Cisco Systems OL-16647-01 manual More Local CA Configuration Options, 33-15


Chapter 33 Configuring Certificates

Local Certificate Authority

CA Server Key Size

The CA Key Size parameter is the size of the key pair used for the server certificate generated for the Local CA server. Key size can be 512, 768, 1024, or 2048 bits per key. The default size is 1024 bits per key.

Client Key Size

The Key Size field specifies the size of the key pair to be generated for each user certificate issued by the Local CA server. Key size can be 512, 768, 1024, or 2048 bits per key. The default size is 1024 bits per key.

CA Certificate Lifetime

The CA Certificate Lifetime field specifies the length of time in days that the CA server certificate is valid. The default for the CA Certificate is 3650 days (10 years).

The Local CA Server automatically generates a replacement CA certificate 30 days prior to the CA certificate expiration, allowing the replacement certificate to be exported and imported onto any other devices for Local CA certificate validation of user certificates issued by the Local CA certificate after expiration. The pre-expiration Syslog message:

%ASA-1-717049: Local CA Server certificate is due to expire in <days> days and a replacement certificate is available for export.

Note When notified of this automatic rollover, the administrator must take action to ensure the new Local CA certificate is imported to all necessary devices prior to expiration.
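The rollover timing described above, as an added example (not Cisco code): it computes when a Local CA certificate with the given lifetime will have its replacement generated (30 days before expiry) and parses %ASA-1-717049 syslog lines so an operator can see how many days remain to export and import the new certificate. The syslog lines are constructed for this example.

```python
"""Track the Local CA certificate rollover window (added example, not Cisco's code)."""
import re
from datetime import date, timedelta

ROLLOVER_LEAD_DAYS = 30           # page: replacement generated 30 days before expiry
DEFAULT_CA_LIFETIME_DAYS = 3650   # page: default CA certificate lifetime

# Message format from the page; <days> is the only variable part.
ROLLOVER_MSG = re.compile(
    r"%ASA-1-717049: Local CA Server certificate is due to expire in (\d+) days"
)


def rollover_window(issued: date, lifetime_days: int = DEFAULT_CA_LIFETIME_DAYS):
    """Return (replacement_available_on, expires_on) for a CA cert issued on `issued`."""
    expires = issued + timedelta(days=lifetime_days)
    return expires - timedelta(days=ROLLOVER_LEAD_DAYS), expires


def days_left(line: str):
    """Days remaining reported by a 717049 line, or None if the line is another message."""
    m = ROLLOVER_MSG.search(line)
    return int(m.group(1)) if m else None


def pending_rollovers(lines, max_days: int = ROLLOVER_LEAD_DAYS):
    """(days, line) pairs announcing an exportable replacement, most urgent first."""
    hits = [(d, ln) for ln in lines
            if (d := days_left(ln)) is not None and d <= max_days]
    return sorted(hits)


# Constructed sample syslog; only the 717049 lines matter to the check.
SAMPLE_SYSLOG = [
    "%ASA-6-302013: Built outbound TCP connection 1 for outside:192.0.2.10/443",
    "%ASA-1-717049: Local CA Server certificate is due to expire in 30 days "
    "and a replacement certificate is available for export.",
    "%ASA-1-717049: Local CA Server certificate is due to expire in 7 days "
    "and a replacement certificate is available for export.",
]

if __name__ == "__main__":
    available, expires = rollover_window(date(2008, 1, 1))
    print(f"replacement available {available}, CA cert expires {expires}")
    for days, line in pending_rollovers(SAMPLE_SYSLOG):
        print(f"{days:>3} days left: {line}")
```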

Client Certificate Lifetime

The Client Certificate Lifetime field specifies the length of time in days that a user certificate issued by the CA server is valid. The default for the client certificate is 365 days (one year).

SMTP Server & Email Settings

To set up e-mail access for the Local CA server, you configure the Simple Mail Transfer Protocol (SMTP) e-mail server, the e-mail address from which to send e-mails to Local CA users, and a standard subject line for Local CA e-mails.

Server IP Address - The Server IP Address field requires the Local CA e-mail server’s IP address. There is no default for the server IP address; you must supply the SMTP mail server IP address.

From Address - The From Address field requires an e-mail address from which to send e-mails to Local CA users. Automatic e-mail messages carry one-time passwords to newly enrolled users and notify users when certificates need to be renewed or updated. There is no From Address default value; you are required to supply an e-mail address in adminname@host.com format.

Subject - The Subject field is a line of text specifying the subject line in all e-mails sent to users by the Local CA server. If you do not specify a subject field, the default inserted by the Local CA server is “Certificate Enrollment Invitation”.

More Local CA Configuration Options

CRL Distribution Point URL

The Certificate Revocation List (CRL) Distribution Point (CDP) is the location of the CRL on the security appliance. The default CRL DP location is http://hostname.domain/+CSCOCA+/asa_ca.crl.

Cisco Security Appliance Command Line Configuration Guide
