rvarelac

The ASA can act as a Certificate Authority (CA) server and issue certificates to VPN clients or other network devices.

The ASA only provides browser-based certificate enrollment.


Before proceeding with the configuration, make sure the time on your ASA is correct (show clock), or use an NTP server to synchronize the time across your network devices; certificate validity periods are computed from the ASA clock.


We cannot specify a CA server name, because only one instance of the Local CA server can run at a time.

Under the crypto ca server mode we have multiple options, explained as follows:

CA Server configuration commands:

  • cdp-url: Specifies the certificate revocation list distribution point to be included in the certificates issued by the CA.
  • database: Specifies a path or location for the local CA database. The default location is flash memory.
  • enrollment-retrieval: Specifies the time in hours during which an enrolled user can retrieve a PKCS12 enrollment file.
  • issuer-name: Indicates that the rule entry is applied to the issuer DN of the IPsec peer certificate.
  • keysize: Configures the size of the key pair generated for certificate enrollments on the local CA server.
  • lifetime ca-certificate: Specifies the lifetime of the CA certificate.
  • lifetime certificate: Specifies the lifetime of the user certificates.
  • lifetime crl: Specifies the lifetime of the CRL.
  • otp expiration: Specifies the lifetime of the one-time password (OTP).
  • publish-crl: Makes the CRL available for download via HTTP on the specified interface.
  • renewal-reminder: Specifies how long before the CA certificate expires the ASA notifies users via email.
  • smtp from-address: Specifies the email address from which notifications are sent to deliver the OTP password and enrollment invitations.
  • smtp subject: Customizes the email subject.
  • subject-name-default: Specifies an optional default subject-name DN.

Basic ASA configuration as CA server 

ASDM  -> Configuration -> Remote Access VPN -> Certificate Management - Local Certificate Authority 

Equivalent CLI configuration. 

ASA(config)# crypto ca server

ASA(config-ca-server)# lifetime ca-certificate 100
ASA(config-ca-server)# lifetime certificate 30
ASA(config-ca-server)# smtp from-address admin@cisco.com
ASA(config-ca-server)# smtp subject Certificate enrollment
ASA(config-ca-server)# keysize 2048
ASA(config-ca-server)# cdp-url http://cisco/+CSCOCA+/asa_ca.crl
ASA(config-ca-server)# subject-name-default CN=BoB, O=Cisco, C=US
ASA(config-ca-server)# no shutdown

Once the CA server has been enabled, no changes can be made to its configuration unless the server is shut down first.
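Because the settings are locked as soon as the server is enabled, it is worth checking the crypto ca server block before issuing no shutdown. The following script is an added example, not a Cisco tool or part of the original post: it parses the crypto ca server submode out of a running-config text and flags settings a practitioner would want to review (key size below 2048 bits, user certificate lifetime longer than the CA certificate lifetime, no cdp-url or publish-crl so relying parties cannot locate or fetch the CRL). The two configurations embedded in it are constructed samples; the hardened one reuses the values shown above plus an assumed publish-crl outside line, and the 2048-bit threshold is a policy choice of this example, not an ASA default.

```python
"""Lint the 'crypto ca server' block of an ASA running-config.

Added example (not Cisco code): inspects configuration text only.
Lifetimes for the CA certificate and user certificates are in days.
"""
from typing import Dict, List, Tuple

MIN_KEYSIZE = 2048  # policy threshold chosen for this example

# Constructed sample: a weak local CA configuration.
WEAK_CONFIG = """\
hostname ASA
crypto ca server
 keysize 1024
 lifetime ca-certificate 100
 lifetime certificate 365
 smtp from-address admin@cisco.com
 no shutdown
ntp server 192.0.2.10
"""

# Constructed sample using the values from the post; 'publish-crl outside' is assumed.
HARDENED_CONFIG = """\
hostname ASA
crypto ca server
 keysize 2048
 lifetime ca-certificate 100
 lifetime certificate 30
 smtp from-address admin@cisco.com
 smtp subject Certificate enrollment
 cdp-url http://cisco/+CSCOCA+/asa_ca.crl
 publish-crl outside
 subject-name-default CN=BoB, O=Cisco, C=US
 no shutdown
ntp server 192.0.2.10
"""

# Commands whose keyword is two words long (e.g. 'lifetime certificate').
TWO_WORD_KEYWORDS = {"lifetime", "smtp", "otp", "no"}


def _split_command(line: str) -> Tuple[str, str]:
    """Split one submode line into (lower-cased keyword, remaining argument)."""
    words = line.split(None, 2)
    if words[0].lower() in TWO_WORD_KEYWORDS and len(words) >= 2:
        key = f"{words[0]} {words[1]}".lower()
        arg = words[2] if len(words) > 2 else ""
    else:
        key = words[0].lower()
        arg = line[len(words[0]):].strip()
    return key, arg


def extract_ca_server_block(config: str) -> Dict[str, str]:
    """Return the indented lines under 'crypto ca server' as keyword -> argument."""
    block: Dict[str, str] = {}
    in_block = False
    for raw in config.splitlines():
        if not in_block:
            in_block = raw.strip().lower() == "crypto ca server"
            continue
        if not raw.startswith(" "):  # next top-level command ends the submode
            break
        line = raw.strip()
        if line:
            key, arg = _split_command(line)
            block[key] = arg
    return block


def lint_local_ca(config: str) -> List[str]:
    """Return findings for the local CA configuration; an empty list means none."""
    ca = extract_ca_server_block(config)
    if not ca:
        return ["no 'crypto ca server' block found"]
    findings: List[str] = []

    if "keysize" not in ca:
        findings.append("keysize not set; verify the platform default meets policy")
    elif int(ca["keysize"]) < MIN_KEYSIZE:
        findings.append(f"keysize {ca['keysize']} is below {MIN_KEYSIZE} bits")

    ca_life, cert_life = ca.get("lifetime ca-certificate"), ca.get("lifetime certificate")
    if ca_life and cert_life and int(cert_life) > int(ca_life):
        findings.append(f"lifetime certificate ({cert_life} d) exceeds lifetime "
                        f"ca-certificate ({ca_life} d); issued certificates would outlive the CA")

    if "cdp-url" not in ca:
        findings.append("cdp-url missing; issued certificates carry no CRL distribution point")
    if "publish-crl" not in ca:
        findings.append("publish-crl missing; the CRL is not served over HTTP")

    # Settings are locked once enabled, so flag an enabled server that still has findings.
    if findings and "no shutdown" in ca:
        findings.append("server is enabled ('no shutdown'); shut it down before changing settings")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, lint_local_ca(cfg) or "no findings")
```

Run it against the output of show running-config crypto ca server saved to a file; the hardened sample produces no findings, while the weak sample reports the small key, the user-certificate lifetime exceeding the CA lifetime, the missing CRL settings, and the fact that the server is already enabled.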

Show and debug commands:

  • debug crypto ca server
  • show crypto ca server
  • show crypto ca server cert-db

More information

http://www.cisco.com/c/en/us/td/docs/security/asa/asa81/config/guide/config/cert_cfg.html

Hope it helps

- Randy - 
