Cisco Systems ASA 5510, ASA 5512-X, ASA 5515-X, ASA 5520, ASA 5525-X, ASA 5540, ASA 5545-X, ASA 5550, ASA 5555-X, ASA 5580, ASA 5585-X, ASA 5505

44-24

Cisco ASA 5500 Series Configuration Guide using ASDM

Chapter44 Configuring Digital Certificates

Authenticating Using the Local CA

Note Be sure to review all optional settings carefully before you enable the configured local CA. After

you enable it, the certificate issuer name and key size server values cannot be changed.

The self-signed certificate key usage extension enables key encryption, key signature, CRL signature,

and certificate signature.

Step3 When you enable the local CA for the first time, you must enter and confirm an alphanumeric Enable

passphrase, which must have a minimum of seven, alphanumeric characters. The passphrase protects the

local CA certificate and the local CA certificate key pair archived in storage, and secures the local CA

server from unauthorized or accidental shutdown. The passphrase is required to unlock the PKCS12

archive if the local CA certificate or key pair is lost and must be restored.

Note The Enable passphrase is required to enable the local CA server. Be sure to keep a record of the

Enable passphrase in a safe location.

Step4 Click Apply to save the local CA certificate and key pair, so the configuration is not lost if you reboot

the ASA.

Step5 To change or reconfigure the local CA after the local CA has been configured for the first time, you must

shut down the local CA server on the ASA by unchecking the Enable Certificate Authority Server

check box. In this state, the configuration and all associated files remain in storage and enrollment is

disabled.

After the configured local CA has been enabled, the following two settings are display-only:

•The Issuer Name field, which lists the issuer subject name and domain name, and is formed using

the username and the subject-name-default DN setting as cn=FQDN. The local CA server is the

entity that grants the certificate. The default certificate name is provided in the format,

cn=hostname.domainname.

•The CA Server Key Size setting, which is used for the server certificate generated for the local CA

server. Key sizes can be 512, 768, 1024, or 2048 bits per key. The default is 1024 bits per key.

Step6 From the drop-down list, choose the client key size of the key pair to be generated for each user

certificate issued by the local CA server. Key sizes can be 512, 768, 1024, or 2048 bits per key. The

default is 1024 bits per key.

Step7 Enter the CA certificate lifetime value, which specifies the number of days that the CA server certificate

is valid. The default is 3650 days (10 years). Make sure that you limit the validity period of the certificate

to less than the recommended end date of 03:14:08 UTC, January 19, 2038.

The local CA server automatically generates a replacement CA certificate 30 days before expiration,

which enables the replacement certificate to be exported and imported onto any other devices for local

CA certificate validation of user certificates that have been issued by the local CA after they have

expired.

To notify users of the upcoming expiration, the following syslog message appears in the Latest ASDM

Syslog Messages pane:

%ASA-1-717049: Local CA Server certificate is due to expire in days days and a replacement

certificate is available for export.

Note When notified of this automatic rollover, the administrator must take action to make sure that

the new local CA certificate is imported to all necessary devices before it expires.

Cisco Systems - page 1014