44-17
Cisco ASA 5500 Series Configuration Guide using ASDM
Chapter 44 Configuring Digital Certificates
Configuring Identity Certificates Authentication
Step 10 Choose the modulus size from the drop-down list. If you are not sure of the modulus size, consult Entrust.
Step 11 Choose the key pair usage by clicking the General purpose radio button (default) or the Special radio button. When you choose the Special radio button, the ASA generates two key pairs, one for signature use and one for encryption use. This selection indicates that two certificates are required for the corresponding identity.
Step 12 Click Generate Now to create new key pairs, and then click Show to display the Key Pair Details dialog box, which includes the following display-only information:
• The name of the key pair whose public key is to be certified.
• The time of day and the date when the key pair is generated.
• The usage of an RSA key pair.
• The modulus size (bits) of the key pairs: 512, 768, 1024, and 2048. The default is 1024.
• The key data, which includes the specific key data in text format.
Step 13 Click OK when you are done to close the Key Pair Details dialog box.
Step 14 Choose a certificate subject DN to form the DN in the identity certificate, and then click Select to display the Certificate Subject DN dialog box.
Step 15 Choose one or more DN attributes that you want to add from the drop-down list, enter a value, and then click Add. Available X.500 attributes for the Certificate Subject DN are the following:
• Common Name (CN)
• Department (OU)
• Company Name (O)
• Country (C)
• State/Province (ST)
• Location (L)
• E-mail Address (EA)
Step 16 Click OK when you are done to close the Certificate Subject DN dialog box.
Step 17 To create self-signed certificates, check the Generate self-signed certificate check box.
Step 18 To have the identity certificate act as the local CA, check the Act as local certificate authority and issue dynamic certificates to TLS proxy check box.
Step 19 To establish additional identity certificate settings, click Advanced.
The Advanced Options dialog box appears, with the following three tabs: Certificate Parameters, Enrollment Mode, and SCEP Challenge Password.
Note Enrollment mode settings and the SCEP challenge password are not available for self-signed certificates.
Step 20 Click the Certificate Parameters tab, and then enter the following information:
• The FQDN, an unambiguous domain name, to indicate the position of the node in the DNS tree hierarchy.
• The e-mail address associated with the identity certificate.
• The ASA IP address on the network in four-part, dotted-decimal notation.
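The key pair, subject DN and Certificate Parameters that Steps 12 through 20 collect in ASDM can be assembled offline with standard tooling, which makes it easier to see what the dialog boxes produce. The Go program below is an added example built on the standard library only, not code from the Cisco guide or from the ASA: it generates an RSA key pair of the chosen modulus size, maps the seven X.500 attributes onto the subject DN (emailAddress needs an explicit OID because pkix.Name has no field for it), places the FQDN, e-mail address and IP address in the Subject Alternative Name extension, and self-signs the result as the Generate self-signed certificate check box would. The IdentityRequest type and SelfSignedIdentityCert function are the example's own names, and the example assumes every attribute is supplied.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"math/big"
	"net"
	"time"
)

// IdentityRequest mirrors the ASDM inputs: the seven Subject DN attributes and the three SAN values.
type IdentityRequest struct {
	CN, OU, O, C, ST, L, EA, FQDN, Email string // EA is emailAddress; all fields assumed supplied
	IP                                   net.IP
}

// emailAddress OID: pkix.Name has no dedicated field for it, so EA goes through ExtraNames.
var oidEmailAddress = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 9, 1}

// SelfSignedIdentityCert generates a general purpose RSA key pair (one key for both signature and
// encryption use) of the given modulus size and self-signs an identity certificate for it (tmpl is its own parent).
func SelfSignedIdentityCert(bits int, r IdentityRequest) (*x509.Certificate, *rsa.PrivateKey, error) {
	key, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), // constructed value; a real issuer uses a random serial
		Subject: pkix.Name{
			CommonName: r.CN, OrganizationalUnit: []string{r.OU}, Organization: []string{r.O},
			Country: []string{r.C}, Province: []string{r.ST}, Locality: []string{r.L},
			ExtraNames: []pkix.AttributeTypeAndValue{{Type: oidEmailAddress, Value: r.EA}},
		},
		NotBefore:      time.Now(),
		NotAfter:       time.Now().AddDate(1, 0, 0),
		KeyUsage:       x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		DNSNames:       []string{r.FQDN},
		EmailAddresses: []string{r.Email},
		IPAddresses:    []net.IP{r.IP},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}
```

Calling it with 2048 matches the largest modulus size listed in Step 12; the returned certificate can be inspected directly for its subject attributes, SAN entries and key size.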