Defining Storage for Local CA Files (39-22); Default Flash Memory Data Storage (39-22) - Cisco PIX 500 Series Configuration Manual

The Local CA
hostname(config)# crypto ca server
hostname(config-ca-server)# lifetime crl 10
hostname(config-ca-server)#
To force the issuance of a CRL at any time, use the crypto ca server crl issue command, which
immediately regenerates the CRL and overwrites the existing one. The command can be used in any
circumstances, including when the CRL file is corrupt or has been destroyed, and it displays a
message confirming that the CRL was updated. An example follows:
hostname(config)# crypto ca server crl issue
A new CRL has been issued.
hostname(config)#
This command should not normally be needed, because the Local CA regenerates the CRL on its own when
the configured lifetime crl expires. Use it only when the CRL file has been removed by mistake or is
corrupt and must be regenerated from scratch.
Server Keysize
The size of the Local CA server keypair can be configured independently of the keypair size used for
user-issued certificates. The keysize server command sets the size of the Local CA's own keypair; the
keysize command sets the size of the public and private keys generated when a user certificate is
enrolled. The keysize server command is illustrated in the following example:
hostname(config)# crypto ca server
hostname(config-ca-server)# keysize server 2048
hostname(config-ca-server)#
For both the keysize command and the keysize server command, the key-pair size options are 512, 768,
1024 and 2048 bits, and both commands default to 1024 bits. Only 2048 bits should be chosen for a new
deployment: 512- and 768-bit RSA keys can be factored with modest resources, and 1024-bit RSA is below
current minimum recommendations.
Note: The Local CA keysize cannot be changed once the Local CA is enabled without deleting the Local CA
and reconfiguring a new Local CA, which invalidates all issued certificates.
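The following script is an added example; it is not part of the Cisco guide or of the appliance software. It covers the two checks a practitioner would run from a workstation against files obtained from the Local CA: parsing a DER CRL to decide whether it is well-formed and still current (the cases in which crypto ca server crl issue is or is not warranted, and whether nextUpdate minus thisUpdate matches the configured lifetime crl, in hours), and reading the modulus size of an RSA public key to compare with the keysize server setting. It uses only the Python standard library, does not verify the CRL signature, and builds its own constructed sample CRL and public key; the hostname, serial numbers, dates and dummy modulus in the sample are illustrative values, not real key material.

```python
# Added example, not from the Cisco guide: check a CRL from the Local CA (well-formed?
# nextUpdate passed?) and an RSA key's size, standard library only.  The CRL signature
# is NOT verified.  The sample CRL and key at the bottom are constructed, not real.
from datetime import datetime, timedelta, timezone

def tlv(tag, content):
    """Encode one DER element with a short- or long-form length."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    ln = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(ln)]) + ln + content

def der_int(n):
    body = n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")
    return tlv(0x02, (b"\x00" if body[0] & 0x80 else b"") + body)   # keep it positive

def read_tlv(buf, pos):
    """Decode the element at buf[pos] -> (tag, value, end); ValueError if it overruns."""
    if pos + 2 > len(buf):
        raise ValueError("truncated at offset %d" % pos)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = count of length octets
        nbytes = length & 0x7F
        if not 0 < nbytes <= len(buf) - pos:
            raise ValueError("bad length at offset %d" % pos)
        length, pos = int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes
    if pos + length > len(buf):
        raise ValueError("element runs past end of data (corrupt or truncated file)")
    return tag, buf[pos:pos + length], pos + length

def children(content):
    pos = 0
    while pos < len(content):
        tag, val, pos = read_tlv(content, pos)
        yield tag, val

def parse_time(tag, val):
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"   # UTCTime / GeneralizedTime
    return datetime.strptime(val.decode("ascii"), fmt).replace(tzinfo=timezone.utc)

def parse_crl(der):
    """Fields of a DER CertificateList (RFC 5280); raises ValueError on a malformed file."""
    tag, outer, end = read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("file is not exactly one SEQUENCE")
    parts = list(children(outer))
    if len(parts) != 3:
        raise ValueError("expected tbsCertList, signatureAlgorithm, signatureValue")
    tbs = list(children(parts[0][1]))
    i = (1 if tbs[0][0] == 0x02 else 0) + 2     # skip optional version, sig alg, issuer name
    this_update, i = parse_time(*tbs[i]), i + 1
    next_update = None
    if i < len(tbs) and tbs[i][0] in (0x17, 0x18):
        next_update, i = parse_time(*tbs[i]), i + 1
    revoked = []
    if i < len(tbs) and tbs[i][0] == 0x30:      # revokedCertificates: SEQUENCE OF {serial, date}
        revoked = [int.from_bytes(read_tlv(e, 0)[1], "big") for _, e in children(tbs[i][1])]
    hours = None if next_update is None else (next_update - this_update).total_seconds() / 3600
    return {"thisUpdate": this_update, "nextUpdate": next_update,
            "lifetimeHours": hours, "revoked": revoked}

def crl_status(der, now):
    """'corrupt' (the case for crypto ca server crl issue), 'expired', or 'current'."""
    try:
        crl = parse_crl(der)
    except ValueError:
        return "corrupt"
    if crl["nextUpdate"] is not None and now >= crl["nextUpdate"]:
        return "expired"
    return "current"

def rsa_key_bits(spki_der):
    """Modulus size of an RSA SubjectPublicKeyInfo; compare with the keysize server setting."""
    _, spki, _ = read_tlv(spki_der, 0)
    (_, _alg), (_, bit_string) = children(spki)
    _, rsa_public_key, _ = read_tlv(bit_string[1:], 0)      # skip the unused-bits octet
    return int.from_bytes(read_tlv(rsa_public_key, 0)[1], "big").bit_length()

# --- constructed sample data: dummy signature and dummy modulus, not real key material ---
OID_SHA1_RSA = tlv(0x06, bytes.fromhex("2a864886f70d010105"))
OID_RSA = tlv(0x06, bytes.fromhex("2a864886f70d010101"))
OID_CN = tlv(0x06, bytes.fromhex("550403"))

def utc(dt):
    return tlv(0x17, dt.strftime("%y%m%d%H%M%SZ").encode())

def build_sample_crl(this_update, lifetime_hours, serials):
    alg = tlv(0x30, OID_SHA1_RSA + tlv(0x05, b""))
    issuer = tlv(0x30, tlv(0x31, tlv(0x30, OID_CN + tlv(0x13, b"hostname"))))
    revoked = tlv(0x30, b"".join(tlv(0x30, der_int(s) + utc(this_update)) for s in serials))
    tbs = tlv(0x30, der_int(1) + alg + issuer + utc(this_update)
              + utc(this_update + timedelta(hours=lifetime_hours)) + (revoked if serials else b""))
    return tlv(0x30, tbs + alg + tlv(0x03, b"\x00" * 129))

def build_sample_spki(bits):
    modulus = (1 << (bits - 1)) | 0x1234567                 # top bit set, so bit_length() == bits
    rsa_pub = tlv(0x30, der_int(modulus) + der_int(65537))
    return tlv(0x30, tlv(0x30, OID_RSA + tlv(0x05, b"")) + tlv(0x03, b"\x00" + rsa_pub))

SAMPLE_ISSUED = datetime(2024, 1, 2, 3, 4, 5, tzinfo=timezone.utc)
SAMPLE_CRL = build_sample_crl(SAMPLE_ISSUED, 10, [0x1001, 0x1002])   # as if lifetime crl 10
```

To use it on a real file, pass the CRL's bytes and the current time to crl_status: a result of "corrupt" is the one situation in which forcing crl issue is justified, "expired" means the CA's own schedule has overtaken the copy on hand, and parse_crl(...)["lifetimeHours"] should equal the value configured with lifetime crl. rsa_key_bits on the CA's SubjectPublicKeyInfo confirms the size actually in use, which matters because the note above means a wrong keysize server can only be corrected by rebuilding the CA.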
Defining Storage for Local CA Files
The security appliance stores user information, issued certificates, revocation lists, and so forth
in a Local CA database. By default that database resides in local flash memory; it can instead be
placed on an off-box file system that is mounted and accessible to the security appliance.
Default Flash Memory Data Storage
By default, the Local CA server database is stored in flash memory, nonvolatile storage that retains the
configuration and database files while the security appliance is powered down.
There is no fixed limit on the number of users in the Local CA user database; however, if flash memory
storage problems arise, syslog messages are generated to alert the administrator to take action, and the
Local CA may be disabled until the storage problem is resolved. In practice, flash memory can hold a
database of up to 3500 users; a larger database requires off-box storage.
Cisco Security Appliance Command Line Configuration Guide
39-22
Chapter 39
Configuring Certificates
OL-12172-03
This manual is also suitable for: ASA 5500 series