Cisco Systems OL-16647-01 manual CA Certificate Authentication, A P T E R, CA Certificates Fields

Page 1

C H A P T E R 33

Configuring Certificates

Digital certificates provide digital identification for authentication. A digital certificate contains information that identifies a device or user, such as the name, serial number, company, department, or IP address. CAs issue digital certificates in the context of a PKI, which uses public-key/private-key encryption to ensure security. CAs are trusted authorities that “sign” certificates to verify their authenticity, thus guaranteeing the identity of the device or user.

For authentication using digital certificates, there must be at least one identity certificate and its issuing CA certificate on a security appliance, which allows for multiple identities, roots and certificate hierarchies. There a number of different types of digital certificates listed below:

A CA certificate is one used to sign other certificates. A CA certificate that is self-signed is called a root certificate; one issued by another CA certificate is called a subordinate certificate. See CA Certificate Authentication.

CAs also issue identity certificates, which are the certificates for specific systems or hosts. See Identity Certificates Authentication.

Code-signer certificates are special certificates used to create digital signatures to sign code, with the signed code itself revealing the certificate origin. See Code-Signer Certificates

The Local Certificate Authority (CA) integrates an independent certificate authority functionality on the security appliance, deploys certificates, and provides secure revocation checking of issued certificates. The Local CA provides a secure configurable inhouse authority for certificate authentication with user enrollment by browser web page login. See Local Certificate Authority, Manage User Certificates, and Manage User Database.

CA Certificate Authentication

The CA Certificates panel allows you to authenticate self-signed or subordinate CA certificates and to install them on the security appliance. You can create a new certificate configuration or you can edit an existing one.

If the certificate you select is configured for manual enrollment, you should obtain the CA certificate manually and import it here. If the certificate you select is configured for automatic enrollment, the security appliance uses the SCEP protocol to contact the CA, and then automatically obtains and installs the certificate.

CA Certificates Fields

Certificates —Displays a list of the certificates available identified by issued to and by, the date the certificate expires, and the certificate’s usage or purpose. You can click a certificate in the list and edit its configuration, or you can add a new certificate to the displayed list.

 

 

Cisco Security Appliance Command Line Configuration Guide

 

 

 

 

 

 

 

OL-16647-01

 

 

33-1

 

 

 

 

 

Page 1 Page 2
Image 1
Page 1 Page 2
Contents A P T E R CA Certificate AuthenticationCA Certificates Fields 33-1Modes Firewall Mode Security Context Multiple RoutedSingle Context System 33-2Show CA Certificate Details Edit CA Certificate ConfigurationRequest CRL Delete a CA CertificateRevocation Check Configuration Configuration Options for CA CertificatesCRL Retrieval Policy Configuration 33-433-5 Advanced Configuration Options33-6 Identity Certificates AuthenticationAdd Identity Certificate Fields Add/Install an Identity Certificate33-7 Certificate Subject DN Attributes Show Identity Certificate Details33-8 Export an Identity Certificate Delete an Identity CertificateExport Identity Certificate Fields 33-9Generate Certificate Signing Request Installing Identity CertificatesGenerate Certificate Signing Request Fields 33-10Code-Signer Certificates To install an Identity CertificateTo Add the Identity Certificate 33-11Show Code-Signer Certificate Details Local Certificate AuthorityDelete a Code-Signer Certificate Import or Export a Code-Signer CertificateConfigurable Parameters Default Local CA ServerDefaults 33-1333-14 Configuring the Local CA Sever33-15 More Local CA Configuration Options33-16 33-17 Deleting the Local CA ServerManage User Database Manage User CertificatesRevoking a Local CA Certificate Unrevoking a Local CA CertificateDelete a Local CA User Edit a Local CA UserAllow Enrollment Email OTP33-20
Top Page Image Contents