Chapter 33 Configuring Certificates

Local Certificate Authority

CA Server Key Size

The CA Key Size parameter is the size of the key used for the server certificate generated for the Local CA server. Key size can be 512, 768, 1024, or 2048 bits per key. The default size is 1024 bits per key.

Client Key Size

The Key Size field specifies the size of the key pair to be generated for each user certificate issued by the Local CA server. Key size can be 512, 768, 1024, or 2048 bits per key. The default size is 1024 bits per key.

CA Certificate Lifetime

The CA Certificate Lifetime field specifies the length of time in days that the CA server certificate is valid. The default for the CA Certificate is 3650 days (10 years).

The Local CA server automatically generates a replacement CA certificate 30 days before the current CA certificate expires. The replacement can then be exported and imported onto any other device that must validate user certificates issued by the Local CA after the old certificate expires. The pre-expiration syslog message is:

%ASA-1-717049: Local CA Server certificate is due to expire in <days> days and a replacement certificate is available for export.

Note: When notified of this automatic rollover, the administrator must ensure that the new Local CA certificate is imported to all necessary devices before the old certificate expires.

Client Certificate Lifetime

The Client Certificate Lifetime field specifies the length of time in days that a user certificate issued by the CA server is valid. The default client certificate lifetime is 365 days (one year).
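As an added example (not from the guide), a Python check that applies the values stated on this page: it validates configured key sizes against the sizes the Local CA can generate, computes when the 30-day replacement window opens for a CA certificate of a given lifetime, and extracts the days-to-expiry value from %ASA-1-717049 syslog messages. The syslog timestamp/host prefix and the sample log lines are constructed, and the 2048-bit floor it flags is current guidance rather than a limit stated in the guide.

```python
import re
from datetime import date, timedelta

# Values stated on this page of the guide.
ALLOWED_KEY_SIZES = {512, 768, 1024, 2048}
ROLLOVER_LEAD_DAYS = 30            # replacement CA certificate appears 30 days before expiry
DEFAULT_CA_LIFETIME_DAYS = 3650

# The %ASA-1-717049 text from the page; the timestamp/host prefix in the sample
# lines below is an assumption about how a syslog collector stores them.
ROLLOVER_MSG = re.compile(
    r"%ASA-1-717049: Local CA Server certificate is due to expire in (\d+) days"
    r" and a replacement certificate is available for export"
)

def check_key_sizes(ca_key_bits, client_key_bits):
    """Flag sizes the Local CA cannot generate, and sizes under 2048 bits.
    The 2048-bit floor is current guidance (e.g. NIST SP 800-131A), not a
    limit from the guide, which still allows 512/768/1024."""
    findings = []
    for label, bits in (("CA server key", ca_key_bits), ("client key", client_key_bits)):
        if bits not in ALLOWED_KEY_SIZES:
            findings.append(f"{label}: {bits} bits is not a size the Local CA can generate")
        elif bits < 2048:
            findings.append(f"{label}: {bits} bits is below the 2048-bit minimum used today")
    return findings

def rollover_window(ca_issued_iso, ca_lifetime_days=DEFAULT_CA_LIFETIME_DAYS):
    """Return (date the replacement becomes available, expiry date) as ISO strings
    for a CA certificate issued on ca_issued_iso with the configured lifetime."""
    expiry = date.fromisoformat(ca_issued_iso) + timedelta(days=ca_lifetime_days)
    available = expiry - timedelta(days=ROLLOVER_LEAD_DAYS)
    return available.isoformat(), expiry.isoformat()

def parse_rollover_alerts(log_lines):
    """Return the days-to-expiry value from every %ASA-1-717049 message found."""
    return [int(m.group(1)) for m in map(ROLLOVER_MSG.search, log_lines) if m]

# Constructed sample syslog lines (not taken from the guide or a real device).
SAMPLE_LOG = [
    "Jan 10 03:00:01 asa-edge %ASA-6-302013: Built inbound TCP connection 12345 "
    "for outside:192.0.2.10/40001 (192.0.2.10/40001) to inside:10.0.0.5/443 (10.0.0.5/443)",
    "Jan 10 03:00:02 asa-edge %ASA-1-717049: Local CA Server certificate is due to "
    "expire in 30 days and a replacement certificate is available for export.",
]

if __name__ == "__main__":
    print(check_key_sizes(1024, 1024))
    print(rollover_window("2020-01-01"))
    print(parse_rollover_alerts(SAMPLE_LOG))
```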

SMTP Server & Email Settings

To set up e-mail access for the Local CA server, you configure the Simple Mail Transfer Protocol (SMTP) e-mail server, the e-mail address from which e-mails are sent to Local CA users, and a standard subject line for Local CA e-mails.

Server IP Address - The Server IP Address field requires the Local CA e-mail server’s IP address. There is no default for the server IP address; you must supply the SMTP mail server IP address.

From Address - The From Address field requires the e-mail address from which e-mails are sent to Local CA users. These automatic e-mails carry one-time passwords to newly enrolled users and notify users when certificates need to be renewed or updated. There is no default From Address; you must supply an e-mail address in adminname@host.com format.

Subject - The Subject field is a line of text specifying the subject line in all e-mails sent to users by the Local CA server. If you do not specify a subject, the default inserted by the Local CA server is “Certificate Enrollment Invitation”.

More Local CA Configuration Options

CRL Distribution Point URL

The Certificate Revocation List (CRL) Distribution Point (CDP) is the location of the CRL on the security appliance. The default CDP location is http://hostname.domain/+CSCOCA+/asa_ca.crl.

Cisco Security Appliance Command Line Configuration Guide
OL-16647-01
33-15