Integration Guide for Configuring Cisco Unified Presence Release 8.6 for Interdomain Federation
Configuring Security Certificates for SIP Federation (with Cisco Adaptive Security Appliance)
Downloads: This chapterpdf (PDF - 326.0KB) The complete bookPDF (PDF - 3.95MB) | Feedback

Configuring Security Certificates for SIP Federation (with Cisco Adaptive Security Appliance)

Table Of Contents

Configuring Security Certificates for SIP Federation (with Cisco Adaptive Security Appliance)

How to Configure Security Certificate Exchange Between Cisco Unified Presence and Cisco Adaptive Security Appliance

Generating the Key Pair and Trustpoints on Cisco Adaptive Security Appliance

Generating a Self-Signed Certificate on Cisco Adaptive Security Appliance

Importing the Self Signed Certificate onto Cisco Unified Presence

Generating a New Certificate on Cisco Unified Presence

Importing the Cisco Unified Presence Certificate onto Cisco Adaptive Security Appliance

How to Configure Security Certificate Exchange Between Cisco Adaptive Security Appliance and Microsoft Access Edge (External Interface) Using a Microsoft CA

CA Trustpoints

Configuring the Certificate on Cisco Adaptive Security Appliance using SCEP Enrollment

Configuring the Certificate on Cisco Adaptive Security Appliance using Manual Enrollment

How to Configure the Certificate for External Access Edge Interface

Downloading the CA Certification Chain

Installing the CA Certification Chain

Requesting a Certificate from the CA Server

Downloading the Certificate from the CA Server

Uploading the Certificate onto Access Edge

Creating a Custom Certificate for Access Edge Using an Enterprise Certificate Authority

Creating and Issuing a Custom Certificate Template

Requesting the Site Server Signing Certificate

Configuring Security Certificates on Lync Edge Server for TLS Federation

Security Certificate Exchange Between Cisco Adaptive Security Appliance and AOL SIP Access Gateway


Configuring Security Certificates for SIP Federation (with Cisco Adaptive Security Appliance)


June 18, 2013

How to Configure Security Certificate Exchange Between Cisco Unified Presence and Cisco Adaptive Security Appliance

How to Configure Security Certificate Exchange Between Cisco Adaptive Security Appliance and Microsoft Access Edge (External Interface) Using a Microsoft CA

Configuring Security Certificates on Lync Edge Server for TLS Federation

Security Certificate Exchange Between Cisco Adaptive Security Appliance and AOL SIP Access Gateway


Note Only Cisco Unified Presence Release 8.5(2) or later supports interdomain federation with Microsoft Lync. For Cisco Unified Presence Release 8.5(2) or later, any reference to interdomain federation with OCS also includes Microsoft Lync, unless explicitly stated otherwise.


How to Configure Security Certificate Exchange Between Cisco Unified Presence and Cisco Adaptive Security Appliance

Generating the Key Pair and Trustpoints on Cisco Adaptive Security Appliance

Generating a Self-Signed Certificate on Cisco Adaptive Security Appliance

Importing the Self Signed Certificate onto Cisco Unified Presence

Generating a New Certificate on Cisco Unified Presence

Importing the Cisco Unified Presence Certificate onto Cisco Adaptive Security Appliance

Generating the Key Pair and Trustpoints on Cisco Adaptive Security Appliance

You need to generate the key pair for this certification (for example cup_proxy_key), and configure a trustpoint to identify the self-signed certificate from Cisco Adaptive Security Appliance to Cisco Unified Presence (for example cup_proxy). You need to specify the enrollment type as "self" to indicate you are generating a self-signed certificate on Cisco Adaptive Security Appliance, and specify the certificate subject name as the IP address of the inside interface.

Before You Begin

Ensure you carried out the configuration tasks described in the following chapters:

Configuring Cisco Unified Presence for SIP Federation

Configuring Cisco Adaptive Security Appliance for SIP Federation

Procedure


Step 1 On the Cisco Adaptive Security Appliance, enter the following commands:

>Enable 
>password
>config t
 
   

Step 2 Enter this command to generate the key pair for this certification:

crypto key generate rsa label cup_proxy_key modulus 1024

Note In Cisco Unified Presence Release 8.6(4) and above, the key bit length specified in the command above should be 2048, not 1024.


