44-25
Cisco ASA 5500 Series Configuration Guide using ASDM
Chapter 44 Configuring Digital Certificates
Authenticating Using the Local CA
Step 8 Enter the client certificate lifetime value, which specifies the number of days that a user certificate issued
by the CA server is valid. The default is 365 days (one year). Make sure that you limit the validity period
of the certificate to less than the recommended end date of 03:14:08 UTC, January 19, 2038.
In the SMTP Server & Email Settings area, you set up e-mail access for the local CA server by specifying
the following settings:
a. Enter the SMTP mail server name or IP address. Alternatively, click the ellipses (...) to display the
Browse Server Name/IP Address dialog box, where you can choose the server name or IP address.
Click OK when you are done to close the Browse Server Name/IP Address dialog box.
b. Enter the from address, from which to send e-mail messages to local CA users, in the format
“adminname@hostname.com.” Automatic e-mail messages carry one-time passwords to newly
enrolled users and issue e-mail messages when certificates need to be renewed or updated.
c. Enter the subject, which specifies the subject line in all messages that are sent to users by the local
CA server. If you do not specify a subject, the default is “Certificate Enrollment Invitation.”
Step 9 To configure additional options, click the More Options drop-down arrow.
Step 10 Enter the CRL distribution point, which is the CRL location on the ASA. The default location is
http://hostname.domain/+CSCOCA+/asa_ca.crl.
Step 11 To make the CRL available for HTTP download on a given interface and port, choose a publish-CRL
interface from the drop-down list. Then enter the port number, which can be any port number from
1-65535. The default port number is TCP port 80.
Note You cannot rename the CRL; it always has the name, LOCAL-CA-SERVER.crl.
For example, enter the URL, http://10.10.10.100/user8/my_crl_file.
In this case, only the interface with
the specified IP address works and when the request comes in, the ASA matches the path,
/user8/my_crl_file to the configured URL. When the path matches, the ASA returns the stored CRL file.
Step 12 Enter the CRL lifetime in hours that the CRL is valid. The default for the CA certificate is six hours.
The local CA updates and reissues the CRL each time that a user certificate is revoked or unrevoked, but
if no revocation changes occur, the CRL is reissued once every CRL lifetime. You can force an
immediate CRL update and regeneration by clicking Request CRL in the CA Certificates pane.
Step 13 Enter the database storage location to specify a storage area for the local CA configuration and data files.
The ASA accesses and implements user information, issued certificates, and revocation lists using a
local CA database. Alternatively, to specify an external file, enter the path name to the external file or
click Browse to display the Database Storage Location dialog box.
Step 14 Choose the storage location from the list of folders that appears, and click OK.
Note Flash memory can store a database with 3500 users or less; a database of more than 3500 users
requires external storage.
Step 15 Enter a default subject (DN string) to append to a username on issued certificates. The permitted DN
attributes are provided in the following list:
• CN (Common Name)
• SN (Surname)
• O (Organization Name)
• L (Locality)