1-8
Cisco ASA Series CLI Configuration Guide
 
Chapter 1      Configuring Digital Certificates
• The authentication method, configured in the connection profile for your group policy, must be set to use both AAA and certificate authentication.
• An SSL port must be open for IKEv2 VPN connections.
• The CA must be in auto-grant mode.
Guidelines and Limitations
This section includes the guidelines and limitations for this feature.
Context Mode Guidelines
• Supported in single and multiple context mode for a local CA.
• Supported in single context mode only for third-party CAs.
Firewall Mode Guidelines
Supported in routed and transparent firewall mode.
Failover Guidelines
• Does not support replicating sessions in Stateful Failover.
• Does not support failover for local CAs.
IPv6 Guidelines
Does not support IPv6.
Additional Guidelines
• For ASAs that are configured as CA servers or clients, limit the validity period of the certificate to less than the recommended end date of 03:14:08 UTC, January 19, 2038. This guideline also applies to imported certificates from third-party vendors.
• You cannot configure the local CA when failover is enabled. You can only configure the local CA server for standalone ASAs without failover. For more information, see CSCty43366.
• When a certificate enrollment is completed, the ASA stores a PKCS12 file containing the user's keypair and certificate chain, which requires about 2 KB of flash memory or disk space per enrollment. The actual amount of disk space depends on the configured RSA key size and certificate fields. Keep this guideline in mind when adding a large number of pending certificate enrollments on an ASA with a limited amount of available flash memory, because these PKCS12 files are stored in flash memory for the duration of the configured enrollment retrieval timeout.
• The lifetime ca-certificate command takes effect when the local CA server certificate is first generated (that is, when you initially configure the local CA server and issue the no shutdown command). When the CA certificate expires, the configured lifetime value is used to generate the new CA certificate. You cannot change the lifetime value for existing CA certificates.
• You should configure the ASA to use an identity certificate to protect ASDM traffic and HTTPS traffic to the management interface. Identity certificates that are automatically generated with SCEP are regenerated after each reboot, so make sure that you manually install your own identity certificates. For an example of this procedure that applies only to SSL, see the following URL: http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00809fcf91.shtml.
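Worked check for the 2038 validity guideline above (an added example, not Cisco's code and not part of this guide). Given the start and end dates of a certificate, it flags any end date at or past 03:14:08 UTC on January 19, 2038 (the instant a signed 32-bit time_t overflows) and computes the largest whole-day lifetime that still ends before that instant, which is the bound to stay under when choosing a lifetime ca-certificate or lifetime certificate value. The sample show output, its timestamp layout and the subject names are constructed assumptions, and the assumption that the lifetime commands take a value in days is mine, not a statement from the guide.

```python
import re
from datetime import datetime, timedelta, timezone

# 2**31 seconds after the Unix epoch is 03:14:08 UTC on 19 January 2038, the
# first instant a signed 32-bit time_t cannot hold. The guide requires the
# certificate end date to be earlier than this instant.
Y2038_CUTOFF = datetime.fromtimestamp(2**31, tz=timezone.utc)

DATE_FORMAT = "%H:%M:%S UTC %b %d %Y"   # assumed layout of the ASA 'show' timestamps


def parse_asa_date(text):
    """Parse a timestamp such as '10:22:34 UTC Jul 13 2023' as a UTC datetime."""
    return datetime.strptime(text.strip(), DATE_FORMAT).replace(tzinfo=timezone.utc)


def end_date_ok(end):
    """True when the certificate expires strictly before the 2038 cutoff."""
    return end < Y2038_CUTOFF


def max_lifetime_days(start):
    """Largest whole number of days d such that start + d days is still before the cutoff.

    Assumption: the 'lifetime certificate' / 'lifetime ca-certificate' values are
    expressed in days, so this is the number to stay at or below.
    """
    remaining = Y2038_CUTOFF - start
    if remaining <= timedelta(0):
        return 0
    days = remaining.days                    # floor to whole days
    if timedelta(days=days) == remaining:    # landing exactly on the cutoff is not "less than"
        days -= 1
    return days


# Constructed sample, loosely modelled on 'show crypto ca certificates' output.
# The second (CA) certificate deliberately ends after the 2038 cutoff.
SAMPLE_SHOW_OUTPUT = """\
Certificate
  Status: Available
  Subject Name:
    cn=asa-lab.example.test
  Validity Date:
    start date: 10:22:34 UTC Jul 13 2023
    end   date: 10:22:34 UTC Jul 13 2026
  Associated Trustpoints: ASDM_TrustPoint0
CA Certificate
  Status: Available
  Subject Name:
    cn=lab-local-ca.example.test
  Validity Date:
    start date: 09:00:00 UTC Jan 01 2030
    end   date: 09:00:00 UTC Jan 01 2040
  Associated Trustpoints: LOCAL-CA-SERVER
"""

_BLOCK_RE = re.compile(r"^(CA Certificate|Certificate)\s*$", re.M)
_FIELD_RE = re.compile(r"^\s*(start|end)\s+date:\s*(.+?)\s*$", re.M)
_CN_RE = re.compile(r"^\s*cn=(\S+)", re.M)


def audit_validity(show_output):
    """Split show output into certificate blocks and flag any ending on or after the cutoff."""
    results = []
    # Block boundaries are the header lines; slice the text between consecutive headers.
    starts = [m.start() for m in _BLOCK_RE.finditer(show_output)] + [len(show_output)]
    for a, b in zip(starts, starts[1:]):
        block = show_output[a:b]
        dates = {key: parse_asa_date(val) for key, val in _FIELD_RE.findall(block)}
        cn = _CN_RE.search(block)
        results.append({
            "cn": cn.group(1) if cn else "?",
            "end": dates["end"],
            "ok": end_date_ok(dates["end"]),
            "max_days_from_start": max_lifetime_days(dates["start"]),
        })
    return results


if __name__ == "__main__":
    for r in audit_validity(SAMPLE_SHOW_OUTPUT):
        flag = "ok" if r["ok"] else "ENDS AT OR AFTER 2038 CUTOFF"
        print(f'{r["cn"]}: ends {r["end"]:%Y-%m-%d %H:%M:%S} UTC, '
              f'max lifetime from start {r["max_days_from_start"]} days -> {flag}')
```

Running the block flags the constructed local CA certificate (ends in 2040) and reports, for each certificate, how many whole days of lifetime remain below the cutoff from its start date. Because the guideline also covers imported third-party certificates, the same audit can be run over the validity lines of any certificate before it is installed on the ASA.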