 
   

Step 3 Enter the following sequence of commands to create a trustpoint for Cisco Unified Presence:

crypto ca trustpoint <name of trustpoint e.g.cup_proxy>
(config-ca-trustpoint)# enrollment self
(config-ca-trustpoint)# fqdn none
(config-ca-trustpoint)# subject-name cn=<ASA inside interface ip address>
(config-ca-trustpoint)# keypair cup_proxy_key
 
   

Troubleshooting Tip

Enter the command show crypto key mypubkey rsa to check that the key pair is generated.

What To Do Next

Generating a Self-Signed Certificate on Cisco Adaptive Security Appliance

Generating a Self-Signed Certificate on Cisco Adaptive Security Appliance

Before You Begin

Complete the steps in Generating the Key Pair and Trustpoints on Cisco Adaptive Security Appliance.

You need a text editor that has UNIX support to complete this procedure. We recommend Microsoft Wordpad version 5.1, or Microsoft Notepad version 5.1 service pack 2.

Procedure


Step 1 Enter this command to generate the self-signed certificate:

(config-ca-trustpoint)# crypto ca enroll <name of trustpoint e.g.cup_proxy>
 
   

Step 2 Enter no when you are prompted to include the device serial number in the subject name .

Step 3 Enter yes when you are prompted to generate the self-signed certificate.

Step 4 Enter this command to prepare the certificate to export to Cisco Unified Presence:

crypto ca export cup_proxy identity-certificate
 
   

The PEM encoded identity certificate displays on screen, for example:

-----BEGIN CERTIFICATE-----
MIIBnDCCAQWgAwIBAgIBMTANBgkqhkiG9w0BAQQFADAUMRIwEAYDVQQDEwlDVVAt........
-----END CERTIFICATE-----
 
   

Step 5 Copy and paste the entire contents of the Cisco Adaptive Security Appliance certificate into Wordpad or Notepad with a .pem extension.

Step 6 Save the .pem file to your local machine.


What To Do Next

Importing the Self Signed Certificate onto Cisco Unified Presence

Importing the Self Signed Certificate onto Cisco Unified Presence

Before You Begin

Complete the steps in Generating a Self-Signed Certificate on Cisco Adaptive Security Appliance

Procedure


Step 1 Select Cisco Unified Operating System Administration > Security > Certificate Management on Cisco Unified Presence.

Step 2 Click Upload Certificate.

Step 3 Select cup-trust for Certificate Name.


Note Leave the Root Name field blank.


Step 4 Click Browse, and locate the Cisco Adaptive Security Appliance .pem certificate file (that you created in the previous procedure) on your local computer.

Step 5 Click Upload File to upload the certificate to the Cisco Unified Presence server.


Troubleshooting Tips

Perform a find on the certificate list, you will see an <asa ip address>.pem and an <asa ip address>.der in the certificate list.

What To Do Next

Generating a New Certificate on Cisco Unified Presence

Generating a New Certificate on Cisco Unified Presence

Before You Begin

Complete the steps in Importing the Self Signed Certificate onto Cisco Unified Presence

Procedure


Step 1 Select Cisco Unified Operating System Administration > Security > Certificate Management on Cisco Unified Presence.

Step 2 Click Generate New.

Step 3 Select cup for the certificate name.


What To Do Next

Importing the Cisco Unified Presence Certificate onto Cisco Adaptive Security Appliance

Importing the Cisco Unified Presence Certificate onto Cisco Adaptive Security Appliance

In order to import the Cisco Unified Presence certificate onto Cisco Adaptive Security Appliance, you need to create a trustpoint to identify the imported certificate from Cisco Unified Presence (e.g. cert_from_cup), and specify the enrollment type as "terminal" to indicate that you will paste the certificate received from Cisco Unified Presence into the terminal.


Note It is essential that Cisco Unified Presence, Cisco Unified Communications Manager and Cisco Adaptive Security Appliance servers are all syncing off the same NTP source.


Before You Begin

Complete the steps in Generating a New Certificate on Cisco Unified Presence.

You need a text editor that has UNIX support to complete this procedure. We recommend Microsoft Wordpad version 5.1, or Microsoft Notepad version 5.1 service pack 2.

