Chapter 33 Configuring Certificates

Local Certificate Authority Configurable Parameters (continued)

Configurable Parameters                          Defaults
Length of time a one-time password is valid      72 hrs. (three days)

Caution: The Delete Certificate Authority Server button permanently removes the server configuration.

Configuring the Local CA Server

The CA Server window lets you customize, modify, and control Local CA server operation. This section describes the parameters that you can specify. Additional parameters are available when you click More Options; see More Local CA Configuration Options. For permanent removal of a configured Local CA, see Deleting the Local CA Server. To customize the Local CA server, first review the initial settings shown in the preceding table.

Note Issuer-name and keysize server values cannot be changed once you enable the Local CA. Be sure to review all optional parameters carefully before you enable the configured Local CA.

Enable/Disable Buttons

The Enable/Disable buttons activate or deactivate the Local CA server. Once you enable the Local CA server with the Enable button, the security appliance generates the Local CA server certificate, key pair, and necessary database files.

The key usage extension of the self-signed certificate grants key encryption, key signature, CRL signing, and certificate signing ability. The Enable button also archives the Local CA server certificate and key pair to storage in a PKCS12 file.

Note Click Apply to be sure you save the Local CA certificate and key pair so the configuration is not lost if you reboot the security appliance.

When you select the Disable button to halt the Local CA server, you shut down its operation on the security appliance. The configuration and all associated files remain in storage. Webpage enrollment is disabled while you change or reconfigure the Local CA.

Passphrase

When you enable the Local CA Server for the first time, you must provide an alphanumeric Enable passphrase. The passphrase protects the Local CA certificate and the Local CA certificate key pair archived in storage. The passphrase is required to unlock the PKCS12 archive if the Local CA certificate or key pair is lost and needs to be restored.

Note There is no default for the enable passphrase; the passphrase is a required argument for enabling the Local CA Server. Be sure to keep a record of the enable passphrase in a safe place.

Issuer Name

The Certificate Issuer Name field contains the issuer's subject name (DN), formed using the username and the subject-name-default DN setting as cn=<FQDN>. The Local CA server is the entity granting the certificate. The default certificate name is provided in the format cn=hostname.domainname.
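As an added check that is not part of this guide or of the appliance software, the following Go program (standard library only; the function names are my own) verifies that a certificate retrieved from the appliance as its Local CA certificate matches what the Enable/Disable Buttons and Issuer Name sections describe: a self-signed CA certificate carrying the four key usage bits listed above and a common name in its issuer name. The `NewTestCACert` stand-in is constructed for the example in place of a certificate exported from an appliance.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// Key usage bits the guide lists for the Local CA self-signed certificate.
const WantUsage = x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature |
	x509.KeyUsageCRLSign | x509.KeyUsageCertSign

// CheckLocalCACert verifies that a certificate presented as the Local CA certificate
// is a self-signed CA with the expected key usage bits and a common name.
func CheckLocalCACert(cert *x509.Certificate) error {
	if !cert.IsCA || !cert.BasicConstraintsValid || cert.Subject.CommonName == "" {
		return errors.New("not a CA certificate with a common name (cn=hostname.domainname)")
	}
	if err := cert.CheckSignatureFrom(cert); err != nil {
		return errors.New("certificate is not self-signed")
	}
	if WantUsage&^cert.KeyUsage != 0 {
		return errors.New("certificate lacks one or more expected key usage bits")
	}
	return nil
}

// NewTestCACert builds a constructed self-signed CA certificate (a stand-in for an exported one).
func NewTestCACert(cn string, usage x509.KeyUsage) (*x509.Certificate, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now(), NotAfter: time.Now().AddDate(3, 0, 0),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: usage,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
```

To check a real export, parse the PEM or DER certificate with x509.ParseCertificate and pass it to CheckLocalCACert; a non-nil error names the first property that does not match.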

Cisco Security Appliance Command Line Configuration Guide

33-14

OL-16647-01
