Certificate on the IM and Presence Service
Cisco ASA firewall certificates must have the Server Authentication and Client Authentication attributes set for inside, outside. This can be verified by checking the certificate Enhanced Key Usage (EKU) parameter or for an Object Identifier (OID) value of:
Import an IM and Presence Service Certificate into the Cisco Adaptive Security Appliance
In order to import the
IM and Presence Service certificate onto
the Cisco Cisco Adaptive Security Appliance, you need to create a trustpoint to identify the imported
the IM and Presence Service (for example
cert_from_imp), and specify the enrollment type as
"terminal" to indicate that the certificate
the IM and Presence Service will be pasted into the terminal.
It is essential that
the IM and Presence Service and the Cisco Unified Communications Manager nodes, and
the Cisco Adaptive Security Appliance are synchronized off the same NTP source.
When generating a trustpoint, you must specify an enrollment method to be used with the trustpoint. You can use Simple Certificate Enrollment Process (SCEP) as the enrollment method (assuming you are using a Microsoft CA), where you use the enrollment url command to define the URL to be used for SCEP enrollment with the trustpoint you declared. The URL defined should be the URL of your CA.
You can also use manual enrollment as the enrollment method, where you use the enrollment terminal command to paste the certificate received from the CA into the terminal. Both enrollment method procedures are described in this section. Refer to the Cisco Security Appliance Command Line Configuration Guide for further details about the enrollment method.
In order to use SCEP, you need to download the Microsoft SCEP add-on from the following URL:
Enter this command to generate a trustpoint to identify the CA.
crypto ca trustpointtrustpoint_name
Use the client-types command to specify the client connection types for the trustpoint that can be used to validate the certificates associated with a user connection. Enter this command to specify a client-types ssl configuration which indicates that SSL client connections can be validated using this trustpoint:
(config-ca-trustpoint)# client-types ssl
Enter this command to configure the FQDN of the public IM and Presence Service address:
You may be issued a warning regarding VPN authentication here.
Enter this command to configure a keypair for the trustpoint:
Enter this command to configure the enrollment method for the trustpoint:
Enter this command to obtain the CA certificate for the trustpoint you configured:
crypto ca authenticatetrustpoint_name
INFO: Certificate has the following attributes:
Fingerprint: cc966ba6 90dfe235 6fe632fc 2e521e48
Enter yes when you are prompted to accept the certificate from the CA.
Do you accept this certificate? [yes/no]: yes
Trustpoint CA certificate accepted.
Run the crypto ca enroll command.
crypto ca enrolltrustpoint_name
The following warning output displays:
%WARNING: The certificate enrollment is configured with an fqdn that differs from the system fqdn. If this certificate will be
used for VPN authentication this may cause connection problems.
Enter yes when you are prompted to continue with the enrollment.
Would you like to continue with this enrollment? [yes/no]: yes
% Start certificate enrollment..
Enter a password when you are prompted to create a challenge password.
% Create a challenge password. You will need to verbally provide this password to the CA Administrator in order to revoke your certificate.
For security reasons your password will not be saved in the configuration.
Please make a note of it.
Re-enter password: **********
Enter no when you are prompted to include the device serial number in the subject name.
Enter yes when you are prompted to request the certificate from the CA.
Request certificate from CA? [yes/no]: yes
% Certificate request sent to Certificate Authority
Go to the CA and issue the pending certificate (if the certificate was not issued automatically).
This procedure describes how to upload the certificate on
the Access Edge server using the Certificate Wizard. You can also import the
certificates manually on the Access Edge server by choosing
Microsoft Office Communications Server
2007 > Properties > Edge
Create Custom Certificate for Access Edge Using Enterprise Certificate Authority
Refer to these instructions if you are using a Microsoft Enterprise CA to issue a client/server role certificate to the external interface of Access Edge or to the public interface of the Cisco Adaptive Security Appliance.
Before You Begin
These steps require that the Certificate Authority (CA) is an Enterprise CA and is installed on the Enterprise Edition of either Windows Server 2003 or 2008.