Procedure


Step 1 Enter config mode, type:

>Enable 
>password
>config t
 
   

Step 2 Enter this sequence of commands to create a trustpoint for the imported Cisco Unified Presence certificate:

crypto ca trustpoint cert_from_cup
enrollment terminal
 
   

Step 3 Enter this command to import the certificate from Cisco Unified Presence:

crypto ca authenticate cert_from_cup
 
   

Step 4 Select Cisco Unified Operating System Administration > Security > Certificate Management on Cisco Unified Presence.

Step 5 Click Find.

Step 6 Locate the cup certificate that you created in the previous procedure.

Step 7 Click Download.

Step 8 Open the cup.pem file using one of the recommended text editors.

Step 9 Cut and paste the contents of the cup.pem into the Cisco Adaptive Security Appliance prompt window.

Step 10 Enter quit.

Step 11 Enter y when you are prompted to accept the certificate.


Troubleshooting Tips

Run the command show crypto ca certificate to view the certificate.

What To Do Next

How to Configure Security Certificate Exchange Between Cisco Adaptive Security Appliance and Microsoft Access Edge (External Interface) Using a Microsoft CA

How to Configure Security Certificate Exchange Between Cisco Adaptive Security Appliance and Microsoft Access Edge (External Interface) Using a Microsoft CA

These procedures are an example, and demonstrate how to configure certificates using the Microsoft CA.


Note An example of this procedure using the VeriSign CA is provided in the appendix of this guide.


CA Trustpoints

Configuring the Certificate on Cisco Adaptive Security Appliance using SCEP Enrollment

Configuring the Certificate on Cisco Adaptive Security Appliance using Manual Enrollment

How to Configure the Certificate for External Access Edge Interface

Creating a Custom Certificate for Access Edge Using an Enterprise Certificate Authority

CA Trustpoints

When generating a trustpoint, you must specify an enrollment method to be used with the trustpoint. You can use Simple Certificate Enrollment Process (SCEP) as the enrollment method (assuming you are using a Microsoft CA), where you use the enrollment url command to define the URL to be used for SCEP enrollment with the trustpoint you declared. The URL defined should be the URL of your CA.

You can also use manual enrollment as the enrollment method, where you use the enrollment terminal command to indicate that you will paste the certificate received from the CA into the terminal. Both enrollment method procedures are described in this section. Refer to the Cisco Security Appliance Command Line Configuration Guide for further details about the enrollment method.

In order to use SCEP, you need to download the Microsoft SCEP add-on from the following URL:

http://www.microsoft.com/Downloads/details.aspx?familyid=9F306763-D036-41D8-8860-1636411B2D01&displaylang=en

The SCEP add-on must be installed on the Microsoft CA that you are configuring the certificates on.

Download the SCEP add-on as follows:

Download and run scepsetup.exe.

Select local system account.

Deselect SCEP challenge phrase to enroll.

Enter the details of the CA.

When you click Finish, retrieve the SCEP URL. You will use this URL during trustpoint enrollment on Cisco Adaptive Security Appliance.

Configuring the Certificate on Cisco Adaptive Security Appliance using SCEP Enrollment

Procedure


Step 1 Enter this command to generate a key pair for the CA:

crypto key generate rsa label public_key_for_ca  modulus 1024

Note In Cisco Unified Presence Release 8.6(4) and above, the key bit length specified in the command above should be 2048, not 1024.


 
   

Step 2 Enter this command to generate a trustpoint to identify the CA.

crypto ca trustpoint <trustpoint_name>
 
   

Step 3 Use the "client-types" sub-command to specify the client connection types for the trustpoint that can be used to validate the certificates associated with a user connection. Enter this command to specify a "client-types ssl" configuration which indicates that SSL client connections can be validated using this trustpoint:

(config-ca-trustpoint)# client-types ssl
 
   

Step 4 Enter this command to configure the FQDN of the public Cisco Unified Presence address:

fqdn <fqdn_public_cup_address>

Note You may be issued a warning regarding VPN authentication here.


