Cisco ASDM User Guide
Chapter 33 Configuring Certificates
Local Certificate Authority
Note Click Apply to be sure you save the Local CA certificate and key pair so the configuration is not
lost if you reboot the security appliance.
When you select the Disable button to halt the Local CA server, you shut down its operation on the
security appliance. The configuration and all associated files remain in storage. Webpage enrollment is
disabled while you change or reconfigure the Local CA.
When you enable the Local CA Server for the first time, you must provide an alphanumeric Enable
passphrase. The passphrase protects the Local CA certificate and the Local CA certificate key pair
archived in storage. The passphrase is required to unlock the PKCS12 archive if the Local CA certificate
or key pair is lost and needs to be restored.
Note There is no default for the enable passphrase; the passphrase is a required argument for enabling
the Local CA Server. Be sure to keep a record of the enable passphrase in a safe place.
Issuer Name
The Certificate Issuer Name field contains the issuer’s subject name DN, formed from the username and
the subject-name-default DN setting as cn=<FQDN>. The Local CA server is the entity granting the
certificate. The default certificate name is provided in the format: cn=hostname.domainname.
CA Server Key Size
The CA Key Size parameter is the size of the key pair used for the server certificate generated for the Local CA
server. Key size can be 512, 768, 1024, or 2048 bits per key. The default size is 1024 bits per key.
Client Key Size
The Key Size field specifies the size of the key pair to be generated for each user certificate issued by
the Local CA server. Key size can be 512, 768, 1024, or 2048 bits per key. The default size is 1024 bits
per key.
CA Certificate Lifetime
The CA Certificate Lifetime field specifies the length of time in days that the CA server certificate is
valid. The default for the CA Certificate is 3650 days (10 years).
The Local CA Server automatically generates a replacement CA certificate 30 days prior to the CA
certificate expiration, allowing the replacement certificate to be exported and imported onto any other
devices for Local CA certificate validation of user certificates issued by the Local CA certificate after
expiration. The pre-expiration Syslog message:
%ASA-1-717049: Local CA Server certificate is due to expire in <days> days and a replacement
certificate is available for export.
Note When notified of this automatic rollover, the administrator must take action to ensure the new Local CA
certificate is imported to all necessary devices prior to expiration.
Client Certificate Lifetime
The Client Certificate Lifetime field specifies the length of time in days that a user certificate issued
by the CA server is valid. The default for the CA Certificate is 365 days (one year).
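As an added illustration of the lifetimes and the pre-expiration Syslog message described above (this helper is not part of the Cisco guide): it computes the 30-day rollover date from a CA certificate's issue date and the default 3650-day lifetime, flags user certificates whose 365-day validity would outlive the current CA certificate (the case in which the exported replacement CA certificate is needed on validating devices), and picks the %ASA-1-717049 message out of a log feed. The sample log lines and their timestamp prefixes are constructed; the message text is the one quoted on the page.

```python
import re
from datetime import date, timedelta

# Defaults as documented for the Local CA server.
DEFAULT_CA_LIFETIME_DAYS = 3650       # CA certificate lifetime (10 years)
DEFAULT_CLIENT_LIFETIME_DAYS = 365    # user certificate lifetime (one year)
ROLLOVER_LEAD_DAYS = 30               # replacement CA cert generated this far ahead
ALLOWED_KEY_SIZES = (512, 768, 1024, 2048)

# Matches the pre-expiration message anywhere in a syslog line (prefix-agnostic).
SYSLOG_717049 = re.compile(
    r"%ASA-1-717049: Local CA Server certificate is due to expire in (?P<days>\d+) days?"
)


def rollover_schedule(issued, ca_lifetime_days=DEFAULT_CA_LIFETIME_DAYS):
    """Return (expiry_date, rollover_date) for a CA certificate issued on `issued`."""
    expiry = issued + timedelta(days=ca_lifetime_days)
    return expiry, expiry - timedelta(days=ROLLOVER_LEAD_DAYS)


def client_cert_outlives_ca(client_issued, ca_expiry,
                            client_lifetime_days=DEFAULT_CLIENT_LIFETIME_DAYS):
    """True if a user certificate issued on `client_issued` stays valid past `ca_expiry`.

    Such certificates can only be validated with the replacement CA certificate,
    so it must be exported and imported on the validating devices beforehand.
    """
    return client_issued + timedelta(days=client_lifetime_days) > ca_expiry


def pending_rollovers(syslog_lines):
    """Return the days-to-expiry value from every %ASA-1-717049 message in the feed."""
    found = []
    for line in syslog_lines:
        m = SYSLOG_717049.search(line)
        if m:
            found.append(int(m.group("days")))
    return found


def valid_key_size(bits):
    """True if `bits` is one of the key sizes the Local CA accepts."""
    return bits in ALLOWED_KEY_SIZES


# Constructed sample feed: two rollover notices and one unrelated message.
SAMPLE_LOG = [
    "Jan 10 2034 03:00:01 asa-edge %ASA-1-717049: Local CA Server certificate is due to expire in 30 days and a replacement certificate is available for export.",
    "Jan 10 2034 03:00:02 asa-edge %ASA-6-717028: Certificate chain was successfully validated with warning, revocation status was not checked.",
    "Feb 02 2034 03:00:01 asa-edge %ASA-1-717049: Local CA Server certificate is due to expire in 7 days and a replacement certificate is available for export.",
]
```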