1-9
Cisco ASA Series CLI Configuration Guide
Chapter 1 Configuring Digital Certificates
Configuring Digital Certificates
• The ASA and the AnyConnect clients can only validate certificates in which the X520Serialnumber
field (the serial number in the Subject Name) is in PrintableString format. If the serial number
format uses encoding such as UTF8, the certificate authorization will fail.
• Use only valid characters and values for the certificate parameters when you import them on the
ASA.
• To use a wildcard (*) symbol, make sure that you use encoding on the CA server that allows this
character in the string value. Although RFC 5280 recommends using either a UTF8String or
PrintableString, you should use UTF8String because PrintableString does not recognize the
wildcard as a valid character. The ASA rejects the imported certificate if an invalid character or
value is found during the import. For example:
ERROR: Failed to parse or verify imported certificate ciscoasa(config)# Read
162*HĂ·ytes as CA certificate:0U0= \Ivr"phĂ•V°3Ă©Â¼Ă¾0 CRYPTO_PKI(make trustedCerts list)
CERT-C: E ../cert-c/source/certlist.c(302) : Error #711h
CRYPTO_PKI: Failed to verify the ID certificate using the CA certificate in trustpoint
mm.
CERT-C: E ../cert-c/source/p7contnt.c(169) : Error #703h
crypto_certc_pkcs7_extract_certs_and_crls failed (1795):
crypto_certc_pkcs7_extract_certs_and_crls failed
CRYPTO_PKI: status = 1795: failed to verify or insert the cert into storage
Configuring Digital Certificates
This section describes how to configure local CA certificates. Make sure that you follow the sequence
of tasks listed to correctly configure this type of digital certificate. This section includes the following
topics:
• Configuring Key Pairs, page 1-10
• Removing Key Pairs, page 1-10
• Configuring Trustpoints, page 1-11
• Configuring CRLs for a Trustpoint, page 1-13
• Exporting a Trustpoint Configuration, page 1-15
• Importing a Trustpoint Configuration, page 1-16
• Configuring CA Certificate Map Rules, page 1-17
• Obtaining Certificates Manually, page 1-18
• Obtaining Certificates Automatically with SCEP, page 1-20
• Configuring Proxy Support for SCEP Requests, page 1-21
• Enabling the Local CA Server, page 1-22
• Configuring the Local CA Server, page 1-23
• Customizing the Local CA Server, page 1-25
• Debugging the Local CA Server, page 1-26
• Disabling the Local CA Server, page 1-26
• Deleting the Local CA Server, page 1-26
• Configuring Local CA Certificate Characteristics, page 1-27
To Next Page
Loading...
Need help?
General