Step 5 Enter this command to configure a keypair for the trustpoint:

keypair public_key_for_ca
 
   

Step 6 Enter this command to configure the enrollment method for the trustpoint:

enrollment url http://<ip address of CA>/certsrv/mscep/mscep.dll
 
   

Step 7 Enter this command to obtain the CA certificate for the trustpoint you configured:

crypto ca authenticate <trustpoint_name>
INFO: Certificate has the following attributes:
Fingerprint:     cc966ba6 90dfe235 6fe632fc 2e521e48
 
   

Step 8 Enter yes when you are prompted to accept the certificate from the CA.

Do you accept this certificate? [yes/no]: yes
Trustpoint CA certificate accepted.
 
   

Step 9 Run the crypto ca enroll command.

crypto ca enroll <trustpoint_name>
 
   

The following warning output displays:

%WARNING: The certificate enrollment is configured with an fqdn
that differs from the system fqdn. If this certificate will be
used for VPN authentication this may cause connection problems.
 
   

Step 10 Enter yes when you are prompted to continue with the enrollment.

Would you like to continue with this enrollment? [yes/no]: yes
% Start certificate enrollment..
 
   

Step 11 Enter a password when you are prompted to create a challenge password.

% Create a challenge password. You will need to verbally provide this
password to the CA Administrator in order to revoke your certificate.
For security reasons your password will not be saved in the configuration.
Please make a note of it.
Password: **********
Re-enter password: **********
 
   

Step 12 Enter no when you are prompted to include the device serial number in the subject name.

 
   

Step 13 Enter yes when you are prompted to request the certificate from the CA.

Request certificate from CA? [yes/no]: yes
% Certificate request sent to Certificate Authority
 
   

Step 14 Go to the CA and issue the pending certificate (if the certificate was not issued automatically).

 
   

What To Do Next

How to Configure the Certificate for External Access Edge Interface

Configuring the Certificate on Cisco Adaptive Security Appliance using Manual Enrollment

Enrolling a trustpoint by uploading a CA certificate:


Step 1 Enter this command to generate a key pair for the CA:

crypto key generate rsa label public_key_for_ca  modulus 1024

Note In Cisco Unified Presence Release 8.6(4) and above, the key bit length specified in the command above should be 2048, not 1024.


 
   

Step 2 Enter this sequence of commands to generate a trustpoint to identify the CA:

crypto ca trustpoint <name of trustpoint>
fqdn <fqdn_public_cup_address>
client-types ssl
keypair public_key_for_ca

NoteThe FQDN value must be the FQDN of the public Cisco Unified Presence address.

The keypair value must be the keypair created for the CA.


Step 3 Enter this command to configure the enrollment method for the trustpoint:

enrollment terminal
 
   

Step 4 Enter this command to authenticate the certificate:

crypto ca authenticate <trustpoint_name>
 
   

Step 5 Acquire the root certificate of the CA:

a. Go to your CA webpage, for example, http(s)://<CA_IP_Addr>/certsrv.

b. Select Download a CA certificate, certificate chain, or CRL.

c. Select Base 64.

d. Download the CA certificate.

e. Save the certificate as a .cer file, for example CARoot.cer.

Step 6 Open the root certificate (.cer file) in a text editor.

Step 7 Copy and paste this certificate into the Cisco Adaptive Security Appliance terminal.

Step 8 Enter yes when you are prompted to accept the certificate.


Generating a CSR for Cisco Adaptive Security Appliance Public Certificate


Step 1 Enter this command to send an enrollment request to the CA:

crypto ca enroll <trustpoint_name>
 
   

Step 2 Enter no when you are asked if you want to include the device serial number in the subject name.

Step 3 Enter yes when you are asked to Display Certificate Request to terminal.

Step 4 Copy and paste this base-64 certificate into a text editor (to use in a later step).

Step 5 Enter no when you are asked to redisplay the enrollment request.

Step 6 Paste the base-64 certificate (that you copied in step 4) into the certificate request page of your CA:

a. Go to your CA webpage, for example, http(s)://<CA_IP_Addr>/certsrv.

b. Select Request a certificate.

c. Select Advanced Certificate request.

d. Select Submit a certificate request by using a base-64-encoded CMC orPKCS#10 file...

e. Paste the base-64 certificate (that you copied in step 4).

f. Submit the request and issue the certificate from the CA.

g. Download the certificate and save as a *.cer file.

h. Open the certificate in a text editor and paste the contents into the terminal. End with the word 'quit' on a separate line.

