Cisco ASA 5500 Series Configuration Guide using the CLI
Chapter 41 Configuring Digital Certificates
Figure 41-1 The Local CA
Licensing Requirements for Digital Certificates
The following table shows the licensing requirements for this feature:
Prerequisites for Local Certificates
Local certificates have the following prerequisites:
- Make sure that the ASA is configured correctly to support certificates. An incorrectly configured ASA can cause enrollment to fail or request a certificate that includes inaccurate information.
- Make sure that the hostname and domain name of the ASA are configured correctly. To view the currently configured hostname and domain name, enter the show running-config command. For information about configuring the hostname and domain name, see the “Configuring the Hostname, Domain Name, and Passwords” section on page 10-1.
- Make sure that the ASA clock is set accurately before configuring the CA. Certificates have a date and time that they become valid and expire. When the ASA enrolls with a CA and obtains a certificate, the ASA checks that the current time is within the valid range for the certificate. If it is outside that range, enrollment fails.

Prerequisites for SCEP Proxy Support

Configuring the ASA as a proxy to submit requests for third-party certificates has the following requirements:
- AnyConnect Secure Mobility Client 3.0 or later must be running at the endpoint.
- The authentication method, configured in the connection profile for your group policy, must be set to use both AAA and certificate authentication.
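
The checks from both prerequisite lists above, written out as an ASA CLI session. This is an added example, not part of the original guide; the hostname, domain name, NTP server address, and the connection profile name EXAMPLE-PROFILE are placeholders.

```text
! --- Local certificate prerequisites ---
! Hostname and domain name are used in the certificate request,
! so confirm them before enrolling.
show running-config hostname
show running-config domain-name

! Confirm the clock. If the current time falls outside the validity
! range of the issued certificate, enrollment fails.
show clock
show ntp status

! Correct the values if needed (placeholders shown).
configure terminal
 hostname asa-example
 domain-name example.com
 ntp server 192.0.2.10
 end

! --- SCEP proxy prerequisite ---
! Review the connection profile, then require both AAA and
! certificate authentication on it.
show running-config tunnel-group EXAMPLE-PROFILE
configure terminal
 tunnel-group EXAMPLE-PROFILE webvpn-attributes
  authentication aaa certificate
 end
```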
[Figure 41-1, The Local CA. Diagram labels: User Enrollment Webpage for PKCS12 Users Certificate Enrollment and Retrieval; HTTP CRL retrieval; ASDM and CLI configuration and management; Local Database in flash memory or Mounted external file system (CIFS or FTP); Security Device with Local CA Configured.]
Model         License Requirement
All models    Base License.