41-29
Cisco ASA 5500 Series Configuration Guide using the CLI
Chapter41 Configuring Digital Certificates
Configuring Digital Certificates
Configuring the User Certificate Lifetime
To configure the user certificate lifetime, perform the following steps:
Step2 lifetime ca-certificate time
Example:
hostname (config-ca-server)# lifetime ca-certificate
365
Determines the expiration date included in the
certificate. The default lifetime of a local CA
certificate is three years.
Make sure that you limit the validity period of the
certificate to less than the recommended end date of
03:14:08 UTC, January 19, 2038.
Step3 no lifetime ca-certificate
Example:
hostname (config-ca-server)# no lifetime
ca-certificate
(Optional) Resets the local CA certificate lifetime to
the default value of three years.
The local CA server automatically generates a
replacement CA certificate 30 days before it expires,
which allows the replacement certificate to be
exported and imported onto any other devices for
certificate validation of user certificates that have
been issued by the local CA certificate after the
current local CA certificate has expired. The
following preexpiration syslog message is generated:
%ASA-1-717049: Local CA Server certificate is
due to expire in days days and a replacement
certificate is available for export.
Note When notified of this automatic rollover, the
administrator must make sure that the new
local CA certificate is imported onto all
required devices before it expires.
Command Purpose
Command Purpose
Step1 crypto ca server
Example:
hostname (config)# crypto ca server
Enters local CA server configuration mode. Allows
you to configure and manage a local CA.
Step2 lifetime certificate time
Example:
hostname (config- ca-server)# lifetime certificate
60
Sets the length of time that you want user certificates
to remain valid.
Note Before a user certificate expires, the local CA
server automatically initiates certificate
renewal processing by granting enrollment
privileges to the user several days ahead of
the certificate expiration date, setting renewal
reminders, and delivering an e-mail message
that includes the enrollment username and
OTP for certificate renewal. Make sure that
you limit the validity period of the certificate
to less than the recommended end date of
03:14:08 UTC, January 19, 2038.