The Local CA - Cisco PIX 500 Series Configuration Manual
To configure a CA certificate map rule, perform the following steps:

Step 1
Enter CA certificate map configuration mode for the rule you want to configure. To do so, enter the
crypto ca certificate map command and specify the rule index number. The following example
enters CA certificate map mode for the rule with index number 1.
hostname(config)# crypto ca certificate map 1
hostname(config-ca-cert-map)#

Step 2
Use the issuer-name and subject-name commands to configure the rule. These commands specify tests
that the security appliance can apply to values found in the Issuer or Subject fields of certificates. The
tests can apply to specific attributes or to the whole of the Issuer or Subject field. You can configure
many tests per rule, and all the tests you specify with these commands must be true for a rule to match
a certificate. Valid operators in the issuer-name and subject-name commands are as follows.

Operator   Meaning
eq         The field or attribute must be identical to the value given.
ne         The field or attribute cannot be identical to the value given.
co         Part or all of the field or attribute must match the value given.
nc         No part of the field or attribute can match the value given.

For more information about the issuer-name and subject-name commands, see the Cisco Security
Appliance Command Reference.
The following example specifies that any attribute within the Issuer field must contain the string ASC:
hostname(config-ca-cert-map)# issuer-name co asc
hostname(config-ca-cert-map)#
The following example specifies that within the Subject field an Organizational Unit attribute must
exactly match the string Engineering.
hostname(config-ca-cert-map)# subject-name attr ou eq Engineering
hostname(config-ca-cert-map)#
Map rules appear in the output of the show running-config command.
crypto ca certificate map 1
issuer-name co asc
subject-name attr ou eq Engineering

Step 3
When you have finished configuring the map rule, save your work by entering the write memory command.
The Local CA
The Local Certificate Authority (Local CA) integrates a basic certificate authority functionality on the
security appliance, deploys certificates, and provides secure revocation checking of issued certificates.
The Local CA provides trusted digital certificates to users, without the need to rely on an external certificate
authority.
The Local CA provides a secure in-house authority for certificate authentication and offers
straightforward user enrollment by means of a browser web page login. Once you configure a Local CA
server on the security appliance, users can enroll for a certificate by visiting a specified browser-based
enrollment page and entering a username and a one-time password that is provided by the Local CA
administrator to validate their eligibility for enrollment.
Cisco Security Appliance Command Line Configuration Guide
Chapter 39 Configuring Certificates, page 39-16
OL-12172-03