Cisco Systems OL-16647-01 manual 33-16

Chapter 33 Configuring Certificates

Local Certificate Authority

Publish CRL Interface and Port:

Makes the CRL available for HTTP download on a given interface and port. Select an interface from the pull-down list. The optional port can be any port number in the range 1-65535; TCP port 80 is the HTTP default port number.

The CDP URL can be configured to utilize the IP address of an interface, and the path of the CDP URL and the file name can be configured also. (Note that you cannot rename the CRL; it always has the fixed name, LOCAL-CA-SERVER.crl.)

For example, the CDP URL could be configured as http://10.10.10.100/user8/my_crl_file. In this case only the interface with that IP address serves the CRL, and when a request comes in, the security appliance matches the request path /user8/my_crl_file against the configured CDP URL. When the path matches, the security appliance returns the CRL file from storage. Note that the protocol must be HTTP, so the prefix is http://.

CRL Lifetime

The Certificate Revocation List (CRL) Lifetime field specifies the length of time in hours that the CRL is valid. The default for the CA Certificate is six hours.

The Local CA updates and reissues the CRL every time a user certificate is revoked or unrevoked, but if there are no revocation changes, the CRL is reissued once every CRL lifetime. You can force an immediate CRL update and list regeneration with the CRL Issue button on the Manage CA Certificates panel.

Database Storage Location

The Database Storage Location field allows you to specify a storage area for the Local CA configuration and data files. The security appliance stores and accesses user information, issued certificates, revocation lists, and so forth in a Local CA database.

The Local CA database can be configured to reside on an off-box file system that is mounted and accessible to the security appliance. To specify an external file or share, enter the pathname to the external file or click Browse and search for the file.

Note: Flash memory can store a database of 3500 users or fewer; a database of more than 3500 users requires off-box storage.

Default Subject Name

The Default Subject Name (DN) field allows you to specify a default subject name to append to the username on issued certificates. The permitted DN attribute keywords are listed below:

Default Subject Name (subject-name-default) DN Keywords

CN = Common Name
SN = Surname
O  = Organization Name
L  = Locality
C  = Country
OU = Organization Unit
EA = E-mail Address
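As an added example (not from the manual or from Cisco), the following Python models the two rules this section states: a Default Subject Name may use only the permitted keywords above, and a CRL request is served only when its host and path match the configured http CDP URL. The function names, and the assumption that the username becomes the CN with the default attributes appended after it, are mine, not the manual's.

```python
"""Model of the Local CA rules described on this page (added example, not Cisco code)."""
from urllib.parse import urlparse

# Permitted Default Subject Name keywords, from the table on this page.
PERMITTED_DN_KEYWORDS = {"CN", "SN", "O", "L", "C", "OU", "EA"}
CRL_FILE_NAME = "LOCAL-CA-SERVER.crl"  # fixed name; the CRL cannot be renamed


def parse_default_dn(default_dn):
    """Split 'O=Example,C=US' into [('O', 'Example'), ('C', 'US')].
    Raises ValueError for a keyword outside the permitted list."""
    attrs = []
    for part in default_dn.split(","):
        key, sep, value = part.strip().partition("=")
        key, value = key.strip().upper(), value.strip()
        if not sep or key not in PERMITTED_DN_KEYWORDS or not value:
            raise ValueError(f"invalid Default Subject Name attribute: {part!r}")
        attrs.append((key, value))
    return attrs


def build_subject(username, default_dn):
    """Assumption (not stated by the manual): the username becomes the CN and
    the Default Subject Name attributes are appended after it, in order."""
    attrs = [("CN", username)] + parse_default_dn(default_dn)
    return ",".join(f"{k}={v}" for k, v in attrs)


def validate_cdp_url(cdp_url, interface_ips):
    """Return a list of configuration problems (an empty list means OK):
    the protocol must be http and the host must be a configured interface IP."""
    url = urlparse(cdp_url)
    problems = []
    if url.scheme != "http":
        problems.append("CDP URL must start with http://")
    if url.hostname not in interface_ips:
        problems.append(f"host {url.hostname} is not an interface IP address")
    return problems


def match_cdp_request(cdp_url, request_host, request_path):
    """Serve the CRL only when the request's host and path both equal the
    configured CDP URL's host and path; return the file name or None."""
    url = urlparse(cdp_url)
    if request_host != url.hostname or request_path != url.path:
        return None
    return CRL_FILE_NAME
```

With the page's own URL, `match_cdp_request("http://10.10.10.100/user8/my_crl_file", "10.10.10.100", "/user8/my_crl_file")` returns the fixed CRL file name, while any other host or path returns None.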

Cisco Security Appliance Command Line Configuration Guide