Step 7 Enter this command to import the certificate that you receive from the CA:

crypto ca <trustpoint_name> import certificate
 
   

Step 8 Enter yes when you are asked if you want to continue with the enrollment.

 
   

What To Do Next

How to Configure the Certificate for External Access Edge Interface

How to Configure the Certificate for External Access Edge Interface

This procedure describes how to configure the certificate on the Access Edge server with a standalone CA.

Downloading the CA Certification Chain

Installing the CA Certification Chain

Requesting a Certificate from the CA Server

Downloading the Certificate from the CA Server

Uploading the Certificate onto Access Edge

Downloading the CA Certification Chain

Procedure


Step 1 On the Access Edge Server, click Start > Run.

Step 2 Enter http://<name of your Issuing CA Server>/certsrv, and click OK.

Step 3 Click Download a CA certificate, certificate chain, or CRL from the Select a task menu.

Step 4 Click Download CA certificate chain from Download a CA Certificate, Certificate Chain, or CRL menu.

Step 5 Click Save in the File Download dialog box.

Step 6 Save the file on a hard disk drive on your server. This file has an extension of .p7b. If you open this .p7b file, the chain displays the following two certificates:

name of Standalone root CA certificate

name of Standalone subordinate CA certificate (if any)


What To Do Next

Installing the CA Certification Chain

Installing the CA Certification Chain

Before You Begin

Complete the steps inDownloading the CA Certification Chain

Procedure


Step 1 Click Start > Run.

Step 2 Enter mmc, and click OK.

Step 3 Select Add/Remove Snap-in from the File menu.

Step 4 Click Add in the Add/Remove Snap-in dialog box.

Step 5 Select Certificates in the list of Available Standalone Snap-ins.

Step 6 Click Add.

Step 7 Select Computer account.

Step 8 Click Next.

Step 9 In the Select Computer dialog box, perform the following tasks:

a. Ensure that <Local Computer> (the computer this console is running on) is selected

b. Click Finish.

Step 10 Click Close.

Step 11 Click OK.

Step 12 In the left pane of the Certificates console, expand Certificates: Local Computer.

Step 13 Expand Trusted Root Certification Authorities.

Step 14 Right-click Certificates, and point to All Tasks.

Step 15 Click Import.

Step 16 In the Import Wizard, click Next.

Step 17 Click Browse and go to where you saved the certificate chain.

Step 18 Select the file, and click Open.

Step 19 Click Next.

Step 20 Leave the default value Place all certificates in the store and ensure that Trusted Root Certification Authorities appears under the Certificate store.

Step 21 Click Next.

Step 22 Click Finish.


What To Do Next

Requesting a Certificate from the CA Server

Requesting a Certificate from the CA Server

Before You Begin

Complete the steps in Installing the CA Certification Chain

Procedure


Step 1 Log in to the Access Edge server and open a web browser.

Step 2 Open the following URL: http://<ca_server_IP_address>/certsrv

Step 3 Click Request a Certificate.

Step 4 Click Advanced Certificate Request.

Step 5 Click Create and submit a request to this CA.

Step 6 Click Other in the Type of Certificate Needed list.

Step 7 Enter the FQDN of the Access Edge external interface for the Subject Common Name,

Step 8 Enter the following OID in the OID field:

1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2


Note A comma separates the two 1s in the middle of the OID.


Step 9 Perform one of the following procedures:

a. If you are using Windows Certificate Authority 2003, check Store certificate in the local computer certificate store in Key Options.

b. If you are using Windows Certificate Authority 2008, refer to the workaround described in the Troubleshooting Tips of this section. Enter a friendly name.

Step 10 Enter a friendly name.

Step 11 Click Submit.


What To Do Next

Downloading the Certificate from the CA Server

Downloading the Certificate from the CA Server

Before You Begin

Complete the steps in Requesting a Certificate from the CA Server

Procedure


Step 1 Launch the CA console by selecting Start -> Administrative Tools -> Certificate Authority.

Step 2 Click on Pending Requests in the left pane.

Step 3 Right-click on the certificate request that you submitted in the right pane,.

Step 4 Click All Tasks > Issue.

Step 5 Open http://<local_server>/certsrv on the Access Edge server that CA is running on.

Step 6 Click on your certificate request from View the Status of a Pending Certificate Request.

Step 7 Click Install this certificate.


