Cisco ASDM User Guide
OL-16647-01
Chapter 33 Configuring Certificates
Local Certificate Authority
Note The Local CA provides a certificate authority on the adaptive security appliance for use with SSL VPN connections, both browser- and client-based.
Users enroll by logging in to a browser webpage. The Local CA integrates basic certificate authority functionality on the security appliance, deploys certificates, and provides secure revocation checking of issued certificates.
The following Local CA options allow you to initialize and set up the Local CA server and user database:
Configure the Local CA Server on the security appliance. See Configuring the Local CA Server.
Revoke/unrevoke Local CA certificates and update the CRL. See Manage User Certificates.
Add, edit, and delete Local CA users. See Manage User Database.
Default Local CA Server
The Local CA window displays the parameters to be configured for setting up a Local CA Server on the security appliance. The default characteristics of the initial Local CA server are listed below, as Configurable Parameter: Default.

Enable/Disable buttons (activate or deactivate the Local CA server): Disabled. Select Enable to activate the Local CA server.
Enable passphrase (secures the Local CA server from unauthorized or accidental shutdown): Required, no default. Supply a word with a minimum of seven alphanumeric characters.
Certificate Issuer's Name: cn=hostname.domainname
Issued certificate key-pair size: 1024 bits per key
Local CA certificate key-pair size: 1024 bits per key
Length of time the server certificate is valid: Server Certificate = 3 yrs.
Length of time an issued user certificate is valid: User Certificate = 1 yr.
Simple Mail Transfer Protocol (SMTP) server IP address for Local CA e-mail: Required, no default. Supply the SMTP mail server IP address.
From e-mail address that issues Local CA user certificate e-mail notices: Required, no default. Supply an e-mail address in adminname@host.com format.
Subject line in Local CA e-mail notices: "Certificate Enrollment Invitation"

Note Both 1024-bit key-pair defaults are below the 2048-bit minimum that current RSA key-length guidance requires. Raise both key sizes when you configure a new Local CA server; the defaults shown here are what the initial window presents, not a recommended setting.

More Options (More Option: Default)
Certificate Revocation List (CRL) Distribution Point (CDP), the location of the CRL on the Local CA security appliance: http://hostname.domain/+CSCOCA+/asa_ca.crl
Length of time the CRL is valid: CRL = 6 hrs.
Database storage location: On-board flash memory
Subject-name DN default appended to a username on issued certificates: Optional, no default. Supply a subject-name default value.
Post-enrollment/renewal period for retrieving an issued certificate PKCS12 file: 24 hours
Length of time a one-time password is valid: 72 hrs. (three days)
Days before expiration that reminder notices are sent: 14 days prior to certificate expiration.
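The parameter table above lists the initial defaults but not what a reviewer should do with them. The following script is an added example, not part of the Cisco guide: it parses a Local CA configuration block, flags key sizes below 2048 bits, and converts the day-based lifetimes into concrete expiry and reminder dates. The sample configuration is constructed to mirror the defaults in the table; the CLI keywords used in it (crypto ca server, keysize, keysize server, lifetime, cdp-url, otp expiration, enrollment-retrieval) are assumed to be the CLI counterparts of the ASDM fields and are not taken from this page.

```python
"""Audit a Local CA server block against the defaults in the table above.

Added example, not from the Cisco guide. The CLI keywords in SAMPLE_CONFIG
are assumed counterparts of the ASDM fields described on this page.
"""
from datetime import datetime, timedelta, timezone

MIN_RSA_BITS = 2048  # current minimum RSA modulus size for new CAs

# Constructed sample: the table's defaults expressed as a config block.
SAMPLE_CONFIG = """\
crypto ca server
 issuer-name CN=asa.example.com
 keysize 1024
 keysize server 1024
 lifetime ca-certificate 1095
 lifetime certificate 365
 lifetime crl 6
 cdp-url http://asa.example.com/+CSCOCA+/asa_ca.crl
 otp expiration 72
 enrollment-retrieval 24
 smtp from-address ca-admin@example.com
 no shutdown
"""

# Same block with the key sizes raised to the recommended minimum.
HARDENED_CONFIG = SAMPLE_CONFIG.replace("keysize 1024", "keysize 2048") \
                               .replace("keysize server 1024", "keysize server 2048")


def parse_local_ca(config: str) -> dict:
    """Return the settings inside 'crypto ca server' as a flat dict."""
    settings = {}
    in_block = False
    for line in config.splitlines():
        if line.strip() == "crypto ca server":
            in_block = True
            continue
        if in_block and line and not line.startswith(" "):
            break  # indented block ended
        if not in_block or not line.strip():
            continue
        tok = line.split()
        if tok[0] == "keysize" and tok[1] == "server":
            settings["keysize_server"] = int(tok[2])
        elif tok[0] == "keysize":
            settings["keysize"] = int(tok[1])
        elif tok[0] == "lifetime":          # lifetime <ca-certificate|certificate|crl> N
            settings["lifetime_" + tok[1].replace("-", "_")] = int(tok[2])
        elif tok[0] == "otp" and tok[1] == "expiration":
            settings["otp_expiration_hours"] = int(tok[2])
        elif tok[0] == "enrollment-retrieval":
            settings["enrollment_retrieval_hours"] = int(tok[1])
        elif tok[0] == "cdp-url":
            settings["cdp_url"] = tok[1]
        elif tok[0] == "issuer-name":
            settings["issuer_name"] = " ".join(tok[1:])
    return settings


def audit(settings: dict) -> list:
    """Return human-readable findings; empty list means no weak key sizes."""
    findings = []
    for key, label in (("keysize", "issued-certificate key size"),
                       ("keysize_server", "Local CA certificate key size")):
        bits = settings.get(key)
        if bits is not None and bits < MIN_RSA_BITS:
            findings.append(f"{label} is {bits} bits; raise to at least {MIN_RSA_BITS}")
    return findings


def schedule(settings: dict, issued_at: datetime, reminder_days: int = 14) -> dict:
    """Turn day/hour lifetimes into absolute dates for an issuance at issued_at.

    Note the page's "1 yr" is 365 days: in a leap year the user certificate
    expires one calendar day before the anniversary of issuance.
    """
    user_expiry = issued_at + timedelta(days=settings["lifetime_certificate"])
    return {
        "server_cert_expires": issued_at + timedelta(days=settings["lifetime_ca_certificate"]),
        "user_cert_expires": user_expiry,
        "user_cert_reminder": user_expiry - timedelta(days=reminder_days),
        "next_crl_due": issued_at + timedelta(hours=settings["lifetime_crl"]),
        "otp_expires": issued_at + timedelta(hours=settings["otp_expiration_hours"]),
        "pkcs12_retrieval_ends": issued_at + timedelta(hours=settings["enrollment_retrieval_hours"]),
    }


if __name__ == "__main__":
    s = parse_local_ca(SAMPLE_CONFIG)
    for f in audit(s):
        print("FINDING:", f)
    for k, v in schedule(s, datetime(2024, 1, 1, tzinfo=timezone.utc)).items():
        print(f"{k}: {v:%Y-%m-%d %H:%M}Z")
```

Run against the defaults the script reports both 1024-bit key sizes; run against the hardened block it reports nothing, and the schedule output makes the 6-hour CRL refresh and the 24-hour PKCS12 retrieval window visible as dates rather than lifetimes.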