For Step 5, use a more appropriate name for this specific
template, such as Mutual Authentication Certificate.
Follow these steps in place of Steps 7-12 from the Microsoft site:
Extensions tab. Make sure that under
Client Authentication and
Server Authentication are present and that
no other Policies are present. If these policies are not available, then you
must add them before proceeding.
Edit Application Policies Extension
dialog box, click
Add Application Policy
dialog box, choose
Client Authentication, press Shift
Server Authentication, and then
In the Edit Application Policies
Extension dialog box, choose any other policy that may be present
and then click
Properties of New Template dialog box,
you should now see listed as the description of Application Policies: Client
Authentication, Server Authentication.
Issuance Requirement tab. If you do not
want the Certificate to be automatically issued, then choose
CA certificate manager approval.
Otherwise, leave this option blank.
Security tab and ensure that all required
users and groups have both read and enroll permission.
Request Handling tab and click the
CSP Selection dialog box choose
Requests must use one of the following
From the list of CSP’s choose
Microsoft Basic Cryptographic Provider v1.0 and
Microsoft Enhanced Cryptographic Provider v1.0, and click
Continue with Steps 13-15 from the Microsoft site: Creating and
Issuing the Site Server Signing Certificate Template on the Certification
For Step 5, select the name of the certificate template you
created previously, such as Mutual Authentication Certificate and enter the
external FQDN of the access edge in the
Follow these steps in place of Steps 7-8 from the Microsoft site:
If the certificate request is automatically issued then you
are presented with an option to install the signed certificate. Select
Install this Certificate.
If the certificate request is not automatically issued then
you must wait for the administrator to issue the certificate. Once
On the member server, load Internet Explorer and connect
to the Web enrollment service with the address
http://<server>/certsrv where <server> is the name or IP
address of the Enterprise CA.
On the Welcome page, choose
View the status of a pending certificate
Choose the issued certificate and click
Install this Certificate.
Security Certificate Configuration on Lync Edge Server for TLS Federation
The following guide from Microsoft's TechNet Library (http://technet.microsoft.com/en-us/library/gg398409.aspx) explains how to configure certificates on Access Edge for TLS federation with Microsoft Lync. The IM and Presence Service requires Mutual TLS authentication for federated connections, therefore you must configure Microsoft Lync certificates to support both Server and Client Authentication. When you follow the above guide, skip Section 2 and move instead to Section 3 which describes how to create a certificate request for the external interface of the Edge Server to support public IM connectivity with AOL. AOL has the same mutual TLS authentication requirement as the IM and Presence Service. You can also use this guide to configure Lync Server to federate directly with the IM and Presence Service over TLS.
Security Certificate Exchange Between Cisco Adaptive Security Appliance and the AOL SIP Access Gateway
AOL requires that the Cisco Adaptive Security Appliance certificate is signed by a trusted Certificate Authority (CA). AOL has an established trust list of CAs such as those commonly used in Windows or those in libraries distributed with the major browsers. If you wish to use a CA that is not on the AOL trust list, work with your Cisco representative to provide this information to AOL.
A sample configuration workflow that describes in detail how to configure certificate exchange between the Cisco Adaptive Security Appliance and an external domain (Microsoft Access Edge) using the Verisign CA is provided in the appendix of this guide. Use this procedure as a reference to configure certificate exchange between Cisco Adaptive Security Appliance and the AOL SIP Access Gateway using the Verisign CA. A high-level overview of the configuration steps is provided below.
To configure certificate exchange between Cisco Adaptive Security Appliance and the AOL SIP Access Gateway using the Verisign CA, complete these steps:
Upload AOL Root and Intermediate certificates to ASA:
The IM and Presence Service node certificate subject CN must match FQDN of the IM and Presence Service node. The public Certificate on the Cisco Adaptive Security Appliance for the IM and Presence Service and the CN must be the same as the Federation Routing IM and Presence FQDN service parameter value.
Submit the CSR to the Verisign CA.
Verisign CA provides you with the following certificates: