Configuring Key Pairs - Cisco FirePOWER ASA 5500 series Configuration Manual

Security appliance command line

Certificate Configuration
To prepare a security appliance for certificates, perform the following steps:
Step 1
Ensure that the hostname and domain name of the security appliance are configured correctly. You can use the show running-config command to view the hostname and domain name as currently configured.
For information about configuring the hostname, see the "Setting the Hostname" section on page 8-2.
For information about configuring the domain name, see the "Setting the Domain Name" section on page 8-2.
Step 2
Be sure that the security appliance clock is set accurately before configuring the CA. Certificates have a date and time that they become valid and that they expire. When the security appliance enrolls with a CA and gets a certificate, the security appliance checks that the current time is within the valid range for the certificate. If it is outside that range, enrollment fails.
For information about setting the clock, see the "Setting the Date and Time" section on page 8-2.

Configuring Key Pairs

This section includes the following topics:
Generating Key Pairs, page 39-6
Removing Key Pairs, page 39-7

Generating Key Pairs
Key pairs are RSA keys, as discussed in the "About Key Pairs" section on page 39-2. You must generate key pairs for the types of certification you want to use.
To generate key pairs, perform the following steps:
Step 1
Generate the types of key pairs needed for your PKI implementation. To do so, perform the following steps, as applicable:
a.
If you want to generate RSA key pairs, use the crypto key generate rsa command.
hostname/contexta(config)# crypto key generate rsa
If you do not use additional keywords this command generates one general purpose RSA key pair. Because the key modulus is not specified, the default key modulus of 1024 is used. You can specify other modulus sizes with the modulus keyword. You can also assign a label to each key pair using the label keyword. The label is referenced by the trustpoint that uses the key pair. If you do not assign a label, the key pair is automatically labeled <Default-RSA-Key>.
hostname/contexta(config)# crypto key generate rsa label key-pair-label
Step 2
(Optional) Use the show crypto key mypubkey command to view key pair(s). The following example shows an RSA general-purpose key:
hostname/contexta(config)# show crypto key mypubkey
Key pair was generated at: 16:39:47 central Feb 10 2005
Key name: <Default-RSA-Key>
Usage: General Purpose Key
Modulus Size (bits): 1024
Key Data:

Cisco Security Appliance Command Line Configuration Guide, OL-10088-01, Chapter 39, Configuring Certificates, page 39-6
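An added example, not part of the Cisco manual: a Python audit that parses show crypto key mypubkey output in the format shown in Step 2 and flags key pairs left at the 1024-bit default modulus or the <Default-RSA-Key> label. The 2048-bit floor, the default-label rule, the second sample record and its label vpn-identity are assumptions made for illustration.

```python
import re

MIN_MODULUS_BITS = 2048  # assumed policy floor, not a value from the manual
DEFAULT_LABEL = "<Default-RSA-Key>"  # label the appliance assigns when none is given

# Constructed sample: the first record mirrors the manual's example output;
# the second record and its label "vpn-identity" are invented for illustration.
SAMPLE_OUTPUT = """\
hostname/contexta(config)# show crypto key mypubkey
Key pair was generated at: 16:39:47 central Feb 10 2005
Key name: <Default-RSA-Key>
Usage: General Purpose Key
Modulus Size (bits): 1024
Key Data:
Key pair was generated at: 09:12:03 central Mar 02 2005
Key name: vpn-identity
Usage: General Purpose Key
Modulus Size (bits): 2048
Key Data:
"""

FIELD_RE = re.compile(r"^\s*(Key name|Usage|Modulus Size \(bits\)):\s*(.+?)\s*$")


def parse_key_pairs(text):
    """Split the command output into one dict per key pair."""
    pairs, current = [], None
    for line in text.splitlines():
        if line.lstrip().startswith("Key pair was generated at:"):
            current = {"generated": line.split("at:", 1)[1].strip()}
            pairs.append(current)
            continue
        m = FIELD_RE.match(line)
        if m and current is not None:
            current[m.group(1)] = m.group(2)
    return pairs


def audit_key_pairs(text, min_bits=MIN_MODULUS_BITS):
    """Return (key name, finding) tuples for key pairs that need attention."""
    findings = []
    for kp in parse_key_pairs(text):
        name = kp.get("Key name", "<unknown>")
        bits = int(kp.get("Modulus Size (bits)", "0"))  # missing size counts as 0
        if bits < min_bits:
            findings.append((name, f"modulus {bits} bits is below {min_bits}"))
        if name == DEFAULT_LABEL:  # assumed hygiene rule: every key pair is labeled
            findings.append((name, "unlabeled default key pair"))
    return findings
```

Calling audit_key_pairs on output captured from each appliance gives a list of key pairs to regenerate with an explicit modulus and label.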

This manual is also suitable for:

Pix 500 series, Cisco asa 5500 series
