This document is meant to assist with configuring LSC provisioning on an Adaptive Security Appliance (ASA) running the Phone Proxy (PP) feature. It is meant specifically for the 7960 or 7940 phones which do not come with a Manufacturer Installed Certificate (MIC) and need to use a Locally Significant Certificate (LSC) to register securely with PP. This also assumes that you are running a nonsecure Cisco Unified Call Manager (CUCM).
Familiar with the ASA CLI
Familiar with CUCMs’ management interface
ASA and CUCM clocks are set to the correct time.
Ensure that you meet these requirements before you attempt this configuration:
The phone you are using is able to register on the inside of the ASA.
CUCM 6.x, 7.x, 8.0.x
ASA 8.0.4 or later with phone proxy configured.
Secure USB tokens are NOT required.
The Steps for configuration are outlined below:
1)Configure CUCM to provision a LSC
Cisco Unified Serviceability > Tools > Service Activation
Select Cisco CTL Provider
Select Cisco Certificate Authority Proxy Function (CAPF)
2)Copy the CAPF Certificate from the CUCM
Cisco Unified OS Administrator
Security > Certificate Management > Find
Click on CAPF.pem
Download the CAPF.pem file
3)Create a trustpoint and import the cert on the ASA
On ASA cli
PhoneProxyASA(config)# crypto ca trustpoint capf_trustpoint