Cisco Systems OL-16647-01 Generate Certificate Signing Request, Installing Identity Certificates


Chapter 33 Configuring Certificates

Identity Certificates Authentication

Generate Certificate Signing Request

This pane lets you generate a certificate signing request to send to Entrust. Be aware that at the time of this release, Entrust supports a key modulus size of 1024 only. Consult Entrust if you are using any other value.

Generate Certificate Signing Request Fields

Key Pair—Use the drop-down menu to display the configured key pairs by name.

Show—Click to display information about the selected key pair, including date and time generated, usage (general or special purpose), modulus size, and key data.

New—Click to add a new key pair, providing a name, modulus size, and usage. When you generate the key pair, you have the option of sending it to the security appliance or saving it to a file.

Certificate Subject DN—Identifies DN attributes for the certificate.

Common Name (CN)—Enter the FQDN or IP address of the security appliance.

Organization (O)—Provide the name of the company.

Country (C)—Enter the two-letter code for the country.

Optional Parameters—Lets you add additional attributes for the signing request.

Additional DN Attributes—These include Department (OU), State (ST), Location (L), and E-mail Address (EA).

FQDN (SubjectAlt Name)—Use this certificate extension field to enter additional fully qualified domain name information if the CA requires it.

Generate Request—Click to generate the certificate signing request, which you can then Send to Entrust, or Save to File, and send later.
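
The following is an added example, not part of the Cisco guide: a shell function that checks a request saved with Save to File before it is sent to the CA, covering the self-signature, the modulus size, the CN, O and C attributes, and the optional SubjectAlt Name FQDN. It assumes the saved file is a PEM-encoded PKCS#10 request and that OpenSSL 1.1.1 or later is installed; the function names, the sample subject and asa.example.com are constructed for illustration.

```shell
#!/bin/sh
# Added example: pre-submission checks on a CSR saved with "Save to File".
# check_csr FILE MIN_BITS -> returns 0 if the request passes, 1 otherwise.
check_csr() {
    csr=$1; min_bits=$2; rc=0
    # 1. Self-signature: shows the requester holds the matching private key.
    if ! openssl req -in "$csr" -noout -verify 2>&1 | grep -q 'verify OK'; then
        echo "FAIL: self-signature does not verify"; return 1
    fi
    text=$(openssl req -in "$csr" -noout -text)
    # 2. Modulus size; the minimum is a parameter because it depends on the CA.
    bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p')
    if [ -z "$bits" ] || [ "$bits" -lt "$min_bits" ]; then
        echo "FAIL: modulus ${bits:-unknown} bits, need at least $min_bits"; rc=1
    fi
    # 3. Subject DN must carry the CN, O and C attributes described above.
    dn=$(openssl req -in "$csr" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//')
    for attr in CN O C; do
        case ",$dn" in
            *",$attr="*) ;;
            *) echo "FAIL: subject DN has no $attr attribute"; rc=1 ;;
        esac
    done
    # 4. The SubjectAlt Name FQDN is optional, so its absence is only reported.
    printf '%s\n' "$text" | grep -q 'DNS:' || echo "NOTE: no FQDN in subjectAltName"
    return $rc
}

# Constructed sample input (not from the guide): a throwaway key and CSR.
# make_sample_csr OUTFILE SUBJECT   e.g. "/C=US/O=Example Corp/CN=asa.example.com"
make_sample_csr() {
    openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" \
        -subj "$2" -addext 'subjectAltName=DNS:asa.example.com' \
        -out "$1" 2>/dev/null
}
```

Call it as `check_csr request.pem 2048`, substituting the modulus size your CA accepts.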

Modes

The following table shows the modes in which this feature is available:

Firewall Mode: Routed, Transparent

Security Context: Single, Multiple (Context, System)

Installing Identity Certificates

The Install button on the Identity Certificates window is inactive unless there is a pending enrollment. Whenever the security appliance receives a Certificate Signing Request (CSR), the Identity Certificates window displays the pending ID certificate. When you highlight the pending Identity Certificate, the Install button activates.

When you transmit the pending file to a CA, the CA enrolls it and returns a certificate to the security appliance. Once you have the certificate, click the Install button and highlight the appropriate Identity and CA certificates to complete the operation.

The following steps illustrate adding and installing a pending Identity Certificate:

 

Cisco Security Appliance Command Line Configuration Guide
