Cisco Security Appliance Command Line Configuration Guide
OL-12172-03
Chapter 39 Configuring Certificates
The Local Certificate Authority (CA)

As shown in Figure 39-1, the Local CA server, configurable from both the CLI and ASDM, resides on the security appliance and handles enrollment requests from web page users and CRL inquiries coming from other certificate-validating devices and security appliances. The Local CA database and configuration files are maintained either on the security appliance flash memory (the default storage) or on a separate storage device.

Figure 39-1 The Local CA

[Figure 39-1 shows a security device with the Local CA configured, with four surrounding elements: ASDM and CLI configuration and management; a user enrollment webpage for PKCS12 user certificate enrollment and retrieval; HTTP CRL retrieval; and the local database, held in flash memory or on a mounted external file system (CIFS or FTP).]

Note: Only one Local CA server can be resident on a security appliance at a time, and the Local CA cannot be configured as a subordinate to an external CA.

Configuring the Local CA Server

This section describes how to configure the Local CA server on the security appliance and includes the following topics:
• The Default Local CA Server, page 39-17
• Customizing the Local CA Server, page 39-19
• Certificate Characteristics, page 39-20

The Default Local CA Server

The default Local CA server requires only a few configuration commands to set up with the following characteristics. Once you use the crypto ca server command to enter config-ca-server mode, all you must specify are the CLI commands described in the following steps:

Step 1 Specify the SMTP (Simple Mail Transfer Protocol) from-address with the smtp from-address command. This command provides a valid e-mail address that the Local CA uses as the from: address when sending the e-mails that deliver one-time passwords for an enrollment invitation to users.

39-17
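The default server setup that Step 1 begins, shown as a CLI session. This is an added example, not a session from the guide: the hostname and the e-mail address are constructed placeholders, and the two commands after the from-address (no shutdown to enable the server and show crypto ca server to verify it) are assumed from the ASA config-ca-server mode rather than taken from this page, whose remaining steps continue on the following page.

```cisco
! Enter config-ca-server mode and set the from: address (Step 1); hostname and address are constructed.
hostname(config)# crypto ca server
hostname(config-ca-server)# smtp from-address localca@example.com
! Assumed, not on this page: enable the Local CA. The appliance generates the CA key pair and
! self-signed CA certificate and prompts for a passphrase that protects the archived CA key;
! record that passphrase with the same care as the CA key itself.
hostname(config-ca-server)# no shutdown
! Assumed verification step: confirm the server is up and the from-address is in effect
! before sending any enrollment invitations that rely on it.
hostname(config-ca-server)# show crypto ca server
```

A from-address that does not exist in the mail domain causes the one-time-password invitations to be rejected or bounced, so verify the mailbox (and that the appliance can reach the SMTP server) before inviting users.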