Cisco Systems OL-16647-01 manual Default Local CA Server, Configurable Parameters, Defaults, 33-13

Chapter 33 Configuring Certificates

Local Certificate Authority

Note: The local CA provides a certificate authority on the adaptive security appliance for use with SSL VPN connections, both browser- and client-based.

User enrollment is by browser webpage login. The Local CA integrates basic certificate authority functionality on the security appliance, deploys certificates, and provides secure revocation checking of issued certificates.

The following Local CA options allow you to initialize and set up the Local CA server and user database:

Configure the Local CA Server on the security appliance. See Configuring the Local CA Server.

Revoke/Unrevoke Local CA Certificates and update CRL. See Manage User Certificates.

Add, edit, and delete Local CA users. See Manage User Database.

Default Local CA Server

The Local CA window displays the parameters to be configured for setting up a Local CA Server on the security appliance. The default characteristics of the initial Local CA server are listed in the following table:

Configurable Parameters | Defaults
Enable/Disable buttons activate or deactivate the Local CA server. | Default is disabled. Select Enable to activate the Local CA server.
The Enable passphrase secures the Local CA server from unauthorized or accidental shutdown. | Required - No default. Supply a word with a minimum of seven alphanumeric characters.
Certificate Issuer's Name | cn=hostname.domainname
Issued certificate key-pair size | 1024 bits per key
Local CA Certificate key-pair size | 1024 bits per key
Length of time the server certificate is valid | Server Certificate = 3 yrs.
Length of time an issued user certificate is valid | User Certificate = 1 yr.
Simple Mail Transfer Protocol (SMTP) Server IP Address for Local CA e-mail | Required - No default. You supply the SMTP mail server IP address.
From-e-mail address that issues Local CA user certificate e-mail notices | Required - No default. Supply an e-mail address in adminname@host.com format.
Subject line in Local CA e-mail notices | "Certificate Enrollment Invitation"

More Options | More Defaults
Certificate Revocation List (CRL) Distribution Point (CDP), the location of the CRL on the Local CA security appliance | Specify the location of the CRL on the Local CA security appliance, http://hostname.domain/+CSCOCA+/asa_ca.crl
Length of time CRL is valid | CRL = 6 hrs.
Database Storage Location | On-board flash memory
Subject-name DN default to append to a username on issued certificates | Optional - No default. Supply a subject-name default value.
Post-enrollment/renewal period for retrieving an issued certificate PKCS12 file | 24 hours
Length of time a one-time password is valid | 72 hrs. (three days)
Days before expiration reminders are sent | 14 days prior to certificate expiration.
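The defaults in the table above (1024-bit keys, a 1-year user certificate, a 72-hour one-time password) are the baseline an auditor compares a running configuration against. The following is an added example, not Cisco's code or anything from this guide: it reads a constructed `crypto ca server` configuration excerpt, fills in the documented defaults for anything not set explicitly, and flags key sizes below 2048 bits and validity windows wider than the documented default. The `crypto ca server` sub-command keyword shapes (`keysize`, `keysize server`, `lifetime …`, `otp expiration`, `enrollment-retrieval`, `renewal-reminder`) and the 2048-bit minimum are assumptions of this example, not values taken from this page.

```python
import re

DOCUMENTED_DEFAULTS = {  # from the table above; units as on the page
    "keysize": 1024, "keysize server": 1024,                          # bits (issued cert, CA cert)
    "lifetime ca-certificate": 3 * 365, "lifetime certificate": 365,  # days
    "lifetime crl": 6, "enrollment-retrieval": 24, "otp expiration": 72,  # hours
    "renewal-reminder": 14,                                           # days before expiration
}
MIN_RSA_BITS = 2048  # assumption: minimum acceptable RSA key size for this review

def parse_ca_server(config: str) -> dict:
    """Collect numeric settings from the indented 'crypto ca server' block
    (CLI keyword shapes are assumed); unset values keep the documented default."""
    settings = dict(DOCUMENTED_DEFAULTS)
    in_block = False
    for line in config.splitlines():
        if line.strip() == "crypto ca server":
            in_block = True
            continue
        if in_block and not line.startswith(" "):
            in_block = False  # first unindented line ends the block
        if not in_block:
            continue
        for keyword in DOCUMENTED_DEFAULTS:
            m = re.fullmatch(re.escape(keyword) + r"\s+(\d+)", line.strip())
            if m:
                settings[keyword] = int(m.group(1))
    return settings

def review(config: str) -> list:
    """Flag key sizes below MIN_RSA_BITS and windows longer than the documented default."""
    s = parse_ca_server(config)
    findings = []
    for kw in ("keysize", "keysize server"):
        if s[kw] < MIN_RSA_BITS:
            findings.append(f"{kw} {s[kw]}: below {MIN_RSA_BITS} bits")
    for kw in ("lifetime certificate", "lifetime crl", "enrollment-retrieval", "otp expiration"):
        if s[kw] > DOCUMENTED_DEFAULTS[kw]:
            findings.append(f"{kw} {s[kw]}: longer than documented default {DOCUMENTED_DEFAULTS[kw]}")
    return findings

# Constructed running-config excerpt for demonstration; not from a real device.
SAMPLE_CONFIG = """crypto ca server
 keysize 1024
 keysize server 2048
 lifetime certificate 730
 otp expiration 168
 no shutdown
interface GigabitEthernet0/0
 nameif outside
"""
```

Running `review(SAMPLE_CONFIG)` reports the 1024-bit issued-certificate key, the 730-day user certificate and the 168-hour one-time password; the CA key and the unset CRL lifetime pass.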

Cisco Security Appliance Command Line Configuration Guide