Chapter 39
Configuring Certificates
Certificate Configuration

• revocation-check—Sets one or more methods for revocation checking: CRL, OCSP, and none.
• subject-name X.500 name—During enrollment, asks the CA to include the specified subject DN in the certificate.
• serial-number—During enrollment, asks the CA to include the security appliance serial number in the certificate.
• support-user-cert-validation—If enabled, the configuration settings to validate a remote user certificate can be taken from this trustpoint, provided that this trustpoint is authenticated to the CA that issued the remote certificate.
• exit—Leaves the mode.

Step 4 Save the trustpoint configuration. To do so, save the running configuration by entering the write memory command.

Obtaining Certificates

The security appliance needs a CA certificate for each trustpoint and one or two certificates for itself, depending upon the configuration of the keys used by the trustpoint. If the trustpoint uses separate RSA keys for signing and encryption, the security appliance needs two certificates, one for each purpose. In other key configurations, only one certificate is needed.

The security appliance supports enrollment with SCEP and with manual enrollment, which lets you paste a base-64-encoded certificate directly into the terminal. For site-to-site VPNs, you must enroll each security appliance. For remote access VPNs, you must enroll each security appliance and each remote access VPN client.

This section includes the following topics:
• Obtaining Certificates with SCEP, page 39-9
• Obtaining Certificates Manually, page 39-11

Obtaining Certificates with SCEP

This procedure provides steps for configuring certificates using SCEP. Repeat these steps for each trustpoint you configure for automatic enrollment. When you have completed this procedure, the security appliance will have received a CA certificate for the trustpoint and one or two certificates for signing and encryption purposes. If you use general-purpose RSA keys, the certificate received is for signing and encryption. If you use separate RSA keys for signing and encryption, the security appliance receives separate certificates for each purpose.

Note Whether a trustpoint uses SCEP for obtaining certificates is determined by the use of the enrollment url command when you configure the trustpoint (see the "Configuring Trustpoints" section on page 39-7).

To obtain certificates with SCEP, perform the following steps:

Step 1 Obtain the CA certificate for the trustpoint you configured.
hostname/contexta(config)# crypto ca authenticate trustpoint
For example, using trustpoint named Main, which represents a subordinate CA:

Cisco Security Appliance Command Line Configuration Guide
OL-10088-01
39-9
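The trustpoint characteristics listed above, the save in Step 4, and the SCEP authentication in Step 1 can be seen together in the following configuration session. This is an added example, not an excerpt from the guide (the guide's own output for trustpoint Main continues on the next page); the trustpoint name Main and the commands are from the page, while the enrollment URL, the subject DN, and the CA's out-of-band fingerprint are assumed placeholders.

```cisco
! Added example (not from the guide). Values marked PLACEHOLDER are assumptions.
hostname/contexta(config)# crypto ca trustpoint Main
! The presence of "enrollment url" is what makes this trustpoint use SCEP.
! PLACEHOLDER URL: replace with your CA's SCEP endpoint.
hostname/contexta(config-ca-trustpoint)# enrollment url http://ca.example.com/certsrv/mscep/mscep.dll
! Check revocation with OCSP first, then fall back to the CRL. "none" is deliberately
! not listed, so a certificate is rejected when its revocation status cannot be determined.
hostname/contexta(config-ca-trustpoint)# revocation-check ocsp crl
! Ask the CA to include this subject DN (PLACEHOLDER) and the appliance serial number.
hostname/contexta(config-ca-trustpoint)# subject-name CN=asa1.example.com,OU=VPN,O=Example
hostname/contexta(config-ca-trustpoint)# serial-number
! Let remote-user certificate validation settings be taken from this trustpoint.
hostname/contexta(config-ca-trustpoint)# support-user-cert-validation
hostname/contexta(config-ca-trustpoint)# exit
! Step 4: save the trustpoint configuration.
hostname/contexta(config)# write memory
! Step 1 of SCEP enrollment: fetch the CA certificate for trustpoint Main.
! The appliance displays the received certificate's fingerprint and asks whether to
! accept it. Compare that value with the fingerprint obtained out of band from the CA
! operator (PLACEHOLDER: the value you were given) before answering yes; accepting an
! unverified CA certificate makes every certificate that CA issues trusted by this trustpoint.
hostname/contexta(config)# crypto ca authenticate Main
```

The revocation-check ordering is the setting most worth reviewing: the keywords are tried in the order listed, and ending the list with none turns an unreachable OCSP responder or CRL distribution point into a silent accept, which defeats the point of checking.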