Chapter 33 Configuring Certificates
CA Certificate Authentication
•Add Button—Add a new certificate configuration to the list. See Add/Install a CA Certificate.
•Edit Button—Modify an existing certificate configuration. See Edit CA Certificate Configuration.
•Show Details Button—Display the details and issuer information for the selected certificate. See Show CA Certificate Details.
•Request CRL Button—Access the Certificate Revocation List (CRL) for an existing CA certificate. See Request CRL.
•Delete Button—Remove the configuration of an existing CA certificate. See Delete a CA Certificate.
•Apply Button—Save the new or modified CA certificate configuration.
•Reset Button—Remove any edits and return the display to the original contents.
Modes
The following table shows the modes in which this feature is available (• = supported):
Firewall Mode | Firewall Mode | Security Context | Security Context | Security Context |
Routed | Transparent | Single | Multiple (Context) | Multiple (System) |
• | • | • | • | • |
Add/Install a CA Certificate
The CA Certificate panel lets you add a new certificate configuration from an existing file, by manually pasting a certificate, or by automatic enrollment. Click the appropriate option to activate one of the following:
•Install from a File:—To add a certificate configuration from an existing file, enter the path and file name of the file that contains the certificate, then click Install Certificate. You can type the path in the box, or click Browse to open the Load CA certificate file dialog box and navigate to the file.
•Paste certificate in PEM format:—For manual installation, copy and paste the certificate text into the panel, then click Install Certificate. The panel accepts the base64 PEM form (the text between the BEGIN CERTIFICATE and END CERTIFICATE lines) or a hexadecimal dump of the certificate.
•Use SCEP:—For automatic enrollment, the security appliance contacts the CA using the Simple Certificate Enrollment Protocol (SCEP), obtains the certificates, and installs them on the device. SCEP is a secure messaging protocol that requires minimal user intervention and lets you enroll and install certificates without leaving the management interface. To use SCEP, you must enroll with a CA that supports SCEP, and the security appliance must be able to reach the CA's SCEP URL over the network. Because SCEP carries the CA certificate over plain HTTP, compare the fingerprint of the retrieved CA certificate against a value obtained from the CA administrator out of band before you accept it.
SCEP automatic enrollment requires completion of the following fields:
–SCEP URL: HTTP:// Enter the remainder of the URL (host and path) of the SCEP enrollment service on the CA; the http:// prefix is supplied by the field.
–Retry Period: Specify the number of minutes the security appliance waits between enrollment attempts. The default is one minute.
–Retry Count: Specify the number of times the security appliance retries the enrollment. The default is 0, which means it retries indefinitely.
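Before installing a certificate from a file or pasting it in PEM form, it is worth confirming offline that the file really is a CA certificate, since the panel will install whatever it is given and Show Details only reports what the certificate says about itself. The following is an added example, not Cisco code or part of this guide: a standard-library Python script that parses a PEM certificate far enough to extract the fields Show Details displays (subject, issuer, serial, validity) and to check that the basicConstraints extension asserts cA=TRUE. The sample certificate it builds is constructed here for the example, with a placeholder key and signature and hypothetical names (Example, Example Root CA); it is not a real CA certificate and is not signature-verified.

```python
"""Added example, not Cisco code: pre-install sanity check for a CA certificate
in PEM form, standard library only. Extracts what Show Details would display and
verifies basicConstraints cA=TRUE. The sample certificate is CONSTRUCTED here."""
import base64
import datetime

OID_NAMES = {"2.5.4.3": "CN", "2.5.4.10": "O", "2.5.4.6": "C"}
OID_BASIC_CONSTRAINTS = "2.5.29.19"
UTC = datetime.timezone.utc

def _read_tlv(data, pos):                                # -> (tag, content, next_pos)
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                                    # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

def _children(content):                                  # TLVs inside a SEQUENCE/SET/[n]
    out, pos = [], 0
    while pos < len(content):
        tag, val, pos = _read_tlv(content, pos)
        out.append((tag, val))
    return out

def _decode_oid(content):
    arcs, n = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:                                # base-128 arcs
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, n = arcs + [n], 0
    return ".".join(map(str, arcs))

def _decode_name(content):                               # Name -> "C=US, O=..., CN=..."
    parts = []
    for _, rdn in _children(content):                    # RDN ::= SET OF ATV
        for _, atv in _children(rdn):
            (_, oid), (_, text) = _children(atv)
            oid = _decode_oid(oid)
            parts.append(f"{OID_NAMES.get(oid, oid)}={text.decode()}")
    return ", ".join(parts)

def pem_to_der(pem_text):
    body = pem_text.partition("-----BEGIN CERTIFICATE-----")[2].partition("-----END CERTIFICATE-----")
    if not body[1]:
        raise ValueError("no PEM CERTIFICATE block found")
    return base64.b64decode("".join(body[0].split()))

def certificate_details(pem_text):
    _, cert, _ = _read_tlv(pem_to_der(pem_text), 0)      # Certificate ::= SEQUENCE
    fields = _children(_children(cert)[0][1])            # tbsCertificate members
    i = 1 if fields[0][0] == 0xA0 else 0                 # skip explicit [0] version if present
    not_before, not_after = (datetime.datetime.strptime(v.decode(), "%y%m%d%H%M%SZ")
                             .replace(tzinfo=UTC) for _, v in _children(fields[i + 3][1]))
    is_ca = False                                        # absent extension means not a CA
    for tag, val in fields:
        if tag != 0xA3:                                  # [3] EXPLICIT Extensions
            continue
        for _, ext in _children(_children(val)[0][1]):
            ext_fields = _children(ext)                  # extnID, [critical], extnValue
            if _decode_oid(ext_fields[0][1]) == OID_BASIC_CONSTRAINTS:
                bc = _children(ext_fields[-1][1])[0][1]  # SEQUENCE inside the OCTET STRING
                is_ca = any(t == 0x01 and v == b"\xff" for t, v in _children(bc))
    return {"serial": int.from_bytes(fields[i][1], "big"), "is_ca": is_ca,
            "issuer": _decode_name(fields[i + 2][1]), "subject": _decode_name(fields[i + 4][1]),
            "not_before": not_before, "not_after": not_after}

def check_ca_certificate(pem_text, today="2025-06-01"):  # fixed date: reproducible offline
    d = certificate_details(pem_text)
    now = datetime.datetime.fromisoformat(today).replace(tzinfo=UTC)
    problems = []
    if not d["is_ca"]:
        problems.append("basicConstraints does not assert cA=TRUE")
    if not d["not_before"] <= now <= d["not_after"]:
        problems.append("certificate is outside its validity period")
    return problems

# ---- constructed sample certificate: hand-built DER, placeholder key and signature
SHA256_RSA = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"       # OID 1.2.840.113549.1.1.11

def _tlv(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content
def _encode_oid(oid):                                    # arcs after the first two fit in 7 bits
    a = [int(x) for x in oid.split(".")]
    return bytes([a[0] * 40 + a[1]] + a[2:])

def build_sample_cert(ca=True):
    name = _tlv(0x30, b"".join(
        _tlv(0x31, _tlv(0x30, _tlv(0x06, _encode_oid(o)) + _tlv(0x0C, t.encode())))
        for o, t in [("2.5.4.6", "US"), ("2.5.4.10", "Example"), ("2.5.4.3", "Example Root CA")]))
    validity = _tlv(0x30, _tlv(0x17, b"240101000000Z") + _tlv(0x17, b"340101000000Z"))
    alg = _tlv(0x30, _tlv(0x06, SHA256_RSA) + _tlv(0x05, b""))
    spki = _tlv(0x30, alg + _tlv(0x03, bytes(17)))             # placeholder key bits
    bc = _tlv(0x30, _tlv(0x01, b"\xff") if ca else b"")        # BasicConstraints { cA }
    ext = _tlv(0x30, _tlv(0x06, _encode_oid(OID_BASIC_CONSTRAINTS))
               + _tlv(0x01, b"\xff") + _tlv(0x04, bc))         # marked critical
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01") + alg
               + name + validity + name + spki + _tlv(0xA3, _tlv(0x30, ext)))
    der = _tlv(0x30, tbs + alg + _tlv(0x03, bytes(33)))        # placeholder signature
    b64 = base64.b64encode(der).decode()
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(
        b64[k:k + 64] for k in range(0, len(b64), 64)) + "\n-----END CERTIFICATE-----\n"
```

Run `check_ca_certificate(open("ca.pem").read())` on the file you are about to install; an empty list means the file carries a cA=TRUE basicConstraints extension and is currently valid. The parser deliberately stops at field extraction: it does not verify the signature, so a clean result says only that the file is structurally a CA certificate, not that it comes from the CA you expect. For that, compare the fingerprint the appliance shows with one obtained from the CA out of band.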
Cisco Security Appliance Command Line Configuration Guide | 33-2 | OL-16647-01