Cisco Systems OL-16647-01 Network Router User Manual


33-24
Cisco ASDM User Guide
OL-16647-01
Chapter 33 Configuring Certificates
Local Certificate Authority
SMTP Server & Email Settings
To set up e-mail access for the Local CA server, you configure the Simple Mail Transfer Protocol
(SMTP) e-mail server, the e-mail address from which to send e-mails to Local CA users, and a
standard subject line for Local CA e-mails.
Server IP Address - The Server IP Address field requires the Local CA e-mail server’s IP address.
There is no default for the server IP address; you must supply the SMTP mail server IP address.
From Address - The From Address field requires an e-mail address from which to send e-mails to
Local CA users. Automatic e-mail messages carry one-time passwords to newly enrolled users and
notify users when certificates need to be renewed or updated. There is no From Address default
value; you are required to supply an e-mail address in adminname@host.com format.
Subject - The Subject field is a line of text specifying the subject line in all e-mails sent to users by
the Local CA server. If you do not specify a subject, the default inserted by the Local CA server
is “Certificate Enrollment Invitation”.
More Local CA Configuration Options
CRL Distribution Point URL
The Certificate Revocation List (CRL) Distribution Point (CDP) is the location of the CRL on the security
appliance. The default CRL DP location is http://hostname.domain/+CSCOCA+/asa_ca.crl.
Publish CRL Interface and Port:
These settings make the CRL available for HTTP download on a given interface and port. Select an
interface from the pull-down list. The optional port can be any port number in the range 1-65535;
TCP port 80 is the HTTP default port number.
The CDP URL can be configured to utilize the IP address of an interface, and the path of the CDP URL
and the file name can be configured also. (Note that you cannot rename the CRL; it always has the fixed
name, LOCAL-CA-SERVER.crl.)
For example, the CDP URL could be configured to be:
http://10.10.10.100/user8/my_crl_file
In this case only the interface with that IP address works, and, when the request comes in, the security
appliance matches the path /user8/my_crl_file to the configured CDP URL. When the path matches, the
security appliance returns the CRL file stored in storage. Note that the protocol must be http, so the
prefix is http://.
CRL Lifetime
The Certificate Revocation List (CRL) Lifetime field specifies the length of time in hours that the CRL
is valid. The default for the CA Certificate is six hours.
The Local CA updates and reissues the CRL every time a user certificate is revoked or unrevoked, but if
there are no revocation changes, the CRL is reissued once every CRL lifetime. You can force an
immediate CRL update and list regeneration with the CRL Issue button on the Manage CA Certificates
panel.
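The CDP URL rules and the CRL lifetime described above, applied as a pre-deployment check. This is an added example written for this page, not code from the Cisco guide or the ASA; the interface address list, the check_cdp_url and crl_is_current names, and the sample URLs are assumptions.

```python
"""Sanity checks for ASA Local CA CRL Distribution Point settings (added example).

Applies the constraints the guide states: the CDP URL must use http://, the
publish port lies in 1-65535 (HTTP default 80), the appliance answers only on
the interface whose address is in the URL, and a CRL is reissued at least once
per CRL lifetime (default six hours).
"""
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address
from urllib.parse import urlparse

DEFAULT_LIFETIME_HOURS = 6  # default CRL lifetime from the guide


def check_cdp_url(url, interface_ips):
    """Return a list of problems with a candidate CDP URL; empty means acceptable.

    interface_ips: assumed list of addresses of interfaces the CRL is published on.
    """
    problems = []
    parsed = urlparse(url)
    if parsed.scheme != "http":
        problems.append(f"scheme must be http, got {parsed.scheme!r}")
    try:
        port = parsed.port  # ValueError when non-numeric or above 65535
    except ValueError:
        problems.append("port is not a valid port number")
        port = None
    if port is not None and not 1 <= port <= 65535:
        problems.append(f"port {port} outside 1-65535")
    host = parsed.hostname or ""
    try:
        if ip_address(host) not in {ip_address(i) for i in interface_ips}:
            problems.append(f"{host} is not a published interface address")
    except ValueError:
        pass  # a DNS name such as hostname.domain is left to the client's resolver
    if not parsed.path:
        problems.append("path is empty; the appliance matches the request path")
    return problems


def crl_is_current(this_update, now, lifetime_hours=DEFAULT_LIFETIME_HOURS):
    """True while a CRL issued at this_update is still within its lifetime."""
    return now < this_update + timedelta(hours=lifetime_hours)


if __name__ == "__main__":
    print(check_cdp_url("http://10.10.10.100/user8/my_crl_file", ["10.10.10.100"]))
    issued = datetime(2024, 1, 1, tzinfo=timezone.utc)
    print(crl_is_current(issued, issued + timedelta(hours=7)))
```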
Database Storage Location
The Database Storage Location field specifies a storage area for the Local CA configuration
and data files. The security appliance stores and accesses user information, issued certificates,
revocation lists, and so forth in a Local CA database.