Chapter 33 Configuring Certificates

Local Certificate Authority

Note: The local CA provides a certificate authority on the adaptive security appliance for use with SSL VPN connections, both browser- and client-based.

User enrollment is by browser webpage login. The Local CA integrates basic certificate authority functionality on the security appliance, deploys certificates, and provides secure revocation checking of issued certificates.

The following Local CA options allow you to initialize and set up the Local CA server and user database:

- Configure the Local CA Server on the security appliance. See Configuring the Local CA Server.

- Revoke/Unrevoke Local CA Certificates and update the CRL. See Manage User Certificates.

- Add, edit, and delete Local CA users. See Manage User Database.

Default Local CA Server

The Local CA window displays the parameters to be configured for setting up a Local CA Server on the security appliance. The default characteristics of the initial Local CA server are listed in the following table:

Configurable Parameters | Defaults
Enable/Disable buttons activate or deactivate the Local CA server. | Default is disabled. Select Enable to activate the Local CA server.
The Enable passphrase secures the Local CA server from unauthorized or accidental shutdown. | Required - No default. Supply a word with a minimum of seven alphanumeric characters.
Certificate Issuer’s Name | cn=hostname.domainname
Issued certificate key-pair size | 1024 bits per key
Local CA Certificate key-pair size | 1024 bits per key
Length of time the server certificate is valid | Server Certificate = 3 yrs.
Length of time an issued user certificate is valid | User Certificate = 1 yr.
Simple Mail Transfer Protocol (SMTP) Server IP Address for Local CA e-mail | Required - No default. You supply the SMTP mail server IP address.
From-e-mail address that issues Local CA user certificate e-mail notices | Required - No default. Supply an e-mail address in adminname@host.com format.
Subject line in Local CA e-mail notices | “Certificate Enrollment Invitation”

More Options | More Defaults
Certificate Revocation List (CRL) Distribution Point (CDP), the location of the CRL on the Local CA security appliance | Specify the location of the CRL on the Local CA security appliance, http://hostname.domain/+CSCOCA+/asa_ca.crl
Length of time the CRL is valid | CRL = 6 hrs.
Database Storage Location | On-board flash memory
Subject-name DN default to append to a username on issued certificates | Optional - No default. Supply a subject-name default value.
Post-enrollment/renewal period for retrieving an issued certificate PKCS12 file | 24 hours
Length of time a one-time password is valid | 72 hrs. (three days)
Days before expiration reminders are sent | 14 days prior to certificate expiration.
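The table above describes the Local CA parameters as they appear in the ASDM window. The CLI equivalent, shown below as an added example that is not part of this guide, sets every parameter in the table from `crypto ca server` configuration mode. The hostname, domain, addresses and organisation values are assumed; the lifetimes, CRL validity, enrollment-retrieval window, OTP expiration and reminder period are the table's own defaults, and the key sizes are raised from the 1024-bit default, which is below the minimum that current guidance considers acceptable for RSA.

```text
! Added example, not from the guide. asa1, example.com, 192.0.2.25 and
! "Example Corp" are assumed values; everything else mirrors the table above.
hostname asa1
domain-name example.com

! SMTP server for enrollment e-mail: required, no default (global command)
smtp-server 192.0.2.25

crypto ca server
 ! Issuer name: the default is cn=asa1.example.com; stated explicitly here
 issuer-name CN=asa1.example.com,O=Example Corp
 ! Key sizes: the default is 1024 bits for both issued and CA certificates;
 ! 2048 is the sensible floor. Key size cannot be changed once the server
 ! has been enabled, so set it before "no shutdown".
 keysize 2048
 keysize server 2048
 ! Lifetimes: CA certificate 3 years, user certificate 1 year (both in
 ! days), CRL 6 hours (in hours), matching the table defaults
 lifetime ca-certificate 1095
 lifetime certificate 365
 lifetime crl 6
 ! CRL distribution point: the default location from the table
 cdp-url http://asa1.example.com/+CSCOCA+/asa_ca.crl
 ! Database storage is left at its default, on-board flash memory
 ! Optional DN appended to each username on issued certificates
 subject-name-default O=Example Corp,C=US
 ! Enrollment windows: PKCS12 retrieval 24 h, one-time password 72 h,
 ! expiration reminder 14 days before the certificate expires
 enrollment-retrieval 24
 otp expiration 72
 renewal-reminder 14
 ! E-mail notices: from-address has no default, subject line does
 smtp from-address ca-admin@example.com
 smtp subject "Certificate Enrollment Invitation"
 ! Enable the server; the appliance prompts for the passphrase (at least
 ! seven alphanumeric characters), which is required again to shut it down
 no shutdown
```

Because the table lists the passphrase, SMTP server address and from-address as required with no default, the server will not come up until all three are supplied; check the result with `show crypto ca server` and confirm the CRL is reachable at the configured CDP before handing out the first one-time password, since a client that cannot fetch the CRL will fail revocation checking on otherwise valid certificates.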

 

Cisco Security Appliance Command Line Configuration Guide
OL-16647-01
33-13