hit counter script

Cisco FirePOWER ASA 5500 series Configuration Manual page 758

Security appliance command line
Hide thumbs Also See for FirePOWER ASA 5500 series:
Table of Contents

Advertisement

Certificate Configuration
As needed, specify other characteristics for the trustpoint. The characteristics you need to define depend
Step 3
upon your CA and its configuration. You can specify characteristics for the trustpoint using the following
commands. Refer to the Cisco Security Appliance Command Reference for complete descriptions and
usage guidelines of these commands.
accept-subordinates—Indicates whether CA certificates subordinate to the CA associated with the
trustpoint are accepted if delivered during phase one IKE exchange when not previously installed
on the device.
crl required | optional | nocheck—Specifies CRL configuration options. When you enter the crl
command with the optional keyword included within the command statement, certificates from
peers can still be accepted by your security appliance even if the CRL is not accessible to your
security appliance.
Note
crl configure—Enters CRL configuration mode.
default enrollment—Returns all enrollment parameters to their system default values. Invocations
of this command do not become part of the active configuration.
email address—During enrollment, asks the CA to include the specified email address in the
Subject Alternative Name extension of the certificate.
enrollment retry period —(Optional) Specifies a retry period in minutes. This characteristic only
applies if you are using SCEP enrollment.
enrollment retry count—(Optional) Specifies a maximum number of permitted retries. This
characteristic only applies if you are using SCEP enrollment.
enrollment terminal—Specifies cut and paste enrollment with this trustpoint.
enrollment url URL—Specifies automatic enrollment (SCEP) to enroll with this trustpoint and
configures the enrollment URL.
fqdn fqdn—During enrollment, asks the CA to include the specified fully qualified domain name in
the Subject Alternative Name extension of the certificate.
id-cert-issuer—Indicates whether the system accepts peer certificates issued by the CA associated
with this trustpoint.
ip-address ip-address—During enrollment, asks the CA to include the IP address of the security
appliance in the certificate.
keypair name—Specifies the key pair whose public key is to be certified.
match certificate map—Configures OCSP URL overrides and trustpoints to use to validate OCSP
responder certificates
ocsp disable-nonce—Disable the nonce extension on an OCSP request; the nonce extension
cryptographically binds requests with responses to avoid replay attacks.
ocsp url—Configures an OCSP server for the security appliance to use to check all certificates
associated with a trustpoint rather than the server specified in the AIA extension of the client
certificate.
password string—Specifies a challenge phrase that is registered with the CA during enrollment.
The CA typically uses this phrase to authenticate a subsequent revocation request.
Cisco Security Appliance Command Line Configuration Guide
39-8
If you chose to enable required or optional CRL checking, be sure you configure the
trustpoint for CRL managemen2t, which should be completed after you have obtained
certificates. For details about configuring CRL management for a trustpoint, see the
"Configuring CRLs for a Trustpoint" section on page
Chapter 39
Configuring Certificates
39-13.
OL-10088-01

Hide quick links:

Advertisement

Table of Contents
loading

This manual is also suitable for:

Pix 500 seriesCisco asa 5500 series

Table of Contents