35-24
Cisco ASA 5500 Series Configuration Guide using ASDM
OL-20339-01
Chapter 35 Configuring Digital Certificates
Authenticating Using the Local CA
Step 10 To make the CRL available for HTTP download on a given interface and port, choose a publish-CRL interface from the drop-down list. Then enter the port number, which can be any port number from 1-65535. The default port number is TCP port 80.
Note You cannot rename the CRL; it always has the name LOCAL-CA-SERVER.crl.
For example, enter the URL http://10.10.10.100/user8/my_crl_file. In this case, only the interface with the specified IP address works, and when the request comes in, the adaptive security appliance matches the path /user8/my_crl_file to the configured URL. When the path matches, the adaptive security appliance returns the stored CRL file.
Step 11 Enter the CRL lifetime in hours, that is, how long the CRL is valid. The default for the CA certificate is six hours. The local CA updates and reissues the CRL each time that a user certificate is revoked or unrevoked, but if no revocation changes occur, the CRL is reissued once every CRL lifetime. You can force an immediate CRL update and regeneration by clicking Request CRL in the CA Certificates pane.
Step 12 Enter the database storage location to specify a storage area for the local CA configuration and data files. The adaptive security appliance accesses and maintains user information, issued certificates, and revocation lists using a local CA database. Alternatively, to specify an external file, enter the path name to the external file or click Browse to display the Database Storage Location dialog box.
Step 13 Choose the storage location from the list of folders that appears, and click OK.
Note Flash memory can store a database of 3500 users or fewer; a database of more than 3500 users requires external storage.
Step 14 Enter a default subject (DN string) to append to a username on issued certificates. The permitted DN attributes are provided in the following list:
• CN (Common Name)
• SN (Surname)
• O (Organization Name)
• L (Locality)
• C (Country)
• OU (Organization Unit)
• EA (E-mail Address)
• ST (State/Province)
• T (Title)
Step 15 Enter the number of hours for which an enrolled user can retrieve a PKCS12 enrollment file to enroll and retrieve a user certificate. The enrollment period is independent of the OTP expiration period. The default is 24 hours.
Note Certificate enrollment for the local CA is supported only for clientless SSL VPN connections. For this type of connection, communications between the client and the adaptive security appliance are through a web browser that uses standard HTML.
Step 16 Enter the length of time that a one-time password e-mailed to an enrolling user is valid. The default is 72 hours.
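The steps above are entered by hand in ASDM, so a planned configuration is easy to get wrong. The following Python, added here and not taken from the Cisco guide, encodes the constraints those steps state so settings can be checked before they are entered: the CRL URL form and port range from Step 10, the permitted default-subject attributes from Step 14, and the 3500-user flash limit from the Step 13 note. The `LocalCaSettings` fields, the `issued_subject` form (CN=username followed by the default subject DN), and the sample values are assumptions of this example, not behaviour documented on this page.

```python
from dataclasses import dataclass
from urllib.parse import urlparse

# Permitted attributes for the default subject DN (Step 14).
PERMITTED_DN_ATTRS = {"CN", "SN", "O", "L", "C", "OU", "EA", "ST", "T"}
FLASH_MAX_USERS = 3500  # flash holds at most 3500 users; more needs external storage (Step 13 note)

@dataclass
class LocalCaSettings:  # field names are this example's own, not ASDM labels
    crl_url: str               # publish-CRL URL, e.g. http://10.10.10.100/user8/my_crl_file
    crl_port: int = 80         # TCP port for CRL download, 1-65535, default 80 (Step 10)
    crl_lifetime_hours: int = 6  # default six hours (Step 11)
    default_subject: str = ""  # DN string appended to the username (Step 14)
    expected_users: int = 0    # planned size of the local CA user database
    storage: str = "flash"     # "flash" or "external" (Steps 12 and 13)
    enrollment_hours: int = 24  # PKCS12 retrieval window (Step 15)
    otp_hours: int = 72        # one-time password validity (Step 16)

def parse_dn(dn: str) -> list[tuple[str, str]]:
    """Split 'O=Example,C=US' into [('O', 'Example'), ('C', 'US')]; attribute names upper-cased."""
    pairs = []
    for part in filter(None, (p.strip() for p in dn.split(","))):
        if "=" not in part:
            raise ValueError(f"malformed RDN: {part!r}")
        attr, value = part.split("=", 1)
        pairs.append((attr.strip().upper(), value.strip()))
    return pairs

def issued_subject(username: str, default_subject: str) -> str:
    """Assumed form of an issued certificate subject: CN=<username> followed by the default DN."""
    rdns = [("CN", username)] + parse_dn(default_subject)
    return ",".join(f"{a}={v}" for a, v in rdns)

def validate(s: LocalCaSettings) -> list[str]:
    """Return the list of rule violations; an empty list means the settings satisfy the page's constraints."""
    problems = []
    u = urlparse(s.crl_url)
    if u.scheme != "http" or not u.hostname or u.path in ("", "/"):
        problems.append("CRL URL must have the form http://<interface-ip>/<path>")
    if not 1 <= s.crl_port <= 65535:
        problems.append(f"CRL port {s.crl_port} is outside 1-65535")
    bad = sorted({a for a, _ in parse_dn(s.default_subject) if a not in PERMITTED_DN_ATTRS})
    if bad:
        problems.append(f"default subject uses unsupported attribute(s): {bad}")
    if s.storage == "flash" and s.expected_users > FLASH_MAX_USERS:
        problems.append(f"{s.expected_users} users exceed the flash limit of {FLASH_MAX_USERS}; use external storage")
    return problems
```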
