Cisco ASA 5500 Series Configuration Guide using the CLI
Chapter 41 Configuring Digital Certificates
Renewing Users
To specify the timing of renewal notices, perform the following steps:
Step 1
Command: crypto ca server
Example:
hostname(config)# crypto ca server
Purpose: Enters local CA server configuration mode. Allows you to configure and manage a local CA.

Step 2
Command: renewal-reminder time
Example:
hostname(config-ca-server)# renewal-reminder 7
Purpose: Specifies the number of days (1-90) before the local CA certificate expires that an initial reminder to reenroll is sent to certificate owners. If a certificate expires, it becomes invalid.

Renewal notices and the times they are e-mailed to users are variable, and can be configured by the administrator during local CA server configuration.

Three reminders are sent. An e-mail is automatically sent to the certificate owner for each of the three reminders, provided an e-mail address is specified in the user database. If no e-mail address exists for the user, a syslog message alerts you of the renewal requirement.

The ASA automatically grants certificate renewal privileges to any user who holds a valid certificate that is about to expire, as long as the user still exists in the user database. Therefore, if an administrator does not want to allow a user to renew automatically, the administrator must remove the user from the database before the renewal time period.
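
The removal deadline described above can be checked offline. The following Python script is an added example, not part of the Cisco guide or ASA software: it reports, for each unexpired certificate, when the initial reminder falls, whether notice goes by e-mail or syslog, and by when a deprovisioned user must be removed. The `CaUser` record, the `audit_renewals` function and the sample data are hypothetical and constructed, and the script assumes the renewal period opens on the day of the initial reminder.

```python
from datetime import date, timedelta
from typing import NamedTuple, Optional

class CaUser(NamedTuple):
    """Constructed record for illustration; not the ASA's own output format."""
    username: str
    email: Optional[str]      # None when the user database has no address
    cert_expires: date

def audit_renewals(users, deprovisioned, reminder_days, today):
    """Report reminder channel and removal deadline for each valid certificate."""
    if not 1 <= reminder_days <= 90:
        raise ValueError("renewal-reminder accepts 1-90 days")
    findings = []
    for u in users:
        if u.cert_expires < today:
            continue  # expired certificates are invalid, nothing to renew
        # Assumption: the renewal period opens with the initial reminder.
        window_opens = u.cert_expires - timedelta(days=reminder_days)
        if u.username not in deprovisioned:
            action = "none"
        elif today >= window_opens:
            action = "remove now: renewal period already open"
        else:
            action = f"remove before {window_opens.isoformat()}"
        findings.append({
            "user": u.username,
            "first_reminder": window_opens,
            "notify_via": "email" if u.email else "syslog",
            "action": action,
        })
    return findings

# Constructed sample data: usernames, addresses and dates are made up.
USERS = [
    CaUser("alice", "alice@example.com", date(2024, 6, 30)),
    CaUser("bob", None, date(2024, 6, 15)),
    CaUser("carol", "carol@example.com", date(2024, 7, 1)),
    CaUser("dave", "dave@example.com", date(2024, 6, 1)),
]

if __name__ == "__main__":
    # bob and carol stand in for accounts that should not renew.
    for finding in audit_renewals(USERS, {"bob", "carol"}, 7, date(2024, 6, 10)):
        print(finding)
```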