Cisco ASA Series CLI Configuration Guide

Chapter 1      Configuring Digital Certificates
Revoking Certificates 
To revoke a user certificate, perform the following steps:
Maintaining the Local CA Certificate Database
To maintain the local CA certificate database, make sure that you save the certificate database file, LOCAL-CA-SERVER.cdb, with the write memory command each time that a change to the database occurs. The local CA certificate database includes the following files:
• The LOCAL-CA-SERVER.p12 file is the archive of the local CA certificate and keypair that is generated when the local CA server is initially enabled.
• The LOCAL-CA-SERVER.crl file is the actual CRL.
• The LOCAL-CA-SERVER.ser file keeps track of the issued certificate serial numbers.
Rolling Over Local CA Certificates 
Thirty days before the local CA certificate expires, a rollover replacement certificate is generated, and a syslog message informs the administrator that it is time for local CA rollover. The new local CA certificate must be imported onto all necessary devices before the current certificate expires. If the administrator does not respond by installing the rollover certificate as the new local CA certificate, validations may fail.
The local CA certificate rolls over automatically after expiration using the same keypair. The rollover certificate is available for export in base64 format.
Examples
The following example shows a base64-encoded local CA certificate:
Revoking a user certificate (steps)

Step 1
Command: crypto ca server
Example: hostname(config)# crypto ca server
Purpose: Enters local CA server configuration mode, which allows you to configure and manage a local CA.

Step 2
Command: crypto ca server revoke cert-serial-no
Example: hostname(config-ca-server)# crypto ca server revoke 782ea09f
Purpose: Enters the certificate serial number in hexadecimal format. Marks the certificate as revoked in the certificate database on the local CA server and in the CRL, which is automatically reissued.

Note: The password is also required if the certificate for the ASA needs to be revoked, so make sure that you record it and store it in a safe place.
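As an added example (not from the Cisco guide), the following Python confirms that a serial revoked in Step 2 actually appears in the reissued CRL: a stdlib-only DER walker over the RFC 5280 CertificateList structure, run here on a constructed CRL rather than a real LOCAL-CA-SERVER.crl (which is assumed to be DER; a PEM export would need base64 decoding first).

```python
def _tlv(buf, pos):
    """Read one DER TLV at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(value):                                  # elements of a constructed value
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = _tlv(value, pos)
        out.append((tag, val))
    return out

def revoked_serials(crl_der):
    """Return the revoked serial numbers (as ints) listed in a DER-encoded CRL."""
    _, cert_list, _ = _tlv(crl_der, 0)                 # CertificateList
    _, tbs, _ = _tlv(cert_list, 0)                     # tbsCertList
    fields = _children(tbs)
    if fields[0][0] == 0x02:                           # optional version INTEGER
        fields = fields[1:]
    fields = fields[2:]                                # signature AlgorithmIdentifier, issuer Name
    while fields and fields[0][0] in (0x17, 0x18):     # thisUpdate, optional nextUpdate
        fields = fields[1:]
    if not fields or fields[0][0] != 0x30:             # revokedCertificates is OPTIONAL
        return set()
    return {int.from_bytes(_children(entry)[0][1], "big", signed=True)
            for _, entry in _children(fields[0][1])}

def is_revoked(crl_der, serial_hex):
    """True if the serial, in the hex form typed on the ASA (e.g. 782ea09f), is in the CRL."""
    return int(serial_hex, 16) in revoked_serials(crl_der)

# Constructed sample input, not real ASA output: a minimal DER encoder builds an
# unsigned v2 CRL that revokes serials 782ea09f and 1a2b (signature bits are dummies).
def _der(tag, body):
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body
def _int(v):
    return _der(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big", signed=True))
def sample_crl():
    utc = lambda s: _der(0x17, s.encode())              # UTCTime
    sig_alg = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d01010b")))  # sha256WithRSA
    entries = (_der(0x30, _int(0x782EA09F) + utc("240115120000Z"))
               + _der(0x30, _int(0x1A2B) + utc("240120120000Z")))
    tbs = _der(0x30, _int(1) + sig_alg + _der(0x30, b"") + utc("240101000000Z")
                     + utc("240201000000Z") + _der(0x30, entries))
    return _der(0x30, tbs + sig_alg + _der(0x03, bytes(9)))
```

Point revoked_serials at the bytes of the CRL the ASA reissued after the revoke command; the walker only lists entries and does not verify the CRL signature.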