CRL Downloading; Enrolling Local CA Users - Cisco PIX 500 Series Configuration Manual

The Local CA
hostname(config-ca-server)# lifetime crl 72
hostname(config-ca-server)#
If the cdp-url command is set to serve the CRL directly from the Local CA security appliance, use the
publish-crl CLI command to open a port on an interface to make the CRL accessible from that interface.
The publish-crl command is detailed in the following section.

CRL Downloading

To make the CRL available for HTTP download on a given interface or port, use the publish-crl
command in config-ca-server mode. The specified interface and port are used to listen for incoming
requests for the CRL. Interface options are:

inside        name of interface GigabitEthernet0/1
management    name of interface Management0/0
outside       name of interface GigabitEthernet0/0

The optional port option can be any port number in a range of 1-65535, and TCP port 80 is the HTTP
default port number. For example, to specify port 70 for outside access to the CRL, use the following
command:

hostname(config)# crypto ca server
hostname(config-ca-server)# publish-crl outside 70
hostname(config-ca-server)#

The CDP URL can be configured to use the IP address of an interface, and the path of the CDP URL
and the file name can also be configured. For example, the CDP URL could be configured as:

http://10.10.10.100/user8/my_crl_file

In this case only the interface with that IP address configured listens for CRL requests, and when a
request comes in, the security appliance matches the path /user8/my_crl_file to the configured CDP
URL. When the path matches, the security appliance returns the CRL file stored in storage. Note that the
protocol must be HTTP, so the prefix is http://.

Note: If you do not specify a publish-crl command, the CRL is not accessible from the CDP location,
because the publish-crl command is required in order to open an interface for downloading the CRL file.

Enrolling Local CA Users

Each user who wishes to be enrolled as a Local CA user must be added to the Local CA server user
database. User enrollment is initiated by the Local CA administrator, who adds new users to the database
with the crypto ca server user-db add command.
Next, the administrator issues a crypto ca server user-db allow... command, and, if email-OTP is
specified, the Local CA Server e-mails a one-time password and username to the new user to enable
enrollment. The e-mail, an automatically generated message, contains the enrollment URL of the
security appliance.
Figure 39-2 shows a sample e-mail to a new user.

Cisco Security Appliance Command Line Configuration Guide, Chapter 39 Configuring Certificates, OL-12172-03, page 39-24
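The CRL Downloading section above gives three separate rules that have to agree before a client can actually fetch the CRL: the CDP URL must use http://, only the interface whose IP address appears in the URL listens, and the listening port is whatever publish-crl sets (80 if omitted). The following added example, which is not Cisco code and not part of this guide, parses a constructed ASA-style configuration fragment (the interface names, addresses and the :70 in the URL are assumptions chosen to match the section's examples) and reports any mismatch between cdp-url and publish-crl before the configuration is deployed. It assumes standard HTTP URL semantics, so a cdp-url with no explicit port is treated as port 80 and is flagged when publish-crl listens on another port.

```python
"""Pre-flight consistency check for a Local CA CRL distribution point.

Added example, not Cisco's code. It checks the rules stated in the CRL
Downloading section: cdp-url must be http://, its host must be the address
of the interface named in publish-crl, publish-crl must exist, and the port
in the URL (80 when absent) must equal the port publish-crl listens on.
"""
from urllib.parse import urlsplit

# Constructed sample configuration fragment (not captured from a real appliance).
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 nameif outside
 ip address 10.10.10.100 255.255.255.0
interface GigabitEthernet0/1
 nameif inside
 ip address 192.168.1.1 255.255.255.0
crypto ca server
 cdp-url http://10.10.10.100:70/user8/my_crl_file
 lifetime crl 72
 publish-crl outside 70
"""


def parse_config(text):
    """Return (interfaces, cdp_url, publish) from an ASA-style fragment.

    interfaces maps nameif -> IP address; publish is (nameif, port) or None.
    """
    interfaces, cdp_url, publish = {}, None, None
    current = None
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("nameif "):
            current = s.split()[1]
        elif s.startswith("ip address ") and current:
            interfaces[current] = s.split()[2]
        elif s.startswith("cdp-url "):
            cdp_url = s.split(None, 1)[1]
        elif s.startswith("publish-crl "):
            parts = s.split()
            port = int(parts[2]) if len(parts) > 2 else 80  # HTTP default port
            publish = (parts[1], port)
    return interfaces, cdp_url, publish


def check_crl_publishing(text):
    """Return a list of problems; an empty list means the CRL should be reachable."""
    interfaces, cdp_url, publish = parse_config(text)
    problems = []
    if cdp_url is None:
        return ["no cdp-url configured"]
    url = urlsplit(cdp_url)
    if url.scheme != "http":
        problems.append(f"cdp-url scheme must be http, got {url.scheme!r}")
    if publish is None:
        problems.append("publish-crl is missing; no interface listens for CRL requests")
        return problems
    nameif, port = publish
    if nameif not in interfaces:
        problems.append(f"publish-crl names unknown interface {nameif!r}")
    elif interfaces[nameif] != url.hostname:
        problems.append(
            f"cdp-url host {url.hostname} is not the address of {nameif} "
            f"({interfaces[nameif]}); that interface will not answer"
        )
    url_port = url.port or 80  # a URL without a port means TCP 80 to the client
    if url_port != port:
        problems.append(f"cdp-url port {url_port} does not match publish-crl port {port}")
    if not url.path or url.path == "/":
        problems.append("cdp-url has no path; the appliance matches the request path exactly")
    return problems


if __name__ == "__main__":
    for problem in check_crl_publishing(SAMPLE_CONFIG) or ["CRL publishing looks consistent"]:
        print(problem)
```

Run it against a saved running-config fragment after changing cdp-url or publish-crl; each reported line maps directly to one of the rules in the section, so an empty result means a client following the CDP URL reaches an interface that is actually listening.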