Cisco ASA 5500 Series Configuration Guide using the CLI
Chapter 41 Configuring Digital Certificates
Configuring the CRL Lifetime
To configure the CRL lifetime, perform the following steps:

Step 1
Command: crypto ca server
Example:
hostname(config)# crypto ca server
Purpose: Enters local CA server configuration mode. Allows you to configure and manage a local CA.

Step 2
Command: lifetime crl time
Example:
hostname(config-ca-server)# lifetime crl 10
Purpose: Sets the length of time that you want the CRL to remain valid.
The local CA updates and reissues the CRL each time that a user certificate is revoked or unrevoked, but if no revocation changes occur, the CRL is reissued automatically once each CRL lifetime. If you do not specify a CRL lifetime, the default time period is six hours.

Step 3
Command: crypto ca server crl issue
Example:
hostname(config)# crypto ca server crl issue
A new CRL has been issued.
Purpose: Forces the issuance of a CRL at any time, which immediately updates and regenerates a current CRL to overwrite the existing CRL.
Note: Do not use this command unless the CRL file has been removed in error or has been corrupted and must be regenerated.

Configuring the Server Keysize
To configure the server keysize, perform the following steps:

Step 1
Command: crypto ca server
Example:
hostname(config)# crypto ca server
Purpose: Enters local CA server configuration mode. Allows you to configure and manage a local CA.

Step 2
Command: keysize server
Example:
hostname(config-ca-server)# keysize server 2048
Purpose: Specifies the size of the public and private keys generated at user-certificate enrollment. The keypair size options are 512, 768, 1024, 2048 bits, and the default value is 1024 bits.
Note: After you have enabled the local CA, you cannot change the local CA keysize, because all issued certificates would be invalidated. To change the local CA keysize, you must delete the current local CA and reconfigure a new one.
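
Because the keysize cannot be changed once the local CA is enabled, it is worth checking a saved configuration for the effective values before that point. The following Python audit is an added example, not part of the Cisco guide: it applies the defaults stated above (1024 bits, six hours) when a command is absent. The config layout (sub-commands indented under `crypto ca server`), the reading of the `lifetime crl` value as hours, the policy thresholds and the sample configs are all assumptions of this example.

```python
import re

# Defaults stated in the guide: keysize server 1024 bits, CRL lifetime six hours.
DEFAULTS = {"keysize server": 1024, "lifetime crl": 6}
MIN_KEY_BITS = 2048   # assumption: site policy floor, not a value from the guide
MAX_CRL_HOURS = 24    # assumption: site policy ceiling, not a value from the guide

# Constructed sample configurations (not captured from a real device).
HARDENED = "hostname asa1\ncrypto ca server\n keysize server 2048\n lifetime crl 10\n!\n"
WEAK = "hostname asa2\ncrypto ca server\n lifetime crl 48\n!\n"  # keysize left at default

def parse_local_ca(config_text):
    """Return effective local CA settings, or None if no 'crypto ca server' block."""
    settings, in_block, found = dict(DEFAULTS), False, False
    for line in config_text.splitlines():
        if line.rstrip() == "crypto ca server":
            in_block = found = True
            continue
        if in_block:
            if not line.startswith(" "):   # first unindented line ends the block
                in_block = False
                continue
            m = re.fullmatch(r"\s+(keysize server|lifetime crl)\s+(\d+)", line.rstrip())
            if m:
                settings[m.group(1)] = int(m.group(2))
    return settings if found else None

def audit_local_ca(config_text):
    """Return a list of findings for the local CA block (empty list means none)."""
    s = parse_local_ca(config_text)
    if s is None:
        return ["no local CA configured"]
    findings = []
    if s["keysize server"] < MIN_KEY_BITS:
        findings.append(f"keysize server {s['keysize server']} is below "
                        f"{MIN_KEY_BITS} bits; fix before enabling the CA")
    if s["lifetime crl"] > MAX_CRL_HOURS:
        findings.append(f"lifetime crl {s['lifetime crl']} exceeds "
                        f"{MAX_CRL_HOURS} hours")
    return findings

if __name__ == "__main__":
    for name, cfg in (("HARDENED", HARDENED), ("WEAK", WEAK)):
        print(name, parse_local_ca(cfg), audit_local_ca(cfg) or "no findings")
```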