Cisco PIX 500 Series Configuration Manual page 872

The Local CA
Step 2   For an optional subject-name DN appended to each username on issued certificates, specify the subject-name DN with the subject-name-default command. The subject-name DN and the username combine to form the DN in all user certificates issued by the Local CA server. If you do not specify a subject-name DN, you must specify the exact subject-name DN to be included in a user certificate each time you add a user to the user database.
The following example shows the few CLI commands required to configure and enable the Local CA server when you are using the predefined default values for all required parameters.

    hostname(config)# crypto ca server
    hostname(config-ca-server)# smtp from-address SecurityAdmin@hostcorp.com
    hostname(config-ca-server)# subject-name-default cn=engineer, o=asc Systems, c=US
    hostname(config-ca-server)# no shutdown

All other required parameter values are the system defaults.
Table 39-1 lists the configurable characteristics of the Local CA server, their pre-defined default values, and the CLI commands that configure them.

Note   Issuer-name and keysize server values cannot be changed after you enable the Local CA initially. Be sure to review all optional parameters carefully before you enable the configured Local CA.

Table 39-1   Local CA Server Default Characteristics

| Local CA Server Characteristic | Default Value | CLI Configuration Command(s) |
| --- | --- | --- |
| Storage location for database and configuration | On-board flash memory in the directory LOCAL-CA-SERVER. | mount (global config mode); database path |
| Certificate issuer name | cn=FQDN | issuer-name |
| Enabled/disabled. no shutdown enables the Local CA; shutdown disables it. | No Local CA server configured. No server enabled. | shutdown vs. no shutdown (enables) |
| Access to config-ca-server mode and Local CA server configuration commands | | crypto ca server |
| Issued certificate key-pair size | 1024 bits per key | keysize |
| Local CA certificate key-pair size | 1024 bits per key | keysize server |
| Length of time a user certificate, server certificate, or CRL is valid | User certificate = 1 yr.; server certificate = 3 yrs.; CRL = 6 hours | lifetime |
| Length of time a one-time password is valid | Expires in 72 hrs. (three days) | otp-expiration |
| Certificate Revocation List (CRL) Distribution Point (CDP), the location of the CRL on the Local CA security appliance or on an external server | For a local CRL, the same as the security appliance: http://hostname.domain/+CSCOCA+/asa_ca.crl | cdp-url |
| E-mail address issuing Local CA e-mail notices | Required. You must supply an e-mail address, as the default, admin@FQDN, might not be an actual address. | smtp from-address |

Cisco Security Appliance Command Line Configuration Guide
Chapter 39   Configuring Certificates
39-18
OL-12172-03
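As an added example that is not part of the guide, the minimal configuration shown earlier is extended with the optional parameters from Table 39-1, set to non-default values before the server is enabled (issuer-name and keysize server are locked once `no shutdown` runs). The values, the hostnames and the organization name are illustrative; the subcommand keywords on the lifetime lines (ca-certificate, certificate, crl) and the 2048-bit key size are assumptions drawn from the Local CA command set of this software train rather than from this page, so confirm them against the command reference for your release before use.

```cisco
! Enter Local CA server configuration mode
hostname(config)# crypto ca server
! Issuer DN and key sizes: fixed after the first "no shutdown", so set them now.
! 2048 bits instead of the 1024-bit default (assumed to be an accepted keysize value).
hostname(config-ca-server)# issuer-name cn=vpn-ca.example.com, o=Example Corp, c=US
hostname(config-ca-server)# keysize server 2048
hostname(config-ca-server)# keysize 2048
! Validity periods (keywords assumed): CA cert in days, user certs in days, CRL in hours
hostname(config-ca-server)# lifetime ca-certificate 1095
hostname(config-ca-server)# lifetime certificate 365
hostname(config-ca-server)# lifetime crl 6
! Shorten the enrollment one-time password window from the 72-hour default to 24 hours
hostname(config-ca-server)# otp-expiration 24
! Publish the CRL at an address that client networks can actually reach (illustrative URL)
hostname(config-ca-server)# cdp-url http://crl.example.com/asa_ca.crl
! Replace the admin@FQDN default with a monitored mailbox
hostname(config-ca-server)# smtp from-address SecurityAdmin@example.com
! Subject-name suffix appended to each username on issued certificates
hostname(config-ca-server)# subject-name-default o=Example Corp, c=US
! Enable the Local CA only after every locked parameter has been reviewed
hostname(config-ca-server)# no shutdown
```

After `no shutdown`, correcting issuer-name or keysize server means deleting and recreating the Local CA, which invalidates every certificate it has issued, so review `show running-config crypto ca server` output before enabling rather than after.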