Cisco 5510 - ASA SSL / IPsec VPN Edition Configuration Guide

Cisco 5510 - ASA SSL / IPsec VPN Edition
1822 pages
35-2
Cisco ASA 5500 Series Configuration Guide using ASDM
OL-20339-01
Chapter 35 Configuring Digital Certificates
Information About Digital Certificates
The local CA integrates an independent certificate authority feature on the adaptive security appliance,
deploys certificates, and provides secure revocation checking of issued certificates. The local CA
provides a secure, configurable, in-house authority for certificate authentication with user enrollment
through a website login page. For more information, see the “Authenticating Using the Local CA”
section on page 35-22, the “Managing User Certificates” section on page 35-28, and the “Managing the
User Database” section on page 35-25.
Note: CA certificates and identity certificates apply to both site-to-site VPN connections and remote access
VPN connections. Procedures in this document refer to remote access VPN use in the ASDM GUI.
CAs are responsible for managing certificate requests and issuing digital certificates. A digital certificate
includes information that identifies a user or device, such as a name, serial number, company,
department, or IP address. A digital certificate also includes a copy of the public key for the user or
device. A CA can be a trusted third party, such as VeriSign, or a private (in-house) CA that you establish
within your organization.
This section includes the following topics:
Public Key Cryptography, page 35-2
Certificate Scalability, page 35-3
Key Pairs, page 35-3
Trustpoints, page 35-4
Revocation Checking, page 35-4
CRLs, page 35-4
OCSP, page 35-5
The Local CA Server, page 35-6
Supported CA Servers, page 35-7
Certificate Enrollment, page 35-7
Storage for Local CA Files, page 35-8
Public Key Cryptography
Digital signatures, enabled by public key cryptography, provide a way to authenticate devices and users.
In public key cryptography, such as the RSA encryption system, each user has a key pair containing both
a public and a private key. The keys act as complements, and anything encrypted with one of the keys
can be decrypted with the other.
In simple terms, a signature is formed when data is encrypted with a private key. The signature is
attached to the data and sent to the receiver. The receiver applies the public key of the sender to the data.
If the signature sent with the data matches the result of applying the public key to the data, the validity
of the message is established.
This process relies on the receiver having a copy of the public key of the sender and a high degree of
certainty that this key belongs to the sender, not to someone pretending to be the sender.
Obtaining the public key of a sender is normally handled externally or through an operation performed
at installation. For example, most web browsers are configured with the root certificates of several CAs
by default. For VPN, the IKE protocol, a component of IPSec, can use digital signatures to authenticate
peer devices before setting up security associations.
