Cisco ASA 5505 Configuration Manual page 751
Chapter 35
Configuring Digital Certificates
Step 3    Click Apply to save the local CA certificate and key pair, so the configuration is not lost if you reboot the adaptive security appliance.

Step 4    To change or reconfigure the local CA after the local CA has been configured for the first time, you must shut down the local CA server on the adaptive security appliance by clicking the Disable radio button. In this state, the configuration and all associated files remain in storage and enrollment is disabled.

After the configured local CA has been enabled, the following two settings are display-only:

•    The Issuer Name field, which lists the issuer subject name and domain name, and is formed using the username and the subject-name-default DN setting as cn=FQDN. The local CA server is the entity that grants the certificate. The default certificate name is provided in the format cn=hostname.domainname.

•    The CA Server Key Size setting, which is used for the server certificate generated for the local CA server. Key sizes can be 512, 768, 1024, or 2048 bits per key. The default is 1024 bits per key.

Step 5    From the drop-down list, choose the client key size of the key pair to be generated for each user certificate issued by the local CA server. Key sizes can be 512, 768, 1024, or 2048 bits per key. The default is 1024 bits per key.
Step 6    Enter the CA certificate lifetime value, which specifies the number of days that the CA server certificate is valid. The default is 3650 days (10 years). Make sure that you limit the validity period of the certificate to less than the recommended end date of 03:14:08 UTC, January 19, 2038.

The local CA server automatically generates a replacement CA certificate 30 days before expiration, which enables the replacement certificate to be exported and imported onto any other devices for local CA certificate validation of user certificates that have been issued by the local CA after they have expired.

To notify users of the upcoming expiration, the following syslog message appears in the Latest ASDM Syslog Messages pane:

%ASA-1-717049: Local CA Server certificate is due to expire in days days and a replacement certificate is available for export.

Note    When notified of this automatic rollover, the administrator must take action to make sure that the new local CA certificate is imported to all necessary devices before it expires.

Step 7    Enter the client certificate lifetime value, which specifies the number of days that a user certificate issued by the CA server is valid. The default is 365 days (one year). Make sure that you limit the validity period of the certificate to less than the recommended end date of 03:14:08 UTC, January 19, 2038.

In the SMTP Server & Email Settings area, you set up e-mail access for the local CA server by specifying the following settings:

a.    Enter the SMTP mail server name or IP address. Alternatively, click the ellipses (...) to display the Browse Server Name/IP Address dialog box, where you can choose the server name or IP address. Click OK when you are done to close the Browse Server Name/IP Address dialog box.

b.    Enter the from address, from which to send e-mail messages to local CA users, in adminname@host.com format. Automatic e-mail messages carry one-time passwords to newly enrolled users and issue e-mail messages when certificates need to be renewed or updated.

c.    Enter the subject, which specifies the subject line in all messages that are sent to users by the local CA server. If you do not specify a subject, the default is "Certificate Enrollment Invitation."

Step 8    To configure additional options, click the More Options drop-down arrow.

Step 9    Enter the CRL distribution point, which is the CRL location on the adaptive security appliance. The default location is http://hostname.domain/+CSCOCA+/asa_ca.crl.

Cisco ASA 5500 Series Configuration Guide using ASDM    OL-20339-01    Authenticating Using the Local CA    35-23
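The key-size and lifetime choices in Steps 5 to 7 are easy to get wrong when the defaults (1024-bit keys, a 3650-day CA certificate) are accepted without checking them against the 2038 end date and the 30-day automatic rollover. The following Python script is an added example, not part of the Cisco manual: it projects the CA expiry and rollover date for a planned configuration, flags key sizes below a local 2048-bit policy (an assumption of this example, not a Cisco requirement), and parses the %ASA-1-717049 message from Step 6 out of sample syslog lines so the rollover can be alerted on rather than noticed by chance. The sample log lines are constructed for illustration.

```python
# Added example (not from the Cisco manual): a planning check for the local CA
# settings in Steps 5 to 7 and a parser for the %ASA-1-717049 expiry message.
# The 2048-bit policy and the sample log lines are assumptions / constructed.
import re
from datetime import datetime, timedelta, timezone

# Key sizes the local CA offers for the server and client key pairs (manual, Steps 4 and 5).
ALLOWED_KEY_SIZES = (512, 768, 1024, 2048)
# Assumption: our own deployment policy, not a Cisco requirement.
MIN_RECOMMENDED_KEY_SIZE = 2048

# Recommended end date for any certificate validity (manual, Steps 6 and 7).
END_DATE_2038 = datetime(2038, 1, 19, 3, 14, 8, tzinfo=timezone.utc)
# The local CA generates a replacement CA certificate this many days before expiry (Step 6).
ROLLOVER_DAYS = 30


def check_local_ca_plan(ca_lifetime_days=3650, client_lifetime_days=365,
                        server_key_size=1024, client_key_size=1024, now=None):
    """Evaluate planned local CA settings before clicking Apply.

    Defaults mirror the manual's defaults. `now` may be a timezone-aware datetime
    or an ISO-8601 string with an offset; None means the current UTC time.
    Returns the projected CA expiry, the date the rollover certificate should
    appear, and a list of findings (empty when the plan is acceptable).
    """
    if now is None:
        now = datetime.now(timezone.utc)
    elif isinstance(now, str):
        now = datetime.fromisoformat(now)
    findings = []

    for name, size in (("server", server_key_size), ("client", client_key_size)):
        if size not in ALLOWED_KEY_SIZES:
            findings.append(f"{name} key size {size} is not one of {ALLOWED_KEY_SIZES}")
        elif size < MIN_RECOMMENDED_KEY_SIZE:
            findings.append(f"{name} key size {size} is below {MIN_RECOMMENDED_KEY_SIZE} bits")

    ca_expiry = now + timedelta(days=ca_lifetime_days)
    if ca_expiry >= END_DATE_2038:
        findings.append(f"CA certificate would expire {ca_expiry:%Y-%m-%d}, past the 2038 limit")

    # Conservative check (assumption of this example): a user certificate issued
    # on the CA's last valid day must itself still expire before the 2038 limit.
    latest_client_expiry = ca_expiry + timedelta(days=client_lifetime_days)
    if latest_client_expiry >= END_DATE_2038:
        findings.append(f"a client certificate issued late in the CA lifetime could expire "
                        f"{latest_client_expiry:%Y-%m-%d}, past the 2038 limit")

    return {
        "ca_expiry": ca_expiry,
        "rollover_date": ca_expiry - timedelta(days=ROLLOVER_DAYS),
        "findings": findings,
    }


# Matches the expiry warning from Step 6; the manual writes the count as "days days".
EXPIRY_WARNING = re.compile(
    r"%ASA-1-717049: Local CA Server certificate is due to expire in (?P<days>\d+) days"
)


def find_ca_expiry_alerts(log_lines):
    """Return (line_number, days_left) for every 717049 message in the lines."""
    alerts = []
    for lineno, line in enumerate(log_lines, start=1):
        match = EXPIRY_WARNING.search(line)
        if match:
            alerts.append((lineno, int(match.group("days"))))
    return alerts


# Constructed sample syslog output (not a real capture); the first line is
# unrelated connection-logging noise in the same %ASA-severity-id format.
SAMPLE_LOG = [
    "%ASA-6-302013: Built inbound TCP connection 1234 for outside:192.0.2.10/51234 "
    "(192.0.2.10/51234) to inside:10.0.0.5/443 (10.0.0.5/443)",
    "%ASA-1-717049: Local CA Server certificate is due to expire in 30 days and a "
    "replacement certificate is available for export.",
    "%ASA-1-717049: Local CA Server certificate is due to expire in 7 days and a "
    "replacement certificate is available for export.",
]

if __name__ == "__main__":
    plan = check_local_ca_plan(server_key_size=2048, client_key_size=2048)
    print("CA expires", plan["ca_expiry"].date(), "rollover cert expected", plan["rollover_date"].date())
    for finding in plan["findings"]:
        print("finding:", finding)
    for lineno, days in find_ca_expiry_alerts(SAMPLE_LOG):
        print(f"line {lineno}: local CA certificate expires in {days} days; export the replacement")
```

Running the script with the manual's defaults produces two findings (both key pairs at 1024 bits); with 2048-bit keys and the default lifetimes it reports a clean plan and the date on which the replacement CA certificate should be exported and pushed to the other devices, which is the action the Note in Step 6 asks the administrator to take.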