Renewing Users; Revoking Certificates And Removing Or Restoring Users - Cisco PIX 500 Series Configuration Manual

The Local CA
Alternatively, you could specify the e-mail address in step 2 and omit the crypto ca server user-db
e-mail-otp command. To view the one-time password that was issued, use the crypto ca server user-db
show-otp command; you can then communicate the OTP to the user by other means.
Once a user enrolls within the time limit with the correct OTP, the Local CA server generates a key pair
for the user and issues a user certificate. The certificate binds the public key of that key pair to the
subject-name DN given in the DN field when the user was added, or to the subject-name-default setting if
no DN was specified. The enrollment time limit is set with the otp-expiration command, and the expiration
date of the user certificate is determined by the lifetime certificate setting configured on the server.

Renewing Users

Renewing a user certificate is similar to the initial enrollment process. Each user certificate has an
expiration date, and the Local CA automatically reminds the user by e-mail to renew before that date is
reached. Once a certificate expires, it is no longer valid. The administrator chooses when renewal notices
are sent during Local CA server configuration.
To specify the timing of renewal notices, use the renewal-reminder command to set the number of days
(1-90) before a user certificate expires at which the first reminder to re-enroll is sent to the
certificate owner.
hostname(config)# crypto ca server
hostname(config-ca-server)# renewal-reminder 7
hostname(config-ca-server)#
There are three reminders in all, and an automatic e-mail goes to the certificate owner for each of them,
provided an e-mail address is stored for the user in the user database. If no e-mail address exists for
the user, a syslog message alerts you to the renewal requirement instead.
The security appliance automatically grants renewal privileges to any user who holds a valid certificate
that is about to expire, provided the user is still in the user database. Therefore, if you do not want
a user to renew automatically, remove the user from the database before the renewal period begins.

Revoking Certificates and Removing or Restoring Users

Whenever a user's valid certificate must be revoked, use the crypto ca server revoke command to mark the
certificate as revoked in the certificate database on the CA server and in the CRL, which is reissued
automatically. To revoke a user certificate, enter its serial number in hexadecimal, as in the following
example, which revokes the certificate with serial number 782ea09f:
hostname(config-ca-server)# crypto ca server revoke 782ea09f
Certificate with the serial number 0x782ea09f has been revoked. A new CRL has been issued.
hostname(config-ca-server)#
Note that the CRL is regenerated automatically as soon as the certificate is revoked. Revocation takes
effect for a relying party only once it fetches the new CRL; a client that still holds a cached copy of
the previous CRL accepts the certificate until that copy expires.
To restore a user and unrevoke a previously revoked certificate issued by the Local CA server, use the
crypto ca server unrevoke command with the same serial number.
If you delete a user from the user database by username with the crypto ca server user-db remove
command, you are prompted to permit revocation of any valid certificates issued to that user.
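The commands on this page, assembled into one worked Local CA user lifecycle (an added example, not a
transcript from the Cisco guide). The hostname, the user name jsmith, the subject DN, the e-mail address
and the certificate serial number 782ea09f are assumed values; the issuer-name, smtp from-address and no
shutdown lines belong to the initial server setup that this page does not cover and are included as
assumptions so that the sequence is complete. Lines beginning with ! are comments. The show commands are
there so that each step is confirmed from the appliance's own database rather than from the command's
status message.

```cisco
! Added example, not from the Cisco guide. Assumed values: hostname,
! user jsmith, subject DN, e-mail address, certificate serial 782ea09f.
!
! 1. Server-side settings that govern enrollment, expiry and renewal
hostname(config)# crypto ca server
! (assumption: issuer-name, smtp from-address and no shutdown are part of
!  the initial server setup, which this page does not describe)
hostname(config-ca-server)# issuer-name CN=local-ca,O=Example
hostname(config-ca-server)# smtp from-address local-ca@example.com
! an issued OTP must be used within 24 hours
hostname(config-ca-server)# otp-expiration 24
! user certificates are valid for 365 days after issue
hostname(config-ca-server)# lifetime certificate 365
! first of the three renewal reminders goes out 14 days before expiry
hostname(config-ca-server)# renewal-reminder 14
! combined with the user name to form the subject DN when no dn is given
hostname(config-ca-server)# subject-name-default O=Example,C=US
hostname(config-ca-server)# no shutdown
hostname(config-ca-server)# exit
!
! 2. Enroll a user: add, allow, and read the OTP out of band.
!    The e-mail address is what lets the three renewal reminders reach
!    the user; without it the reminder is only a syslog message.
hostname(config)# crypto ca server user-db add jsmith dn CN=jsmith,O=Example,C=US email jsmith@example.com
hostname(config)# crypto ca server user-db allow jsmith
hostname(config)# crypto ca server user-db show-otp jsmith
! Pass the OTP to the user by another channel; the user must enroll
! before otp-expiration elapses.
!
! 3. Confirm the certificate was issued and read its serial number
hostname(config)# show crypto ca server cert-db user jsmith
!
! 4. Revoke by serial; the CRL is reissued automatically. Check that the
!    serial now appears in the CRL before relying on the revocation.
hostname(config)# crypto ca server revoke 782ea09f
hostname(config)# show crypto ca server crl
!
! 5. Reverse the revocation if it was a mistake, using the same serial
hostname(config)# crypto ca server unrevoke 782ea09f
!
! 6. To stop automatic renewal, remove the user before the reminder
!    window opens; the appliance prompts whether to revoke any valid
!    certificate the user still holds.
hostname(config)# crypto ca server user-db remove jsmith
hostname(config)# show crypto ca server user-db
```

The order of steps 4 and 6 matters in practice: removing a user without accepting the revocation prompt
leaves a certificate that is still valid until its lifetime runs out, so when the goal is to cut off
access, revoke first and confirm with show crypto ca server crl, then remove the user.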
Cisco Security Appliance Command Line Configuration Guide
39-30
Chapter 39
Configuring Certificates
OL-12172-03
