Cisco Systems OL-16647-01 Switch User Manual
33-14
Cisco Security Appliance Command Line Configuration Guide
OL-16647-01
Chapter 33 Configuring Certificates
Local Certificate Authority
Configuring the Local CA Server
The CA Server window lets you customize, modify, and control Local CA server operation. This section
describes the parameters that can be specified. Additional parameters are available when you click More
Options. See More Local CA Configuration Options. For permanent removal of a configured Local CA,
see Deleting the Local CA Server. To customize the Local CA server, first review the initial settings
shown in the preceding table.
Note Issuer-name and keysize server values cannot be changed once you enable the Local CA. Be sure to
review all optional parameters carefully before you enable the configured Local CA.
Enable/Disable Buttons
The Enable/Disable buttons activate or deactivate the Local CA server. Once you enable the Local CA
server with the Enable button, the security appliance generates the Local CA server certificate, key pair
and necessary database files.
The self-signed certificate key usage extension has key encryption, key signature, CRL signing, and
certificate signing ability. The Enable button also archives the Local CA server certificate and key pair
to storage in a PKCS12 file.
Note Click Apply to be sure you save the Local CA certificate and key pair so the configuration is not
lost if you reboot the security appliance.
When you select the Disable button to halt the Local CA server, you shut down its operation on the
security appliance. The configuration and all associated files remain in storage. Webpage enrollment is
disabled while you change or reconfigure the Local CA.
Passphrase
When you enable the Local CA Server for the first time, you must provide an alphanumeric Enable
passphrase. The passphrase protects the Local CA certificate and the Local CA certificate key pair
archived in storage. The passphrase is required to unlock the PKCS12 archive if the Local CA certificate
or key pair is lost and needs to be restored.
Note There is no default for the enable passphrase; the passphrase is a required argument for enabling
the Local CA Server. Be sure to keep a record of the enable passphrase in a safe place.
Issuer Name
The Certificate Issuer Name field contains the issuer’s subject name DN, formed using the username and
the subject-name-default DN setting as cn=<FQDN>. The Local CA server is the entity granting the
certificate. The default certificate name is provided in the format: cn=hostname.domainname.
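The following is an added example, not part of the Cisco guide and not the security appliance's own commands. It uses OpenSSL to reproduce what the Enable button, the Enable passphrase, and the Issuer Name passages above describe: a self-signed CA certificate whose key usage extension carries the digital signature, key encipherment, certificate signing, and CRL signing bits, issued under cn=hostname.domainname, and archived together with its key pair in a PKCS12 file that only the passphrase unlocks. The hostname asa-lab.example.com and the passphrase are constructed values; the helper functions (make_local_ca, ca_key_usage, ca_issuer, p12_opens_with) are this example's own, so a practitioner can check an exported Local CA archive for the same properties.

```shell
#!/bin/sh
# Added example, not from the Cisco guide: reproduce with OpenSSL what the
# Enable button does (self-signed CA certificate whose key usage allows
# digital signature, key encipherment, certificate signing and CRL signing,
# archived with its key pair in a passphrase-protected PKCS12 file) and
# provide checks that can be run against the result.
# CA_CN and PASSPHRASE are constructed values for this example.
set -e

WORKDIR=$(mktemp -d)
CA_CN="asa-lab.example.com"             # assumed cn=hostname.domainname
PASSPHRASE="example-enable-passphrase"  # constructed; use a real secret in practice

make_local_ca() {
  # Extensions go in a config file so this also works on older OpenSSL builds
  cat > "$WORKDIR/ca.cnf" <<EOF
[ req ]
prompt = no
distinguished_name = dn
x509_extensions = ca_ext
[ dn ]
CN = $CA_CN
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, digitalSignature, keyEncipherment, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  # Key pair plus self-signed certificate; the key size is fixed once enabled
  openssl req -x509 -newkey rsa:2048 -nodes -days 1095 \
    -config "$WORKDIR/ca.cnf" \
    -keyout "$WORKDIR/ca.key" -out "$WORKDIR/ca.crt" 2>/dev/null
  # Archive certificate and key pair as PKCS12, locked with the enable passphrase
  openssl pkcs12 -export -in "$WORKDIR/ca.crt" -inkey "$WORKDIR/ca.key" \
    -out "$WORKDIR/ca.p12" -passout "pass:$PASSPHRASE"
}

# Key usage bits of the CA certificate, as OpenSSL prints them
ca_key_usage() {
  openssl x509 -in "$WORKDIR/ca.crt" -noout -text \
    | grep -A1 'X509v3 Key Usage' | tail -n 1 | sed 's/^ *//'
}

# Issuer DN in RFC 2253 form, e.g. "issuer=CN=asa-lab.example.com"
ca_issuer() {
  openssl x509 -in "$WORKDIR/ca.crt" -noout -issuer -nameopt RFC2253
}

# Succeeds only if the archive unlocks with the given passphrase
p12_opens_with() {
  openssl pkcs12 -in "$WORKDIR/ca.p12" -nokeys -passin "pass:$1" >/dev/null 2>&1
}

make_local_ca
echo "issuer:    $(ca_issuer)"
echo "key usage: $(ca_key_usage)"
if p12_opens_with "$PASSPHRASE"; then echo "archive unlocks with the enable passphrase"; fi
if ! p12_opens_with "not-the-passphrase"; then echo "archive refuses a wrong passphrase"; fi
```

The last two checks are the ones that matter operationally: the PKCS12 archive is only as recoverable as the passphrase, which is why the note above insists on recording it, and a certificate whose key usage lacks the certificate-signing or CRL-signing bits could not act as the issuing CA at all.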
Configurable Parameters                          Defaults
Length of time a one-time password is valid      72 hrs. (three days)

Caution: The Delete Certificate Authority Server button permanently removes the server configuration.