41-9
Cisco ASA 5500 Series Configuration Guide using the CLI
Chapter41 Configuring Digital Certificates
Configuring Digital Certificates
Configuring Digital Certificates
This section describes how to configure local CA certificates. Make sure that you follow the sequence
of tasks listed to correctly configure this type of digital certificate. This section includes the following
topics:
Configuring Key Pairs, page41-9
Removing Key Pairs, page41-10
Configuring Trustpoints, page41-10
Configuring CRLs for a Trustpoint, page41-13
Exporting a Trustpoint Configuration, page 41-15
Importing a Trustpoint Configuration, page 41-16
Configuring CA Certificate Map Rules, page41-17
Obtaining Certificates Manually, page41-18
Obtaining Certificates Automatically with SCEP, page41-20
Configuring Proxy Support for SCEP Requests, page41-21
Enabling the Local CA Server, page41-22
Configuring the Local CA Server, page41-23
Customizing the Local CA Server, page41-25
Debugging the Local CA Server, page 41-26
Disabling the Local CA Server, page 41-26
Deleting the Local CA Server, page41-26
Configuring Local CA Certificate Characteristics, page41-27

Configuring Key Pairs

To generate key pairs, perform the following steps:
Command Purpose
Step1 crypto key generate rsa
Example:
hostname/contexta(config)# crypto key generate rsa
Generates one, general-purpose RSA key pair. The
default key modulus is 1024. To specify other
modulus sizes, use the modulus keyword.
Note Many SSL connections using identity
certificates with RSA key pairs that exceed
1024 bits can cause high CPU usage on the
ASA and rejected clientless logins.
Step2 crypto key generate rsa label key-pair-label
Example:
hostname/contexta(config)# crypto key generate rsa
label exchange
(Optional) Assigns a label to each key pair. The label
is referenced by the trustpoint that uses the key pair.
If you do not assign a label, the key pair is
automatically labeled, Default-RSA-Key.