41-20
Cisco ASA 5500 Series Configuration Guide using the CLI
Chapter41 Configuring Digital Certificates
Configuring Digital Certificates
Obtaining Certificates Automatically with SCEP
To obtain certificates automatically using SCEP, perform the following steps:
Command Purpose
Step1 crypto ca authenticate trustpoint
Example:
hostname/contexta(config)# crypto ca authenticate
Main
Obtains the CA certificate for the configured
trustpoint.
Note This step assumes that you have already
obtained a base-64 encoded CA certificate
from the CA represented by the trustpoint.
When you configure the trustpoint, use of the
enrollment url command determines whether or not
you must obtain certificates automatically via SCEP.
For more information, see the “Configuring
Trustpoints” section on page 41-10.
Step2 crypto ca enroll trustpoint
Example:
hostname/contexta(config)# crypto ca enroll Main
Enrolls the ASA with the trustpoint. Retrieves a
certificate for signing data and depending on the type
of keys that you have configured, for encrypting data.
Before entering this command, contact the CA
administrator, who may need to authenticate the
enrollment request manually before the CA grants
certificates.
If the ASA does not receive a certificate from the CA
within one minute (the default) of sending a
certificate request, it resends the certificate request.
The ASA continues sending a certificate request each
minute until a certificate is received.
If the fully qualified domain name configured for the
trustpoint is not identical to the fully qualified
domain name of the ASA, including the case of the
characters, a warning appears. To resolve this issue,
exit the enrollment process, make any necessary
corrections, and reenter the crypto ca enroll
command.
Note If the ASA reboots after you have issued the
crypto ca enroll command but before you
have received the certificate, reenter the
crypto ca enroll command and notify the CA
administrator.