Cisco ASA 5505 Configuration Manual page 752

Authenticating Using the Local CA

Step 10  To make the CRL available for HTTP download on a given interface and port, choose a publish-CRL interface from the drop-down list. Then enter the port number, which can be any port number from 1-65535. The default port number is TCP port 80.

Note  You cannot rename the CRL; it always has the name LOCAL-CA-SERVER.crl.

For example, enter the URL http://10.10.10.100/user8/my_crl_file. In this case, only the interface with the specified IP address works, and when the request comes in, the adaptive security appliance matches the path /user8/my_crl_file to the configured URL. When the path matches, the adaptive security appliance returns the stored CRL file.

Step 11  Enter the CRL lifetime in hours that the CRL is valid. The default for the CA certificate is six hours. The local CA updates and reissues the CRL each time that a user certificate is revoked or unrevoked, but if no revocation changes occur, the CRL is reissued once every CRL lifetime. You can force an immediate CRL update and regeneration by clicking Request CRL in the CA Certificates pane.

Step 12  Enter the database storage location to specify a storage area for the local CA configuration and data files. The adaptive security appliance accesses and implements user information, issued certificates, and revocation lists using a local CA database. Alternatively, to specify an external file, enter the path name to the external file or click Browse to display the Database Storage Location dialog box.

Step 13  Choose the storage location from the list of folders that appears, and click OK.

Note  Flash memory can store a database with 3500 users or less; a database of more than 3500 users requires external storage.

Step 14  Enter a default subject (DN string) to append to a username on issued certificates. The permitted DN attributes are provided in the following list:
CN (Common Name)
SN (Surname)
O (Organization Name)
L (Locality)
C (Country)
OU (Organization Unit)
EA (E-mail Address)
ST (State/Province)
T (Title)

Step 15  Enter the number of hours for which an enrolled user can retrieve a PKCS12 enrollment file to enroll and retrieve a user certificate. The enrollment period is independent of the OTP expiration period. The default is 24 hours.

Note  Certificate enrollment for the local CA is supported only for clientless SSL VPN connections. For this type of connection, communication between the client and the adaptive security appliance is through a web browser that uses standard HTML.

Step 16  Enter the length of time that a one-time password e-mailed to an enrolling user is valid. The default is 72 hours.

Cisco ASA 5500 Series Configuration Guide using ASDM, Chapter 35, Configuring Digital Certificates, OL-20339-01, page 35-24
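The following is an added example, not Cisco code and not part of the manual: a small offline model of the settings that Steps 10 through 16 configure, so that an administrator can check how they interact before committing them to an appliance. The function names are mine; the ordering "CN=<username>" followed by the default subject, and the choice of the OTP e-mail time and the enrollment time as the start of the two validity windows, are assumptions of this model rather than statements from the page.

```python
from __future__ import annotations

from datetime import datetime, timedelta, timezone
from urllib.parse import urlparse

# Step 14: DN attributes the local CA accepts in the default subject.
PERMITTED_DN_ATTRS = {"CN", "SN", "O", "L", "C", "OU", "EA", "ST", "T"}

# The published CRL always has this file name; it cannot be renamed.
CRL_FILE_NAME = "LOCAL-CA-SERVER.crl"

# Defaults stated in Steps 11, 15 and 16.
DEFAULT_CRL_LIFETIME_H = 6
DEFAULT_ENROLLMENT_H = 24
DEFAULT_OTP_H = 72


def parse_default_subject(dn: str) -> list[tuple[str, str]]:
    """Split 'O=Example Corp, OU=VPN Users, C=US' into (attr, value) pairs and
    reject any attribute outside the permitted list (e.g. DC=)."""
    pairs = []
    for rdn in dn.split(","):
        rdn = rdn.strip()
        if not rdn:
            continue
        if "=" not in rdn:
            raise ValueError(f"malformed RDN: {rdn!r}")
        attr, value = (part.strip() for part in rdn.split("=", 1))
        attr = attr.upper()
        if attr not in PERMITTED_DN_ATTRS:
            raise ValueError(f"attribute {attr!r} is not permitted in a default subject")
        if not value:
            raise ValueError(f"empty value for {attr}")
        pairs.append((attr, value))
    return pairs


def issued_subject(username: str, default_subject: str) -> str:
    """Subject placed on a user certificate: the username as CN followed by the
    validated default subject (the ordering is an assumption of this model)."""
    rdns = [("CN", username)] + parse_default_subject(default_subject)
    return ",".join(f"{attr}={value}" for attr, value in rdns)


def serve_crl(configured_url: str, request_host: str, request_path: str,
              stored_crl: bytes) -> bytes | None:
    """Step 10: the CRL is returned only for a request that arrives at the
    interface address in the configured URL and whose path matches exactly."""
    cfg = urlparse(configured_url)
    if request_host != cfg.hostname or request_path != cfg.path:
        return None
    return stored_crl


def crl_next_update(this_update: datetime,
                    lifetime_hours: int = DEFAULT_CRL_LIFETIME_H) -> datetime:
    """Step 11: with no revocation changes the CRL is reissued once per
    lifetime, so a relying party should see a fresh copy by this time."""
    return this_update + timedelta(hours=lifetime_hours)


def crl_is_stale(this_update: datetime, now: datetime,
                 lifetime_hours: int = DEFAULT_CRL_LIFETIME_H) -> bool:
    """True when a fetched CRL is older than its lifetime: either the CA
    stopped reissuing it or the relying party is caching an old copy."""
    return now >= crl_next_update(this_update, lifetime_hours)


def otp_valid(otp_sent_at: datetime, now: datetime,
              otp_hours: int = DEFAULT_OTP_H) -> bool:
    """Step 16: the e-mailed one-time password expires otp_hours after it was
    sent (assumed start of the window)."""
    return now < otp_sent_at + timedelta(hours=otp_hours)


def pkcs12_retrievable(enrolled_at: datetime, now: datetime,
                       enrollment_hours: int = DEFAULT_ENROLLMENT_H) -> bool:
    """Step 15: after enrolling, the user can fetch the PKCS12 file for
    enrollment_hours counted from the enrollment (assumed), independently of
    whether the OTP has since expired."""
    return now < enrolled_at + timedelta(hours=enrollment_hours)


if __name__ == "__main__":
    # Constructed sample values for a dry run.
    print(issued_subject("user8", "O=Example Corp, OU=VPN Users, C=US"))
    url = "http://10.10.10.100/user8/my_crl_file"
    print(serve_crl(url, "10.10.10.100", "/user8/my_crl_file", b"<crl bytes>"))
    print(serve_crl(url, "10.10.10.100", "/user8/other", b"<crl bytes>"))
    t0 = datetime(2024, 1, 1, 8, 0, tzinfo=timezone.utc)  # OTP e-mailed
    t1 = t0 + timedelta(hours=70)                           # user enrolls
    t2 = t1 + timedelta(hours=23)                           # 93 h after the OTP
    print(otp_valid(t0, t2), pkcs12_retrievable(t1, t2))    # OTP gone, PKCS12 still available
    print(crl_is_stale(t0, t0 + timedelta(hours=6)))        # default 6 h lifetime exceeded
```

The dry run shows the independence the page calls out in Step 15: a user who enrolled late in the 72-hour OTP window still has the full 24-hour retrieval window for the PKCS12 file even after the OTP itself has expired. The `crl_is_stale` check is the kind of freshness test a monitoring job can run against the published URL, since a CRL older than its configured lifetime means the local CA is no longer reissuing it.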