SIP federation security certificate configuration with Cisco Adaptive Security Appliance
and Presence Service Release 9.0(1) or later supports interdomain
federation with Microsoft Lync. Any reference to interdomain federation with
OCS also includes Microsoft Lync, unless explicitly stated otherwise.
Generate key pair and trustpoints on Cisco Adaptive Security Appliance
You need to generate the key pair for this certification (for
cup_proxy_key), and configure a trustpoint to identify the
self-signed certificate from
Cisco Adaptive Security Appliance to
IM and Presence Service (for example
cup_proxy). You need to specify the enrollment type as
"self" to indicate you are generating a self-signed certificate on
CiscoAdaptive Security Appliance, and specify the certificate subject name as the IP address
of the inside interface.
Before You Begin
Ensure you carried out the configuration tasks described in
the following chapters:
Import IM and Presence Service certificate into Cisco Adaptive Security Appliance
In order to import the
IM and Presence Service certificate onto
Cisco Cisco Adaptive Security Appliance, you need to create a trustpoint to identify the imported
IM and Presence Service (e.g.
cert_from_cup), and specify the enrollment type as
"terminal" to indicate that you will paste the certificate
IM and Presence Service into the terminal.
It is essential that
IM and Presence Service,
Cisco Unified Communications Manager and
Cisco Adaptive Security Appliance servers are all syncing off the same NTP source.
When generating a trustpoint, you must specify an enrollment method to be used with the trustpoint. You can use Simple Certificate Enrollment Process (SCEP) as the enrollment method (assuming you are using a Microsoft CA), where you use the enrollment url command to define the URL to be used for SCEP enrollment with the trustpoint you declared. The URL defined should be the URL of your CA.
You can also use manual enrollment as the enrollment method, where you use the enrollment terminal command to indicate that you will paste the certificate received from the CA into the terminal. Both enrollment method procedures are described in this section. Refer to the Cisco Security Appliance Command Line Configuration Guide for further details about the enrollment method.
In order to use SCEP, you need to download the Microsoft SCEP add-on from the following URL:
Enter this command to generate a trustpoint to identify the CA.
crypto ca trustpoint <trustpoint_name>
Use the "client-types" sub-command to specify the client connection types for the trustpoint that can be used to validate the certificates associated with a user connection. Enter this command to specify a "client-types ssl" configuration which indicates that SSL client connections can be validated using this trustpoint:
(config-ca-trustpoint)# client-types ssl
Enter this command to configure the FQDN of the public IM and Presence Service address:
You may be issued a warning regarding VPN authentication here.
Enter this command to configure a keypair for the trustpoint:
Enter this command to configure the enrollment method for the trustpoint:
enrollment url http://<ip address of CA>/certsrv/mscep/mscep.dll
Enter this command to obtain the CA certificate for the trustpoint you configured:
crypto ca authenticate <trustpoint_name>
INFO: Certificate has the following attributes:
Fingerprint: cc966ba6 90dfe235 6fe632fc 2e521e48
Enter yes when you are prompted to accept the certificate from the CA.
Do you accept this certificate? [yes/no]: yesTrustpoint CA certificate accepted.
Run the crypto ca enroll command.
crypto ca enroll <trustpoint_name>
The following warning output displays:
%WARNING: The certificate enrollment is configured with an fqdnthat differs from the system fqdn. If this certificate will be
used for VPN authentication this may cause connection problems.
Enter yes when you are prompted to continue with the enrollment.
Would you like to continue with this enrollment? [yes/no]: yes% Start certificate enrollment..
Enter a password when you are prompted to create a challenge password.
% Create a challenge password. You will need to verbally provide this password to the CA Administrator in order to revoke your certificate.
For security reasons your password will not be saved in the configuration.
Please make a note of it.
Re-enter password: **********
Enter no when you are prompted to include the device serial number in the subject name.
Enter yes when you are prompted to request the certificate from the CA.
Request certificate from CA? [yes/no]: yes% Certificate request sent to Certificate Authority
Go to the CA and issue the pending certificate (if the certificate was not issued automatically).
