Cisco PIX 500 Series Configuration Manual page 862
Certificate Configuration
Step 3 As needed, specify other characteristics for the trustpoint. The characteristics you need to define depend upon your CA and its configuration. You can specify characteristics for the trustpoint using the following commands. Refer to the Cisco Security Appliance Command Reference for complete descriptions and usage guidelines of these commands.
• accept-subordinates—Indicates whether CA certificates subordinate to the CA associated with the trustpoint are accepted if delivered during the phase one IKE exchange when not previously installed on the device.
• crl required | optional | nocheck—Specifies CRL configuration options. When you enter the crl command with the optional keyword, certificates from peers can still be accepted by your security appliance even if the CRL is not accessible to your security appliance.

Note If you chose to enable required or optional CRL checking, be sure you configure the trustpoint for CRL management, which should be completed after you have obtained certificates. For details about configuring CRL management for a trustpoint, see the "Configuring CRLs for a Trustpoint" section on page 39-13.

• crl configure—Enters CRL configuration mode.
• default enrollment—Returns all enrollment parameters to their system default values. Invocations of this command do not become part of the active configuration.
• email address—During enrollment, asks the CA to include the specified email address in the Subject Alternative Name extension of the certificate.
• enrollment retry period—(Optional) Specifies a retry period in minutes. This characteristic only applies if you are using SCEP enrollment.
• enrollment retry count—(Optional) Specifies a maximum number of permitted retries. This characteristic only applies if you are using SCEP enrollment.
• enrollment terminal—Specifies cut-and-paste enrollment with this trustpoint.
• enrollment url URL—Specifies automatic enrollment (SCEP) to enroll with this trustpoint and configures the enrollment URL.
• fqdn fqdn—During enrollment, asks the CA to include the specified fully qualified domain name in the Subject Alternative Name extension of the certificate.
• id-cert-issuer—Indicates whether the system accepts peer certificates issued by the CA associated with this trustpoint.
• ip-address ip-address—During enrollment, asks the CA to include the IP address of the security appliance in the certificate.
• keypair name—Specifies the key pair whose public key is to be certified.
• match certificate map—Configures OCSP URL overrides and trustpoints to use to validate OCSP responder certificates.
• ocsp disable-nonce—Disables the nonce extension on an OCSP request; the nonce extension cryptographically binds requests with responses to avoid replay attacks.
• ocsp url—Configures an OCSP server for the security appliance to use to check all certificates associated with a trustpoint rather than the server specified in the AIA extension of the client certificate.
• password string—Specifies a challenge phrase that is registered with the CA during enrollment. The CA typically uses this phrase to authenticate a subsequent revocation request.

Cisco Security Appliance Command Line Configuration Guide, Chapter 39 Configuring Certificates, page 39-8, OL-12172-03
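The following trustpoint configuration is an added example and is not taken from the guide or from Cisco; it puts the Step 3 commands above into one SCEP-enrolled trustpoint and contrasts the weak revocation setting (crl nocheck) with a checked one. The trustpoint name, key label, hostname, addresses, URLs and challenge phrase are placeholders. The surrounding commands that this page does not list (crypto key generate rsa, crypto ca authenticate, crypto ca enroll, and the policy and cache-time subcommands inside crl configure) are assumed from the ASA/PIX 7.x CLI and should be checked against the Command Reference for your release.

```cisco
! Added example, not from the guide. All names, addresses and URLs are placeholders.
!
! A dedicated RSA key pair for this trustpoint (command assumed from the ASA/PIX 7.x CLI).
crypto key generate rsa label vpn-ca-key modulus 2048
!
crypto ca trustpoint vpn-ca
 ! SCEP enrollment against the CA, with retry behaviour bounded so a failed
 ! enrollment does not retry forever (retry commands apply to SCEP only).
 enrollment url http://ca.example.com/certsrv/mscep/mscep.dll
 enrollment retry period 5
 enrollment retry count 10
 ! Certify the public half of the key pair generated above.
 keypair vpn-ca-key
 ! Identity the CA is asked to place in the certificate (SAN / IP).
 fqdn pix1.example.com
 email admin@example.com
 ip-address 203.0.113.1
 ! Challenge phrase registered with the CA; it authenticates a later revocation request,
 ! so it deserves the same handling as any other secret.
 password PLACEHOLDER-CHALLENGE-PHRASE
 ! Accept peer certificates issued by this CA, but do not accept subordinate CA
 ! certificates that a peer pushes during IKE phase one.
 id-cert-issuer
 no accept-subordinates
 !
 ! Weak setting: with 'crl nocheck' a revoked peer certificate is still accepted.
 ! crl nocheck
 !
 ! Checked setting: require a reachable CRL. Use 'crl optional' only where an
 ! unreachable CRL must not block peers; it trades revocation coverage for availability.
 crl required
 crl configure
  ! Fetch the CRL from the CDP in the certificate and cache it for 60 minutes
  ! (subcommands assumed from the ASA/PIX 7.x CLI, not from this page).
  policy cdp
  cache-time 60
 !
 ! OCSP against a fixed responder for every certificate under this trustpoint,
 ! overriding the AIA extension. The nonce is left enabled so a replayed response
 ! cannot be matched to a new request; 'ocsp disable-nonce' is only for responders
 ! that reject nonces.
 ocsp url http://ocsp.example.com
!
! Obtain the CA certificate, then request the identity certificate
! (commands assumed from the ASA/PIX 7.x CLI; interactive prompts follow).
crypto ca authenticate vpn-ca
crypto ca enroll vpn-ca
```

Verify the result with show crypto ca certificates and show crypto ca crls before any IPsec or VPN peer depends on the trustpoint; with crl required, a CA whose CDP is not reachable from the appliance will cause peer certificates to be rejected until the CRL can be fetched.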