Cisco Systems OL-16647-01 Network Router User Manual


19-29
Cisco ASDM User Guide
OL-16647-01
Chapter 19 Adding Global Objects
CTL File
The Create a Certificate Trust List (CTL) File pane is used to configure the attributes for generating the CTL file. ASDM generates the name of the CTL file instance. When you edit the configuration of an existing CTL file instance, ASDM automatically generates the shutdown CLI command first and the no shutdown CLI command as the last command.
This pane is available from the Configuration > Firewall > Advanced > Encrypted Traffic Inspection >
CTL File pane.
Step 1 Open the Configuration > Firewall > Advanced > Encrypted Traffic Inspection > CTL File pane.
Step 2 Check the Enable Certificate Trust List File check box to enable the feature.
Step 3 To specify the CTL file to use for the Phone Proxy, perform one of the following:
- If there is an existing CTL file available, download the CTL file to Flash memory by using the File Management Tool in the ASDM Tools menu. Select the Use certificates present in the CTL stored in flash radio button and specify the CTL file name and path in the text box.
  Use an existing CTL file to install the trustpoints for each entity in the network (CUCM, CUCM and TFTP, TFTP server, CAPF) that the IP phones must trust. If you have an existing CTL file that contains the correct IP addresses of the entities (namely, the IP addresses that the IP phones use for the CUCM or TFTP servers), you can use it to create a new CTL file. Store a copy of the existing CTL file in Flash memory and rename it to something other than CTLFile.tlv.
- If there is no existing CTL file available, select the Create new CTL file radio button.
  Add Record entries for each entity in the network, such as CUCM, TFTP, and the CUCM-TFTP option, by clicking Add. The Add Record Entry dialog box opens. See Add/Edit Record Entry, page 19-29.
Step 4 Specify the number of SAST certificate tokens required. The default is 2; the maximum allowed is 5.
Because the Phone Proxy generates the CTL file, it needs to create the System Administrator Security Token (SAST) key to sign the CTL file itself. This key can be generated on the security appliance. A SAST is created as a self-signed certificate. Typically, a CTL file contains more than one SAST, so that if one SAST is not recoverable, another can be used to sign the file later.
Step 5 Click Apply to save the CTL file configuration settings.
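The CLI that the steps above correspond to, shown here as an added illustration rather than text from this guide. It assumes the ASA phone-proxy ctl-file syntax (ctl-file, record-entry, sast, shutdown/no shutdown); the instance name, trustpoint names and addresses are constructed placeholders.

```text
! Constructed example: a CTL file instance built from trustpoints
! (the "Create new CTL file" path, with no existing CTLFile.tlv in flash)
ctl-file asdm_ctl_1
  ! When an existing instance is edited, ASDM emits shutdown first
  shutdown
  ! One record entry per entity that the IP phones must trust;
  ! the address is the one the phones use to reach that entity
  record-entry cucm trustpoint cucm_tp address 10.0.0.10
  record-entry tftp trustpoint tftp_tp address 10.0.0.11
  record-entry cucm-tftp trustpoint cucm_tftp_tp address 10.0.0.12
  record-entry capf trustpoint capf_tp address 10.0.0.13
  ! Number of self-signed SAST tokens used to sign the file (default 2, maximum 5);
  ! keeping more than one lets the file be re-signed if a SAST is lost
  sast 2
  ! ASDM emits no shutdown as the last command; the CTL file is generated at this point
  no shutdown
```

Each record-entry type above maps to one of the Type values in the Add/Edit Record Entry dialog box, and each trustpoint must already exist on the security appliance before the instance is brought out of shutdown.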
Add/Edit Record Entry
Note This feature is not supported for ASDM version 6.1.5 or the Adaptive Security Appliance version 8.1.2.
Use the Add/Edit Record Entry dialog box to specify the trustpoints to be used for the creation of the
CTL file.
Add additional record-entry configurations for each entity that is required in the CTL file.
Fields
Type—Specifies the type of trustpoint to create:
cucm: Specifies the role of this trustpoint to be CCM. Multiple CCM trustpoints can be configured.
cucm-tftp: Specifies the role of this trustpoint to be CCM+TFTP. Multiple CCM+TFTP trustpoints
can be configured.
tftp: Specifies the role of this trustpoint to be TFTP. Multiple TFTP trustpoints can be configured.