Cisco ASA Series Cli Configuration Manual page 974

Configuring Digital Certificates
Renewing Users
To specify the timing of renewal notices, perform the following steps:
Command
Step 1
crypto ca server
Example:
hostname (config)# crypto ca server
Step 2
renewal-reminder time
Example:
hostname (config-ca-server)# renewal-reminder 7
Cisco ASA Series CLI Configuration Guide
1-38
Chapter 1 Configuring Digital Certificates
Purpose
Enters local ca server configuration mode. Allows
you to configure and manage a local CA.
Specifies the number of days (1-90) before the local
CA certificate expires that an initial reminder to
reenroll is sent to certificate owners. If a certificate
expires, it becomes invalid.
Renewal notices and the times they are e-mailed to
users are variable, and can be configured by the
administrator during local CA server configuration.
Three reminders are sent. An e-mail is automatically
sent to the certificate owner for each of the three
reminders, provided an e-mail address is specified in
the user database. If no e-mail address exists for the
user, a syslog message alerts you of the renewal
requirement.
The ASA automatically grants certificate renewal
privileges to any user who holds a valid certificate
that is about to expire, as long as the user still exists
in the user database. Therefore, if an administrator
does not want to allow a user to renew automatically,
the administrator must remove the user from the
database before the renewal time period.