41-17
Cisco ASA 5500 Series Configuration Guide using the CLI
Chapter41 Configuring Digital Certificates
Configuring Digital Certificates
Configuring CA Certificate Map Rules
You can configure rules based on the Issuer and Subject fields of a certificate. Using the rules you create,
you can map IPsec peer certificates to tunnel groups with the tunnel-group-map command. The ASA
supports one CA certificate map, which can include many rules.
To configure a CA certificate map rule, perform the following steps:
Command Purpose
Step1 crypto ca certificate map sequence-number
Example:
hostname(config)# crypto ca certificate map 1
Enters CA certificate map configuration mode for the
rule you want to configure and specifies the rule
index number.
Step2 issuer-name DN-string
Example:
hostname(config-ca-cert-map)# issuer-name
cn=asa.example.com
Specifies the distinguished name of all issued
certificates. which is also the subject-name DN of the
self-signed CA certificate. Use commas to separate
attribute-value pairs. Insert quotation marks around any
value that includes a comma. An issuer-name must be
less than 500 alphanumeric characters. The default
issuer-name is cn=hostame.domain-name.
Step3 subject-name attr tag eq | co | ne | nc string
Example:
hostname(config-ca-cert-map)# subject-name attr cn
eq mycert
Specifies tests that the ASA can apply to values
found in the Subject field of certificates. The tests
can apply to specific attributes or to the entire field.
You can configure many tests per rule, and all the
tests you specify with these commands must be true
for a rule to match a certificate. The following are
valid operators:
eq—The field or attribute must be identical to the
value given.
ne—The field or attribute cannot be identical to
the value given.
co—Part or all of the field or attribute must
match the value given.
nc—No part of the field or attribute can match
the value given.
Step4 write memory
Example:
hostname (config)# write memory
Saves the running configuration.