The ASA can act as a Certificate Authority server and issue certificates to VPN clients or other network devices.
The ASA only provides browser-based certificate enrollment.
Before proceeding with the configuration, make sure the time on your ASA is correct (show clock) or use an NTP server to synchronize the time across your network devices.
We cannot specify a CA server name, because only one instance of the Local CA server can run at a time.
Under crypto ca server mode, the available options are explained as follows:
CA Server configuration commands:
- CDP-URL: Specifies the certificate revocation list distribution point to be included in the certificates issued by the CA.
- Database: Specifies a path or location for the local CA database. The default location is flash memory.
- Enrollment-retrieval: Specifies the time in hours during which an enrolled user can retrieve a PKCS12 enrollment file.
- Issuer-name: Indicates that the rule entry is applied to the issuer DN of the IPsec peer certificate.
- Keysize: Configures the size of the keypair generated for certificate enrollments on the local CA server.
- Lifetime CA-certificate: Specifies the lifetime of the CA certificate.
- Lifetime certificate: Specifies the lifetime of the user certificates.
- Lifetime CRL: Specifies the lifetime of the CRL.
- OTP expiration: Specifies the lifetime of the one-time password (OTP).
- Publish-CRL: Makes the CRL available for download via HTTP on the specified interface.
- Renewal-reminder: Specifies the time prior to the CA certificate expiration at which the ASA will notify the users via email.
- SMTP from-address: Specifies the email address from which the notifications carrying the OTP password and enrollment invitations are sent.
- SMTP subject: Customizes the email subject.
- Subject-name-default: Specifies an optional default subject-name DN.
Basic ASA configuration as CA server
ASDM -> Configuration -> Remote Access VPN -> Certificate Management - Local Certificate Authority
Equivalent CLI configuration:
ASA(config)# crypto ca server
ASA(config-ca-server)# lifetime ca-certificate 100
ASA(config-ca-server)# lifetime certificate 30
ASA(config-ca-server)# smtp from-address admin@cisco.com
ASA(config-ca-server)# smtp subject Certificate enrollment
ASA(config-ca-server)# keysize 2048
ASA(config-ca-server)# cdp-url http://cisco/+CSCOCA+/asa_ca.crl
ASA(config-ca-server)# subject-name-default CN=BoB, O=Cisco, C=US
ASA(config-ca-server)# no shutdown
Once the CA server has been enabled, no changes can be made to its configuration until the server is shut down again.
Show and debug commands:
- debug crypto ca server
- show crypto ca server
- show crypto ca server cert-db
More information:
http://www.cisco.com/c/en/us/td/docs/security/asa/asa81/config/guide/config/cert_cfg.html
Hope it helps
- Randy -