This procedure describes how to upload the certificate on
the Access Edge server using the Certificate Wizard. You can also import the
certificates manually on the Access Edge server by selecting
Microsoft Office Communications Server
2007 > Properties > Edge
Create custom certificate for Access Edge using enterprise certificate authority
Refer to these instructions if you are using a Microsoft Enterprise Certificate Authority to issue a client/server role certificate to the external interface of Access Edge or to the public interface of the Cisco Adaptive Security Appliance.
Before You Begin
These steps require that the Certificate Authority is an Enterprise CA and is installed on the Enterprise Edition of either Windows Server 2003 or 2008.
For Step 5, use a more appropriate name for this specific
template, such as Mutual Authentication Certificate.
Follow these steps in place of Steps 7-12 from the Microsoft site:
Extensions tab. Make sure that under
Client Authentication and
Server Authentication are present and that
no other Policies are present. If these policies are not available, then you
must add them before proceeding.
Edit Application Policies Extension
dialog box, select
Add Application Policy
dialog box, select
Client Authentication, press Shift
Server Authentication, and then
In the Edit Application Policies
Extension dialog box, select any other policy that may be present
and then select
Properties of New Template dialog box,
you should now see listed as the description of Application Policies: Client
Authentication, Server Authentication.
Issuance Requirement tab. If you do not
want the Certificate to be automatically issued, then select
CA certificate manager approval.
Otherwise, leave this option blank.
Security tab and ensure that all required
users and groups have both read and enroll permission.
Request Handling tab and select the
CSP Selection dialog box select
Requests must use one of the following
From the list of CSP’s select
Microsoft Basic Cryptographic Provider v1.0 and
Microsoft Enhanced Cryptographic Provider v1.0, and select
Continue with Steps 13-15 from the Microsoft site: Creating and
Issuing the Site Server Signing Certificate Template on the Certification
For Step 5, select the name of the certificate template you
created previously, such as Mutual Authentication Certificate and enter the
external FQDN of the access edge in the
Follow these steps in place of Steps 7-8 from the Microsoft site:
If the certificate request is automatically issued then you
will be presented with an option to install the signed certificate. Select
Install this Certificate.
If the certificate request is not automatically issued then
you will need to wait for the administrator to issue the certificate. Once
On the member server, load Internet Explorer and connect
to the Web enrollment service with the address
http://<server>/certsrv where <server> is the name or IP
address of the Enterprise CA.
On the Welcome page, select
View the status of a pending certificate
Select the issued certificate and select
Install this Certificate.
Security certificate configuration on Lync Edge server for TLS federation
The following guide from Microsoft's TechNet Library (http://technet.microsoft.com/en-us/library/gg398409.aspx) explains how to configure certificates on Access Edge for TLS federation with Microsoft Lync. IM and Presence Service requires Mutual TLS authentication for federated connections, therefore you must configure Microsoft Lync certificates to support both Server and Client Authentication. When you follow the above guide, skip section 2 and move instead to section 3 which describes how to create a certificate request for the external interface of the Edge Server to support public IM connectivity with AOL. AOL has the same mutual TLS authentication requirement as IM and Presence Service. You can also use this guide to configure Lync Server to federate directly with IM and Presence Service over TLS.
Security certificate exchange between Cisco Adaptive Security Appliance and AOL SIP access gateway
AOL requires that the Cisco Adaptive Security Appliance certificate is signed by a trusted Certificate Authority. AOL has an established trust list of Certificate Authorities (CA) such as those commonly used in Windows or those in libraries distributed with the major browsers. If you wish to use a CA that is not on the AOL trust list, work with your Cisco representative to provide this information to AOL.
A sample configuration workflow that describes in detail how to configure certificate exchange between Cisco Adaptive Security Appliance and a foreign domain (Microsoft Access Edge) using the Verisign CA is provided in the appendix of this guide. Use this procedure as a reference to configure certificate exchange between Cisco Adaptive Security Appliance and the AOL SIP Access Gateway using the Verisign CA. A high-level overview of the configuration steps is provided below.
To configure certificate exchange between Cisco Adaptive Security Appliance and the AOL SIP Access Gateway using the Verisign CA, complete these steps:
The IM and Presence Service server certificate subject CN must match FQDN of the IM and Presence Service node. The public Certificate on Cisco Adaptive Security Appliance for IM and Presence Service and the CN must be the same as the Federation Routing IM and Presence FQDN service parameter value.
Submit the CSR to the Verisign CA.
Verisign CA provides you with the following certificates: