25-59
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 25 Configuring IKE and IPsec Policies
Understanding Public Key Infrastructure Policies
PKI Enrollment Dialog Box—Enrollment Parameters Tab
Use the Enrollment Parameters tab of the PKI Enrollment dialog box to define the retry settings to use
when the device contacts the CA server as well as the settings for generating the RSA key pair to
associate with the certificate.
If the PKI enrollment object represents a Microsoft CA, you can define the challenge password required
to validate the router’s identity.
Note: You do not have to define enrollment parameters in order to create or import a trustpoint in Security Manager.
Navigation Path
Go to the PKI Enrollment dialog box and click the Enrollment Parameters tab. For information on
opening the dialog box, see PKI Enrollment Dialog Box, page 25-54.
Related Topics
PKI Enrollment Dialog Box—CA Information Tab, page 25-55
PKI Enrollment Dialog Box—Certificate Subject Name Tab, page 25-61
PKI Enrollment Dialog Box—Trusted CA Hierarchy Tab, page 25-62
Field Reference
Table 25-12 PKI Enrollment Dialog Box—Enrollment Parameters Tab

Element: Challenge Password
Description: The password used by the CA server to validate the identity of the device. This password is mandatory for PIX 6.3 devices, but optional for PIX/ASA 7.0+ devices and Cisco IOS routers.
You can obtain the password by contacting the CA server directly or by entering the following address in a web browser: http://URLHostName/certsrv/mscep/mscep.dll. The password is good for 60 minutes from the time you obtain it from the CA server. Therefore, it is important that you deploy the password as soon as possible after you create it.
Note: Each password is valid for a single enrollment by a single device. Therefore, we do not recommend that you assign a PKI enrollment object where this field is defined to a VPN, unless you first configure a device-level override for each device in the VPN. For more information, see Understanding Policy Object Overrides for Individual Devices, page 6-17.

Element: Retry Period
Description: The interval between certificate request attempts, in minutes. Values can be 1 to 60 minutes. The default is 1 minute.

Element: Retry Count
Description: The number of retries that should be made if no certificate is issued upon the first request. Values can be 1 to 100. The default is 10.
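As an added illustration that is not part of the Cisco guide, the following Python model checks a set of Enrollment Parameters values against the ranges and defaults in the table above, and flags a retry schedule whose last attempt would fall outside the 60-minute window the tab gives for a Microsoft CA challenge password. The `EnrollmentParameters` class and the function names are assumptions made for this example, not Security Manager APIs.

```python
from dataclasses import dataclass
from typing import List, Optional

# Limits, defaults and the challenge-password lifetime as described on the
# Enrollment Parameters tab.
RETRY_PERIOD_RANGE = (1, 60)       # minutes between certificate requests
RETRY_COUNT_RANGE = (1, 100)       # retries after the first request
DEFAULT_RETRY_PERIOD = 1
DEFAULT_RETRY_COUNT = 10
CHALLENGE_PASSWORD_TTL_MINUTES = 60


@dataclass
class EnrollmentParameters:
    """Hypothetical model of the values an operator enters on the tab."""
    retry_period: int = DEFAULT_RETRY_PERIOD
    retry_count: int = DEFAULT_RETRY_COUNT
    # None means the enrollment object defines no challenge password
    # (the field is optional for PIX/ASA 7.0+ and IOS routers).
    challenge_password: Optional[str] = None


def validate(params: EnrollmentParameters) -> List[str]:
    """Return range violations; an empty list means the values are acceptable."""
    problems = []
    lo, hi = RETRY_PERIOD_RANGE
    if not lo <= params.retry_period <= hi:
        problems.append(f"retry period {params.retry_period} outside {lo}-{hi} minutes")
    lo, hi = RETRY_COUNT_RANGE
    if not lo <= params.retry_count <= hi:
        problems.append(f"retry count {params.retry_count} outside {lo}-{hi}")
    return problems


def attempt_offsets(params: EnrollmentParameters) -> List[int]:
    """Minutes after deployment at which the first request and each retry go out."""
    return [i * params.retry_period for i in range(params.retry_count + 1)]


def password_covers_schedule(params: EnrollmentParameters, deploy_delay_minutes: int) -> bool:
    """Conservative check: is the last scheduled attempt still inside the 60-minute
    password window? deploy_delay_minutes is the time between obtaining the
    password from the CA and deploying the enrollment object to the device."""
    if params.challenge_password is None:
        return True                      # nothing to expire
    last_attempt = deploy_delay_minutes + attempt_offsets(params)[-1]
    return last_attempt <= CHALLENGE_PASSWORD_TTL_MINUTES
```

With the defaults (1-minute period, 10 retries) the schedule spans 10 minutes, so the password remains within its window only if the object is deployed within 50 minutes of obtaining it; a 60-minute period with two retries can never fit.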