Filter
Top Products
41-9
Cisco ASA 5500 Series Configuration Guide using the CLI
Chapter 41 Configuring Digital Certificates
Configuring Digital Certificates
Configuring Digital Certificates
This section describes how to configure local CA certificates. Make sure that you follow the sequence
of tasks listed to correctly configure this type of digital certificate. This section includes the following
topics:
• Configuring Key Pairs, page 41-9
• Removing Key Pairs, page 41-10
• Configuring Trustpoints, page 41-10
• Configuring CRLs for a Trustpoint, page 41-13
• Exporting a Trustpoint Configuration, page 41-15
• Importing a Trustpoint Configuration, page 41-16
• Configuring CA Certificate Map Rules, page 41-17
• Obtaining Certificates Manually, page 41-18
• Obtaining Certificates Automatically with SCEP, page 41-20
• Configuring Proxy Support for SCEP Requests, page 41-21
• Enabling the Local CA Server, page 41-22
• Configuring the Local CA Server, page 41-23
• Customizing the Local CA Server, page 41-25
• Debugging the Local CA Server, page 41-26
• Disabling the Local CA Server, page 41-26
• Deleting the Local CA Server, page 41-26
• Configuring Local CA Certificate Characteristics, page 41-27
Configuring Key Pairs
To generate key pairs, perform the following steps:
Command Purpose
Step 1
crypto key generate rsa
Example:
hostname/contexta(config)# crypto key generate rsa
Generates one, general-purpose RSA key pair. The
default key modulus is 1024. To specify other
modulus sizes, use the modulus keyword.
Note Many SSL connections using identity
certificates with RSA key pairs that exceed
1024 bits can cause high CPU usage on the
ASA and rejected clientless logins.
Step 2
crypto key generate rsa label key-pair-label
Example:
hostname/contexta(config)# crypto key generate rsa
label exchange
(Optional) Assigns a label to each key pair. The label
is referenced by the trustpoint that uses the key pair.
If you do not assign a label, the key pair is
automatically labeled, Default-RSA-Key.