44-11
Cisco ASA 5500 Series Configuration Guide using ASDM
Chapter 44 Configuring Digital Certificates
Configuring CA Certificate Authentication
Step 1 In the main ASDM application window, choose Configuration > Remote Access VPN > Certificate
Management > CA Certificates.
Step 2 Click Add.
The Install Certificate dialog box appears. The selected trustpoint name appears in read-only format.
Step 3 To add a certificate configuration from an existing file, click the Install from a file radio button (this is
the default setting).
Step 4 Enter the path and file name, or click Browse to search for the file. Then click Install Certificate.
Step 5 The Certificate Installation dialog box appears with a confirmation message indicating that the
certificate was successfully installed. Click OK to close this dialog box.
Step 6 To enroll manually, click the Paste certificate in PEM format radio button.
Step 7 Copy and paste the PEM format (base64 or hexadecimal) certificate into the area provided, then click
Install Certificate.
Step 8 The Certificate Installation dialog box appears with a confirmation message indicating that the
certificate was successfully installed. Click OK to close this dialog box.
Step 9 To enroll automatically, click the Use SCEP radio button. The ASA contacts the CA using SCEP, obtains
the certificates, and installs them on the device. To use SCEP, you must enroll with a CA that supports
SCEP, and you must enroll via the Internet. Automatic enrollment using SCEP requires that you provide
the following information:
• The path and file name of the certificate to be automatically installed.
• The maximum number of minutes to retry certificate installation. The default is one minute.
• The number of retries for installing a certificate. The default is zero, which indicates unlimited
retries within the retry period.
Note See Prerequisites for SCEP Proxy Support when choosing to use the SCEP method to install
certificates.
Step 10 To display additional configuration options for new and existing certificates, click More Options.
The Configuration Options for CA Certificates pane appears.
Step 11 To continue, see the “Editing or Removing a CA Certificate Configuration” section on page 44-11.
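Added example, not part of the Cisco guide: a check to run before Step 7, comparing the SHA-256 fingerprint of the PEM text with the value the CA publishes out of band and rejecting a truncated or doubled paste, because the certificate installed here becomes a trust anchor. It handles base64 PEM only; the function names are hypothetical and SAMPLE_DER is a constructed placeholder, not a real certificate.

```python
import base64, binascii, hashlib, hmac, re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

# Constructed placeholder (a 5-byte DER SEQUENCE), NOT a real certificate.
SAMPLE_DER = bytes.fromhex("3003020101")
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.b64encode(SAMPLE_DER).decode()
              + "\n-----END CERTIFICATE-----\n")

def pem_to_der(pem_text):
    """Return the DER bytes of the single certificate in pem_text, else ValueError."""
    blocks = PEM_RE.findall(pem_text)
    if len(blocks) != 1:
        raise ValueError(f"expected exactly one CERTIFICATE block, found {len(blocks)}")
    try:
        der = base64.b64decode("".join(blocks[0].split()), validate=True)
    except binascii.Error as exc:
        raise ValueError(f"corrupt base64 body: {exc}") from None
    # The outer DER SEQUENCE must declare exactly the number of bytes present;
    # a paste cut off at a line boundary still decodes but fails this check.
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("body is not a DER SEQUENCE")
    if der[1] < 0x80:                        # short-form length
        header, length = 2, der[1]
    else:                                    # long-form length
        n = der[1] & 0x7F
        if n == 0 or len(der) < 2 + n:
            raise ValueError("malformed DER length field")
        header, length = 2 + n, int.from_bytes(der[2:2 + n], "big")
    if header + length != len(der):
        raise ValueError("truncated or padded certificate (DER length mismatch)")
    return der

def normalize_fingerprint(text):
    """Drop colons, spaces and case so 'AB:CD' and 'abcd' compare equal."""
    return re.sub(r"[^0-9a-f]", "", text.lower())

def fingerprint_matches(pem_text, expected_sha256):
    """True only if SHA-256 over the DER equals the out-of-band fingerprint."""
    actual = hashlib.sha256(pem_to_der(pem_text)).hexdigest()
    return hmac.compare_digest(actual, normalize_fingerprint(expected_sha256))

if __name__ == "__main__":
    published = hashlib.sha256(SAMPLE_DER).hexdigest()  # stands in for the CA's value
    print("install" if fingerprint_matches(SAMPLE_PEM, published) else "do not install")
```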
Editing or Removing a CA Certificate Configuration
To change or remove an existing CA certificate configuration, perform the following steps:
Step 1 To change an existing CA certificate configuration, select it, and then click Edit.
The Edit Options for CA Certificates pane appears. To change any of these settings, see the following
sections for procedures:
• “Configuring CRL Retrieval Policy” section on page 44-13
• “Configuring CRL Retrieval Methods” section on page 44-13
• “Configuring OCSP Rules” section on page 44-14