41-37
Cisco ASA 5500 Series Configuration Guide using the CLI
Chapter41 Configuring Digital Certificates
Configuring Digital Certificates
Step4 crypto ca server user-db show-otp
Example:
hostname (config- ca-server)# crypto ca server
user-db show-otp
Shows the issued OTP.
Step5 otp expiration timeout
Example:
hostname (config-ca-server)# otp expiration 24
Sets the enrollment time limit in hours. The default
expiration time is 72 hours. The otp expiration
command defines the amount of time that the OTP is
valid for user enrollment. This time period begins
when the user is allowed to enroll.
After a user enrolls successfully within the time limit
and with the correct OTP, the local CA server creates
a PKCS12 file, which includes a keypair for the user
and a user certificate that is based on the public key
from the keypair generated and the subject-name DN
specified when the user is added. The PKCS12 file
contents are protected by a passphrase, the OTP. The
OTP can be handled manually, or the local CA can
e-mail this file to the user to download after the
administrator allows enrollment.
The PKCS12 file is saved to temporary storage with
the name, username.p12. With the PKCS12 file in
storage, the user can return within the
enrollment-retrieval time period to download the
PKCS12 file as many times as needed. When the time
period expires, the PKCS12 file is removed from
storage automatically and is no longer available to
download.
Note If the enrollment period expires before the
user retrieves the PKCS12 file that includes
the user certificate, enrollment is not
permitted.
Command Purpose