What To Do Next

Uploading the Certificate onto Access Edge

Uploading the Certificate onto Access Edge

This procedure describes how to upload the certificate on the Access Edge server using the Certificate Wizard. You can also import the certificates manually on the Access Edge server by selecting Microsoft Office Communications Server 2007 > Properties > Edge Interfaces.

Before You Begin

Complete the steps in Downloading the Certificate from the CA Server

Procedure


Step 1 Select Start > Administrative Tools > Computer Management on the Access Edge server.

Step 2 Right-click on Microsoft Office Communications Server 2007 in the left pane.

Step 3 Click Certificates.

Step 4 Click Next.

Step 5 Click the Assign an existing certificate task option.

Step 6 Click Next.

Step 7 Select the certificate that you wish to use for the External Access Edge Interface, and click Next.

Step 8 Click Next.

Step 9 Click the Edge Server Public Interface checkbox, and click Next.

Step 10 Click Next.

Step 11 Click Finish.


What To Do Next

Configuring the TLS Proxy on Cisco Adaptive Security Appliance

Creating a Custom Certificate for Access Edge Using an Enterprise Certificate Authority

Refer to these instructions if you are using a Microsoft Enterprise Certificate Authority to issue a client/server role certificate to the external interface of Access Edge or to the public interface of the Cisco Adaptive Security Appliance.

Before You Begin

These steps require that the Certificate Authority is an Enterprise CA and is installed on the Enterprise Edition of either Windows Server 2003 or 2008.

For additional details about these steps, refer to the Microsoft instructions: http://technet.microsoft.com/en-us/library/bb694035.aspx

Creating and Issuing a Custom Certificate Template

Procedure


Step 1 Follow Steps 1- 6 from the Microsoft site: Creating and Issuing the Site Server Signing Certificate Template on the Certification Authority.

http://technet.microsoft.com/en-us/library/bb694035.aspx#BKMK_siteserver1


Tip For Step 5, use a more appropriate name for this specific template, such as Mutual Authentication Certificate.


Step 2 Follow these steps in place of Steps 7-12 from the Microsoft site:

a. Select the Extensions tab. Make sure that under Application Policies that both Client Authentication and Server Authentication are present and that no other Policies are present. If these policies are not available, then you must add them before proceeding.

In the Edit Application Policies Extension dialog box, select Add.

In the Add Application Policy dialog box, select Client Authentication, press Shift and select Server Authentication, and then click Add.

In the Edit Application Policies Extension dialog box, select any other policy that may be present and then select Remove.

In the Properties of New Template dialog box, you should now see listed as the description of Application Policies: Client Authentication, Server Authentication.

b. Select the Issuance Requirement tab. If you do not want the Certificate to be automatically issued, then select CA certificate manager approval. Otherwise, leave this option blank.

c. Select the Security tab and ensure that all required users and groups have both read and enroll permission.

d. Select the Request Handling tab and select the CSP button.

e. On the CSP Selection dialog box select Requests must use one of the following CSP's.

f. From the list of CSP's select Microsoft Basic Cryptographic Provider v1.0 and Microsoft Enhanced Cryptographic Provider v1.0, and select OK.

Step 3 Continue with Steps 13-15 from the Microsoft site: Creating and Issuing the Site Server Signing Certificate Template on the Certification Authority.

http://technet.microsoft.com/en-us/library/bb694035.aspx#BKMK_siteserver1


What To Do Next

Requesting the Site Server Signing Certificate

Requesting the Site Server Signing Certificate

Procedure


Step 1 Follow Steps 1-6 from the Microsoft site: Site Server Signing Certificate for the Server That Will Run the Configuration Manager 2007 Site Server.

http://technet.microsoft.com/en-us/library/bb694035.aspx#BKMK_siteserver2


Tip For Step 5, select the name of the certificate template you created previously, such as Mutual Authentication Certificate and enter the external FQDN of the access edge in the Name field.


Step 2 Follow these steps in place of Steps 7-8 from the Microsoft site:

a. If the certificate request is automatically issued then you will be presented with an option to install the signed certificate. Select Install this Certificate.

b. If the certificate request is not automatically issued then you will need to wait for the administrator to issue the certificate. Once issued:

On the member server, load Internet Explorer and connect to the Web enrollment service with the address http://<server>/certsrv where <server> is the name or IP address of the Enterprise CA.

