39-9
Cisco Security Appliance Command Line Configuration Guide
OL-10088-01
Chapter 39 Configuring Certificates
Certificate Configuration
revocation-check—Sets one or more methods for revocation checking: CRL, OCSP, and none.
subject-name X.500 name—During enrollment, asks the CA to include the specified subject DN in
the certificate.
serial-number—During enrollment, asks the CA to include the security appliance serial number in
the certificate.
support-user-cert-validation—If enabled, the configuration settings to validate a remote user
certificate can be taken from this trustpoint, provided that this trustpoint is authenticated to the CA
that issued the remote certificate.
exit—Leaves the mode.
Step 4 Save the trustpoint configuration. To do so, save the running configuration by entering the write
memory command.
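The following is an added example, not a configuration from this guide, that puts the subcommands listed above together for one trustpoint. The hostname, the trustpoint name Main, the key-pair label Main-key, the subject DN and the CA URL are all assumed for illustration; the enrollment url line is what makes this trustpoint enroll with SCEP rather than manually, and the final command is the first step of that SCEP enrollment.

```text
! Added example (not from the guide). Hostname, labels, DN and URL are assumed.
! Generate a general-purpose RSA key pair; one certificate will cover signing and encryption.
hostname(config)# crypto key generate rsa label Main-key modulus 2048
hostname(config)# crypto ca trustpoint Main
! An enrollment url selects SCEP for this trustpoint (assumed CA address).
hostname(config-ca-trustpoint)# enrollment url http://ca.example.com/certsrv/mscep/mscep.dll
hostname(config-ca-trustpoint)# keypair Main-key
! Ask the CA to put this subject DN and the appliance serial number in the certificate.
hostname(config-ca-trustpoint)# subject-name CN=asa1.example.com,O=Example Corp
hostname(config-ca-trustpoint)# serial-number
! Try OCSP first, then CRL; no "none", so an unreachable responder fails validation.
hostname(config-ca-trustpoint)# revocation-check ocsp crl
hostname(config-ca-trustpoint)# exit
! Step 4: save the trustpoint configuration.
hostname(config)# write memory
! Start SCEP enrollment by fetching the CA certificate for this trustpoint.
hostname(config)# crypto ca authenticate Main
```

Two points worth checking before using a configuration like this. Adding none to the revocation-check list tells the appliance to accept a certificate when the listed methods cannot be reached, so leave it out wherever a failed revocation check must be treated as a failed validation. And crypto ca authenticate displays the fingerprint of the CA certificate it receives over SCEP and waits for confirmation; compare that fingerprint with one obtained from the CA operator out of band before accepting it, because every later certificate validation on this trustpoint chains back to it.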
Obtaining Certificates
The security appliance needs a CA certificate for each trustpoint and one or two certificates for itself,
depending upon the configuration of the keys used by the trustpoint. If the trustpoint uses separate RSA
keys for signing and encryption, the security appliance needs two certificates, one for each purpose. In
other key configurations, only one certificate is needed.
The security appliance supports enrollment with SCEP and with manual enrollment, which lets you paste
a base-64-encoded certificate directly into the terminal. For site-to-site VPNs, you must enroll each
security appliance. For remote access VPNs, you must enroll each security appliance and each remote
access VPN client.
This section includes the following topics:
Obtaining Certificates with SCEP, page 39-9
Obtaining Certificates Manually, page 39-11
Obtaining Certificates with SCEP
This procedure provides steps for configuring certificates using SCEP. Repeat these steps for each
trustpoint you configure for automatic enrollment. When you have completed this procedure, the
security appliance will have received a CA certificate for the trustpoint and one or two certificates for
signing and encryption purposes. If you use general-purpose RSA keys, the certificate received is for
signing and encryption. If you use separate RSA keys for signing and encryption, the security appliance
receives separate certificates for each purpose.
Note Whether a trustpoint uses SCEP for obtaining certificates is determined by the use of the enrollment url
command when you configure the trustpoint (see the “Configuring Trustpoints” section on page 39-7).
To obtain certificates with SCEP, perform the following steps:
Step 1 Obtain the CA certificate for the trustpoint you configured.
hostname/contexta(config)# crypto ca authenticate trustpoint
For example, using trustpoint named Main, which represents a subordinate CA: