39-14
Cisco Security Appliance Command Line Configuration Guide
OL-10088-01
Chapter 39 Configuring Certificates
Certificate Configuration
where n is the number of minutes. For example, to specify that CRLs should be cached for seven hours,
enter the following command.
hostname/contexta(config-ca-crl)# cache-time 420
Step 8 Configure whether the security appliance requires the NextUpdate field in CRLs. For more information
about how the security appliance uses the NextUpdate field, see the “About CRLs” section on page 39-3.
Do one of the following:
To require the NextUpdate field, enter the enforcenextupdate command. This is the default setting.
To allow the NextUpdate field to be absent in CRLs, enter the no enforcenextupdate command.
Step 9 If you specified LDAP as the retrieval protocol, perform the following steps:
a. Enter the following command to identify the LDAP server to the security appliance:
hostname/contexta(config-ca-crl)# ldap-defaults server
You can specify the server by DNS hostname or by IP address. You can also provide a port number
if the server listens for LDAP queries on a port other than the default of 389. For example, the
following command configures the security appliance to retrieve CRLs from an LDAP server whose
hostname is ldap1.
hostname/contexta(config-ca-crl)# ldap-defaults ldap1
Note If you use a hostname rather than an IP address to specify the LDAP server, be sure you have
configured the security appliance to use DNS. For information about configuring DNS, see
the dns commands in the Cisco Security Appliance Command Reference.
b. If the LDAP server requires credentials to permit CRL retrieval, enter the following command:
hostname/contexta(config-ca-crl)# ldap-dn admin-DN password
For example:
hostname/contexta(config-ca-crl)# ldap-dn cn=admin,ou=devtest,o=engineering c00lRunZ
Step 10 To test the CRL configuration for the current trustpoint, use the crypto ca crl request command. This
command retrieves the current CRL from the CA represented by the trustpoint you specify.
Step 11 Save the running configuration. Enter the write memory command.
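The following is an added example, not a configuration from the guide itself, showing the whole CRL-over-LDAP procedure for one trustpoint as it would be entered at the CLI. It includes the steps shown on this page (cache-time, enforcenextupdate, ldap-defaults, ldap-dn, crypto ca crl request, write memory) together with the earlier steps of the same procedure from this chapter (crypto ca trustpoint, revocation-check, crl configure, policy, url, protocol), which are not reproduced on this page. The trustpoint name CorpCA, the LDAP URL, the bind DN and the password are constructed placeholders; the LDAP server name ldap1 is the one used in the page's own example.

```cisco
! Added example (not from the configuration guide): CRL retrieval over LDAP
! for one trustpoint. CorpCA, the URL, the bind DN and the password are
! constructed placeholders; adjust the URL/DN to your CA's directory layout.
hostname/contexta(config)# crypto ca trustpoint CorpCA
hostname/contexta(ca-trustpoint)# revocation-check crl
hostname/contexta(ca-trustpoint)# crl configure
! Retrieve the CRL from a statically configured URL rather than trusting
! whatever CDP the presented certificate carries.
hostname/contexta(config-ca-crl)# policy static
hostname/contexta(config-ca-crl)# url 1 ldap://ldap1/cn=CorpCA,ou=pki,o=example?certificateRevocationList
hostname/contexta(config-ca-crl)# protocol ldap
! Step 7: cache a retrieved CRL for at most seven hours (420 minutes).
hostname/contexta(config-ca-crl)# cache-time 420
! Step 8: keep the default; a CRL with no NextUpdate field is rejected.
! "no enforcenextupdate" would accept such CRLs and is the weaker setting.
hostname/contexta(config-ca-crl)# enforcenextupdate
! Step 9a: LDAP server by hostname (DNS must be configured) on port 389.
hostname/contexta(config-ca-crl)# ldap-defaults ldap1 389
! Step 9b: bind credentials; use a dedicated read-only directory account.
hostname/contexta(config-ca-crl)# ldap-dn cn=crlreader,ou=pki,o=example R3adOnlyPass
hostname/contexta(config-ca-crl)# exit
hostname/contexta(ca-trustpoint)# exit
! Step 10: fetch the CRL now to confirm the server, DN and credentials work.
hostname/contexta(config)# crypto ca crl request CorpCA
! Step 11: persist the configuration.
hostname/contexta(config)# write memory
```

Because the ldap-dn password is typed on the command line and persists in the saved configuration, the account used for CRL retrieval should be a dedicated read-only directory account with no other privileges. Running crypto ca crl request before write memory also verifies that DNS resolution of the LDAP hostname, the bind credentials and the configured URL all work before the settings are saved.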
Exporting and Importing Trustpoints
You can export and import keypairs and issued certificates associated with a trustpoint configuration.
The security appliance supports PKCS12 format for the export and import of trustpoints.
This section includes the following topics:
Exporting a Trustpoint Configuration, page 39-15
Importing a Trustpoint Configuration, page 39-15