Cisco Systems OL-16647-01 manual Configuring the Local CA Server, 33-14


Chapter 33 Configuring Certificates

Local Certificate Authority

Configurable Parameters                        Defaults
Length of time a one-time password is valid    72 hrs. (three days)

Caution: The Delete Certificate Authority Server button permanently removes the server configuration.

Configuring the Local CA Server

The CA Server window lets you customize, modify, and control Local CA server operation. This section describes the parameters that can be specified. Additional parameters are available when you click More Options. See More Local CA Configuration Options. For permanent removal of a configured Local CA, see Deleting the Local CA Server. To customize the Local CA server, first review the initial settings shown in the preceding table.

Note: The issuer-name and keysize server values cannot be changed once you enable the Local CA. Be sure to review all optional parameters carefully before you enable the configured Local CA.

Enable/Disable Buttons

The Enable/Disable buttons activate or deactivate the Local CA server. Once you enable the Local CA server with the Enable button, the security appliance generates the Local CA server certificate, key pair and necessary database files.

The key usage extension of the self-signed certificate includes key encryption, key signature, CRL signing, and certificate signing. The Enable button also archives the Local CA server certificate and key pair to storage in a PKCS12 file.

Note: Click Apply to save the Local CA certificate and key pair so that the configuration is not lost if you reboot the security appliance.

When you select the Disable button to halt the Local CA server, you shut down its operation on the security appliance. The configuration and all associated files remain in storage. Webpage enrollment is disabled while you change or reconfigure the Local CA.

Passphrase

When you enable the Local CA Server for the first time, you must provide an alphanumeric Enable passphrase. The passphrase protects the Local CA certificate and the Local CA certificate key pair archived in storage. The passphrase is required to unlock the PKCS12 archive if the Local CA certificate or key pair is lost and needs to be restored.

Note: There is no default for the enable passphrase; the passphrase is a required argument for enabling the Local CA Server. Be sure to keep a record of the enable passphrase in a safe place.

Issuer Name

The Certificate Issuer Name field contains the issuer's subject name DN, formed from the username and the subject-name-default DN setting as cn=<FQDN>. The Local CA server is the entity granting the certificate. The default certificate name is provided in the format cn=hostname.domainname.
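The sections above state three properties of the enabled Local CA: the self-signed CA certificate carries the key encryption, key signature, CRL signing and certificate signing key usage bits; the certificate and key pair are archived in a passphrase-protected PKCS12 file; and the issuer name is cn=hostname.domainname. The following added example (not Cisco code, and not taken from this guide) uses the Python cryptography library to build a constructed archive with those properties and then runs the check an operator would want to run against a real backup before relying on it: that the passphrase unlocks the archive and that the contents are the expected CA. The FQDN, passphrase and 2048-bit key size are assumptions for the example.

```python
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.hazmat.primitives.serialization import pkcs12


def build_local_ca_archive(fqdn, passphrase, keysize=2048):
    """Constructed stand-in for the appliance's PKCS12 archive: a self-signed CA
    with the four key usage bits named in the guide, issuer/subject cn=<FQDN>."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=keysize)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, fqdn)])
    now = datetime.now(timezone.utc)
    cert = (x509.CertificateBuilder()
            .subject_name(name).issuer_name(name)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(now).not_valid_after(now + timedelta(days=3 * 365))
            .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
            .add_extension(x509.KeyUsage(
                digital_signature=True, content_commitment=False, key_encipherment=True,
                data_encipherment=False, key_agreement=False, key_cert_sign=True,
                crl_sign=True, encipher_only=False, decipher_only=False), critical=True)
            .sign(key, hashes.SHA256()))
    return pkcs12.serialize_key_and_certificates(
        name=b"LOCAL-CA-SERVER", key=key, cert=cert, cas=None,
        encryption_algorithm=serialization.BestAvailableEncryption(passphrase))


def check_local_ca_archive(archive, passphrase, expected_fqdn):
    """Verify that a PKCS12 backup is restorable: passphrase unlocks it, the key
    matches the certificate, the certificate is a self-signed CA for the expected
    FQDN and carries the required key usage bits. Returns a findings dict."""
    try:
        key, cert, _chain = pkcs12.load_key_and_certificates(archive, passphrase)
    except ValueError:
        return {"ok": False, "problems": ["wrong passphrase or corrupt archive"]}
    problems = []
    if key is None or cert is None:
        return {"ok": False, "problems": ["archive lacks key or certificate"]}
    if key.public_key().public_numbers() != cert.public_key().public_numbers():
        problems.append("private key does not match certificate")
    cn = cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value
    if cn != expected_fqdn:
        problems.append(f"unexpected CN {cn!r}")
    if cert.subject != cert.issuer:
        problems.append("certificate is not self-signed")
    if not cert.extensions.get_extension_for_class(x509.BasicConstraints).value.ca:
        problems.append("basicConstraints CA flag not set")
    ku = cert.extensions.get_extension_for_class(x509.KeyUsage).value
    for bit in ("digital_signature", "key_encipherment", "key_cert_sign", "crl_sign"):
        if not getattr(ku, bit):
            problems.append(f"keyUsage missing {bit}")
    return {"ok": not problems, "cn": cn, "problems": problems}
```

Run the check against the archive you exported from the appliance with the enable passphrase you recorded; a result with a non-empty problems list means the backup would not restore the Local CA as enabled.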


Cisco Security Appliance Command Line Configuration Guide