On the Welcome page, select View the status of a pending certificate request.

c. Select the issued certificate and select Install this Certificate.


Configuring Security Certificates on Lync Edge Server for TLS Federation

The following guide from Microsoft's TechNet Library (http://technet.microsoft.com/en-us/library/gg398409(v=ocs.14).aspx) explains how to configure certificates on Access Edge for TLS federation with Microsoft Lync. Cisco Unified Presence requires Mutual TLS authentication for federated connections, therefore you must configure Microsoft Lync certificates to support both Server and Client Authentication. When you follow the above guide, skip section 2 and move instead to section 3 which describes how to create a certificate request for the external interface of the Edge Server to support public IM connectivity with AOL. AOL has the same mutual TLS authentication requirement as Cisco Unified Presence. You can also use this guide to configure Lync Server to federate directly with Cisco Unified Presence over TLS.

For information about how to configure static routes on Lync server for direct federation, see .

Security Certificate Exchange Between Cisco Adaptive Security Appliance and AOL SIP Access Gateway

AOL requires that the Cisco Adaptive Security Appliance certificate is signed by a trusted Certificate Authority. AOL has an established trust list of Certificate Authorities (CA) such as those commonly used in Windows or those in libraries distributed with the major browsers. If you wish to use a CA that is not on the AOL trust list, work with your Cisco representative to provide this information to AOL.

A sample configuration workflow that describes in detail how to configure certificate exchange between Cisco Adaptive Security Appliance and a foreign domain (Microsoft Access Edge) using the Verisign CA is provided in the appendix of this guide. Use this procedure as a reference to configure certificate exchange between Cisco Adaptive Security Appliance and the AOL SIP Access Gateway using the Verisign CA. A high-level overview of the configuration steps is provided below.

To configure certificate exchange between Cisco Adaptive Security Appliance and the AOL SIP Access Gateway using the Verisign CA, complete these steps:

Download the AOL root certificate from https://pki-info.aol.com/AOL/.

Download the AOL member certificate from https://pki-info.aol.com/AOLMSPKI/index.html

Delete any old intermediate and signed certificate, and the trustpoint for the root certificate on Cisco Adaptive Security Appliance.

Create a new trust point on Cisco Adaptive Security Appliance for the AOL root certificate, see section Importing the Cisco Unified Presence Certificate onto Cisco Adaptive Security Appliance (steps 1-3).

Create a new trust point on Cisco Adaptive Security Appliance for the AOL member certificate.

Create a new trustpoint for the Verisign CA on Cisco Adaptive Security Appliance.

On Cisco Adaptive Security Appliance, import the root certificate, and then generate a Certificate Signing Request (CSR). See section Configuring the Certificate on Cisco Adaptive Security Appliance using Manual Enrollment for a similar procedure.


Note The Cisco Unified Presence server certificate subject CN must match FQDN of the Cisco Unified Presence server. The public Certificate on Cisco Adaptive Security Appliance for Cisco Unified Presence and the CN must be the same as the Federation Routing CUP FQDN service parameter value.


Submit the CSR to the Verisign CA.

Verisign CA provides you with the following certificates:

Verisign signed certificate

Verisign subordinate intermediate root certificate

Verisign root CA certificate

On Cisco Adaptive Security Appliance, delete the temporary root certificate used to generate the Certificate Signing Request.

Import the Verisign subordinate intermediate root certificate to Cisco Adaptive Security Appliance.

Create a trustpoint for the Verisign root CA certificate on Cisco Adaptive Security Appliance.

Import the Verisign root CA certificate to Cisco Adaptive Security Appliance, and then import the Verisign signed certificate to Cisco Adaptive Security Appliance.

Provide the VeriSign root and intermediate certificates to AOL.


Note You must provide AOL with the root CA if the CA is not already in the AOL trust list.


Related Topics

Importing the Cisco Unified Presence Certificate onto Cisco Adaptive Security Appliance

Configuring the Certificate on Cisco Adaptive Security Appliance using Manual Enrollment

Configuring Security Certificate Exchange Between Cisco Adaptive Security Appliance and Microsoft Access Edge Using VeriSign

AOL Routing Information Requirements