Cisco PIX 500 Series Configuration Manual page 875

Chapter 39
Configuring Certificates
Note
The issuer-name value cannot be changed after the initial enabling of the Local CA.
CA Certificate Lifetime
You can specify the lifetime (the period of validity) of the Local CA certificate, of all issued user
certificates, or of the CRL with the lifetime command. This command determines the expiration date
included in the certificate; the default lifetime of a Local CA certificate is three years.
Use the lifetime ca-certificate command to set the number of days that you want the Local CA server
certificate to remain valid as shown in the following example of configuring a Local CA certificate to
last for one year:
hostname(config)# crypto ca server
hostname(config-ca-server)# lifetime ca-certificate 365
hostname(config-ca-server)#
To reset the Local CA certificate lifetime to the default of three years during configuration, use the no
lifetime ca-certificate command. You can use the same command (or its no form) to specify (or reset)
the valid lifetime of user certificates (lifetime certificate...) and the CRL (lifetime crl...).
The Local CA server automatically generates a replacement CA certificate 30 days before the current CA
certificate expires. The replacement certificate can be exported and imported onto any other devices so
that they can continue to validate user certificates issued by the Local CA after the current Local CA
certificate has expired. The pre-expiration syslog message is:
%ASA-1-717049: Local CA Server certificate is due to expire in <days> days and a replacement certificate is available for export.
Note
When notified of this automatic rollover, the administrator must take action to ensure the new Local CA
certificate is imported to all necessary devices prior to expiration.
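The rollover window above is easy to miss unless the %ASA-1-717049 message is actually watched for. The following added example (not part of the Cisco guide) computes the expiry and replacement-generation dates for a Local CA certificate from its issue date and configured lifetime, and triages constructed syslog lines for the pre-expiration message. The three-year default is taken as 3 × 365 days, and the severity labels and sample log lines are assumptions made for the example.

```python
import re
from datetime import date, timedelta

# Pre-expiration message documented on this page; <days> is the only variable field.
EXPIRY_MSG_RE = re.compile(
    r"%ASA-1-717049: Local CA Server certificate is due to expire in (?P<days>\d+) days"
)

# The Local CA generates the replacement certificate this many days before expiry (from the page).
ROLLOVER_DAYS = 30

# Default CA certificate lifetime is three years; 3 * 365 days is an assumption of this example.
DEFAULT_CA_LIFETIME_DAYS = 3 * 365


def ca_cert_schedule(issued: date, lifetime_days: int = DEFAULT_CA_LIFETIME_DAYS):
    """Return (expiry, rollover) for a Local CA certificate issued on `issued`.

    `lifetime_days` mirrors the value given to `lifetime ca-certificate`;
    `rollover` is the date the replacement certificate becomes available for export.
    """
    expiry = issued + timedelta(days=lifetime_days)
    rollover = expiry - timedelta(days=ROLLOVER_DAYS)
    return expiry, rollover


def parse_expiry_warnings(lines):
    """Extract days-to-expiry from every %ASA-1-717049 line; other lines are ignored."""
    days = []
    for line in lines:
        m = EXPIRY_MSG_RE.search(line)
        if m:
            days.append(int(m.group("days")))
    return days


def triage_warnings(lines, critical_under: int = 7):
    """Return (days_left, severity) pairs, most urgent first.

    Severity labels are constructed for this example: 'critical' when fewer than
    `critical_under` days remain (the new CA cert must already be on every validating
    device), otherwise 'warning'.
    """
    found = parse_expiry_warnings(lines)
    return sorted((d, "critical" if d < critical_under else "warning") for d in found)


# Constructed sample syslog lines (not captured from a real device).
SAMPLE_SYSLOG = [
    "Jan 10 2024 03:00:01 fw01 last message repeated 2 times",
    "Jan 10 2024 03:00:05 fw01 %ASA-1-717049: Local CA Server certificate is due to expire "
    "in 30 days and a replacement certificate is available for export.",
    "Jan 25 2024 03:00:05 fw01 %ASA-1-717049: Local CA Server certificate is due to expire "
    "in 15 days and a replacement certificate is available for export.",
    "Feb 04 2024 03:00:05 fw01 %ASA-1-717049: Local CA Server certificate is due to expire "
    "in 5 days and a replacement certificate is available for export.",
]

if __name__ == "__main__":
    expiry, rollover = ca_cert_schedule(date(2024, 1, 1), 365)
    print(f"one-year CA cert issued 2024-01-01: expires {expiry}, replacement from {rollover}")
    for days_left, severity in triage_warnings(SAMPLE_SYSLOG):
        print(f"{severity:8s} {days_left:3d} days left")
```

The schedule function lets you put the rollover date on a calendar when the CA is first enabled; the triage function is the piece to wire into whatever collects the appliance's syslog so the 30-day window is not silently consumed.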
User Certificate Lifetime
To set the number of days that you want user certificates to remain valid, use the lifetime certificate
command as shown in the following example of configuring all user certificates to be valid for two
months:
hostname(config)# crypto ca server
hostname(config-ca-server)# lifetime certificate 60
hostname(config-ca-server)#
Before a user certificate expires, the Local CA server automatically initiates certificate renewal
processing: it grants that user enrollment privileges a number of days ahead of the certificate
expiration (the renewal-reminder setting) and delivers an e-mail containing the enrollment username and
OTP for renewal of the certificate.
CRL Lifetime
The Local CA updates and reissues the CRL every time a user certificate is revoked or unrevoked, but if
there are no revocation changes, the CRL is reissued automatically once every CRL lifetime, the period
of time you specify with the lifetime crl command during Local CA configuration. If you do not specify
a CRL lifetime, the default time period is six hours.
Use the lifetime crl command to set the number of hours that you want the certificate revocation list to
remain valid as shown in the following example:
OL-12172-03
Cisco Security Appliance Command Line Configuration Guide
The Local CA
39-21