Customizing the Local CA Server - Cisco PIX 500 Series Configuration Manual

Chapter 39
Configuring Certificates
The Local CA

Enabling the Local CA

Local CA Server Characteristic | Default Value | CLI Configuration Command(s)
--- | --- | ---
Subject line in Local CA e-mail notices | "Certificate Enrollment Invitation" | smtp subject
* subject-name DN default to append to a username on issued certificates | Optional. No default. Supply a subject-name default value. | subject-name-default
Days before expiration reminders are sent | 14 days prior to expiration | renewal-reminder
Post-enrollment/renewal period an issued certificate file is available for re-use | 24 hours | enrollment-retrieval

*Indicates values without defaults that you must configure.

Once the crypto ca server command executes, the Local CA is generated. A self-signed certificate is created and associated with that Local CA on the security appliance when you execute the no shutdown command. The self-signed certificate key usage extension has key encryption, key signature, CRL signing, and certificate signing ability.

You can debug the configured default Local CA server with the debug crypto ca server command, which displays debug messages during configuration and test. This command is detailed further on in the section,

Note: Once the self-signed Local CA certificate is generated, to modify its characteristics you must delete the existing Local CA server and completely recreate it.

Customizing the Local CA Server

This section describes configuring and enabling the Local CA server. Enabling it for the first time generates the server certificate and keypair, which automatically produces a CA. To begin configuring the Local CA server you must be in config-ca-server mode.

Once you execute the crypto ca server command to enter config-ca-server mode, you can begin to configure the various parameters of the Local CA server on the security appliance. Typically, to configure a customized Local CA server on a security appliance, you would perform the following steps:

Step 1  Enter the crypto ca server command to access the Local CA Server Configuration mode CLI command set, which allows you to configure and manage a Local CA. An example follows:

    hostname(config)# crypto ca server
    hostname(config-ca-server)#

Step 2  As with the default Local CA server, you must specify the parameters that do not have defaults, specifically the issuer-name command. An example follows:

    hostname(config-ca-server)# issuer-name CN=xx5520,CN=30.132.0.25,ou=DevTest,ou=QA,O=ASC Systems
    hostname(config-ca-server)#

Step 3  To customize the text that appears in the subject field of all e-mails sent from the Local CA server, use the smtp subject subject-line command as follows:

    hostname(config-ca-server)# smtp subject Priority E-Mail: Enclosed Confidential Information is Required for Enrollment
    hostname(config-ca-server)#

Cisco Security Appliance Command Line Configuration Guide
OL-12172-03
39-19
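The three steps above, together with the defaults table, describe a small set of config-ca-server commands of which only issuer-name has no default. The following Python audit script is an added example and is not Cisco code or output from the appliance: it reads a saved crypto ca server block (a constructed sample modelled on the session above), parses the issuer-name DN into its RDNs, fills in the documented defaults for smtp subject, subject-name-default, renewal-reminder and enrollment-retrieval where the command is absent, flags a missing issuer-name, and records whether no shutdown has been issued. The function names parse_dn, parse_ca_server_block and audit are the example's own. It assumes, since the page does not show their arguments, that renewal-reminder takes a number of days and enrollment-retrieval a number of hours, matching the units of their table defaults.

```python
"""Audit a Cisco Local CA 'crypto ca server' configuration block.

Added example, not Cisco code or output. It parses the config-ca-server
commands named on this page from a saved configuration, applies the table
defaults where a command is absent, and flags the one value with no default
(issuer-name) that must be configured before 'no shutdown' generates the CA.

Assumed, not confirmed by the page: renewal-reminder takes a number of days and
enrollment-retrieval a number of hours, matching the units of their defaults.
"""
import re

# Defaults taken from the table on this page.
DEFAULTS = {
    "smtp subject": "Certificate Enrollment Invitation",
    "subject-name-default": None,   # optional, no default
    "renewal-reminder": 14,         # days prior to expiration
    "enrollment-retrieval": 24,     # hours a certificate file stays retrievable
}
REQUIRED = ("issuer-name",)         # no default; must be configured

# Constructed sample modelled on the Step 1 to Step 3 session above.
SAMPLE_CONFIG = """\
crypto ca server
 issuer-name CN=xx5520,CN=30.132.0.25,ou=DevTest,ou=QA,O=ASC Systems
 smtp subject Priority E-Mail: Enclosed Confidential Information is Required for Enrollment
 renewal-reminder 7
 no shutdown
"""


def parse_dn(dn):
    """Split an X.500 DN string into (ATTRIBUTE, value) pairs.

    A comma escaped with a backslash is part of the value, not an RDN
    separator; attribute types are upper-cased so 'ou' and 'OU' compare equal.
    """
    rdns = []
    for part in re.split(r"(?<!\\),", dn):
        attr, sep, value = part.partition("=")
        if not sep:
            raise ValueError("malformed RDN: %r" % part)
        rdns.append((attr.strip().upper(), value.strip().replace("\\,", ",")))
    return rdns


def parse_ca_server_block(text):
    """Return {command: argument} for the indented lines under 'crypto ca server'."""
    settings = {"enabled": False}
    in_block = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "crypto ca server":
            in_block = True
            continue
        if not in_block:
            continue
        if not raw.startswith(" "):  # an unindented line ends the sub-mode
            in_block = False
            continue
        if line == "no shutdown":    # this is what actually generates the CA
            settings["enabled"] = True
        elif line == "shutdown":
            settings["enabled"] = False
        elif line.startswith("smtp subject "):  # two-word command, free-text argument
            settings["smtp subject"] = line[len("smtp subject "):]
        else:
            cmd, _, arg = line.partition(" ")
            settings[cmd] = arg
    return settings


def audit(text):
    """Report effective characteristic values, missing required commands, and state."""
    settings = parse_ca_server_block(text)
    effective = {}
    for key, default in DEFAULTS.items():
        if key in settings:
            effective[key] = int(settings[key]) if isinstance(default, int) else settings[key]
        else:
            effective[key] = default
    if "issuer-name" in settings:
        effective["issuer-name"] = parse_dn(settings["issuer-name"])
    return {
        "effective": effective,
        "missing_required": [k for k in REQUIRED if k not in settings],
        "enabled": settings["enabled"],
    }


if __name__ == "__main__":
    report = audit(SAMPLE_CONFIG)
    for key, value in report["effective"].items():
        print("%-22s %s" % (key, value))
    print("missing required:", report["missing_required"] or "none")
    print("enabled:", report["enabled"])
```

Run it over the crypto ca server block excerpted from a saved configuration. A report with a non-empty missing_required list is a configuration that cannot be enabled as intended, and, because the Note above says an already-generated Local CA certificate cannot be modified in place, a block that shows enabled as True is one whose characteristics can only be changed by deleting the Local CA server and recreating it.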
