Cisco ASA 5505 Configuration Manual page 750

Cisco ASA 5500 Series Configuration Guide using ASDM (OL-20339-01), page 35-22
Chapter 35: Configuring Digital Certificates

What to Do Next

See the "Authenticating Using the Local CA" section on page 35-22.

Authenticating Using the Local CA

The local CA provides a secure, configurable in-house authority that resides on the adaptive security appliance for certificate authentication to use with browser-based and client-based SSL VPN connections.

Users enroll by logging in to a specified website. The local CA integrates basic certificate authority operations on the adaptive security appliance, deploys certificates, and provides secure revocation checking of issued certificates.

The local CA lets you perform the following tasks:
- Configure the local CA server.
- Revoke and unrevoke local CA certificates.
- Update CRLs.
- Add, edit, and delete local CA users.

This section includes the following topics:
- Configuring the Local CA Server, page 35-22
- Deleting the Local CA Server, page 35-25

Configuring the Local CA Server

To configure a local CA server on the adaptive security appliance, perform the following steps:

Step 1  In the CA Server pane, to activate the local CA server, click the Enable radio button. The default is disabled. After you enable the local CA server, the adaptive security appliance generates the local CA server certificate, key pair, and necessary database files, and then archives the local CA server certificate and key pair in a PKCS12 file.

Note  Be sure to review all optional settings carefully before you enable the configured local CA. After you enable it, the certificate issuer name and key size server values cannot be changed.

The self-signed certificate key usage extension enables key encryption, key signature, CRL signature, and certificate signature.

Step 2  When you enable the local CA for the first time, you must provide an alphanumeric Enable passphrase, which must have a minimum of seven alphanumeric characters. The passphrase protects the local CA certificate and the local CA certificate key pair archived in storage, and secures the local CA server from unauthorized or accidental shutdown. The passphrase is required to unlock the PKCS12 archive if the local CA certificate or key pair is lost and must be restored.

Note  The Enable passphrase is required to enable the local CA server. Be sure to keep a record of the Enable passphrase in a safe location.
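The following is an added example, not part of the Cisco guide and not ASA code: it uses the OpenSSL command line as a stand-in to reproduce the artifact described in Steps 1 and 2 (a self-signed CA certificate and key pair archived in a passphrase-protected PKCS12 file) and to check that the archive only unlocks with the correct passphrase. The file names, the subject name, the reading of the passphrase rule as "letters and digits only", and the mapping of the guide's four key usages onto the X.509 names digitalSignature, keyEncipherment, keyCertSign and cRLSign are assumptions.

```sh
#!/bin/sh
# Added illustration (OpenSSL stand-in, not ASA code). All names are constructed.

# Step 2 rule as read here: letters and digits only, at least seven of them.
valid_passphrase() {
    case "$1" in *[!A-Za-z0-9]*) return 1 ;; esac
    [ "${#1}" -ge 7 ]
}

# make_ca_archive DIR PASSPHRASE
# Self-signed CA certificate + key pair, archived together in DIR/ca.p12.
make_ca_archive() {
    dir=$1 pass=$2
    valid_passphrase "$pass" || { echo "passphrase rejected" >&2; return 2; }
    cat > "$dir/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
prompt = no
[dn]
CN = example-local-ca
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,digitalSignature,keyEncipherment,keyCertSign,cRLSign
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$dir/ca.cnf" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null || return 1
    PASS=$pass openssl pkcs12 -export -inkey "$dir/ca.key" -in "$dir/ca.pem" \
        -name local-ca -passout env:PASS -out "$dir/ca.p12" || return 1
    rm -f "$dir/ca.key"    # the private key now exists only inside the archive
}

# archive_key_usage P12 PASSPHRASE
# Unlocks the archive (fails on a wrong passphrase) and prints the CA
# certificate's key usage list.
archive_key_usage() {
    PASS=$2 openssl pkcs12 -in "$1" -passin env:PASS -nokeys \
        -out "$1.crt" 2>/dev/null || return 1
    openssl x509 -in "$1.crt" -noout -text |
        grep -A1 'X509v3 Key Usage' | tail -n 1 | sed 's/^ *//; s/ *$//'
}
```

Call make_ca_archive with a scratch directory and a passphrase, then archive_key_usage on the resulting ca.p12; a wrong passphrase makes the second call return non-zero, which is the situation the Step 2 note about recording the passphrase guards against.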

This manual is also suitable for: ASA 5510, ASA 5540, ASA 5520, ASA 5550, ASA 5580