Do you know how to configure the ASA as CA Server? You know the Cisco ASA can act as a Certificate Authority server an issue certificates to the VPN clients or other network devices.
The Cisco ASA only provides browser-based certificate enrollment.
Before to proceed with the configuration, make sure the time on your ASA is correct (Show clock) or use a NTP server to synchronize the time across your network devices.
We cannot specify the CA server name, because you can only have one instance of Local CA server running at the same time.
Under the Crypto ca server mode, we have multiple options explained as follows:
CA Server configuration commands:
- CDP-URL: Specifies the certificate revocation list distribution point to be included in the certificates issued by the CA.
- Database: Specifies a path or location for the local CA database. The default location is flash memory.
- Enrollment-retrieval: Specifies the time in hours that an enrolled user can retrieve a PKCS12 enrollment file.
- Issuer-name: Indicates that rule entry is applied to the issuer DN of the IPSec peer certificate.
- Keysize: Configure the size of keypair to generate for certificate enrollments for the local CA server.
- Lifetime CA-certificate: Specify the lifetime for the CA certificate.
- Lifetime certificate: Specify the lifetime for the user certificate.
- Lifetime CRL: Specify the lifetime for the CRL.
- OTP expiration: Specify the lifetime for the OTP expiration.
- Publish-CRL: Make the CRL available for download via HTTP on the specified interface.
- Renewal-reminder: Specify the time prior the CA certificate expiration, the ASA will notify the users via email.
- SMTP from address: Specify the email from which the notification will be sent to deliver the OTP password and enrollment invitations.
- SMTP subject: Customize the email subject.
- Subject-name-default: Specify an optional SUBJECT-NAME DN.
Basic ASA configuration as CA server
ASDM -> Configuration -> Remote Access VPN -> Certificate Management - Local Certificate Authority
Equivalent CLI configuration.
ASA(config)# Crypto ca server
ASA(config-ca-server)# lifetime ca-certificate 100 ASA(config-ca-server)# lifetime certificate 30 ASA(config-ca-server)# smtp from-address email@example.com ASA(config-ca-server)# smtp subject Certificate enrollment ASA(config-ca-server)# keysize 2048 ASA(config-ca-server)# cdp-url http://cisco/+CSCOCA+/asa_ca.crl ASA(config-ca-server)# subject-name-default CN=BoB , O=Cisco, C= US ASA(config-ca-server)# no shutdown
Once the CA server has been enabled , we cannot do any modification to the configuration unless we shutdown the server.
Show and debugs commands:
- Debug crypto ca server
- Show crypto ca server
- Show crypto ca server cert-db
More information http://www.cisco.com/c/en/us/td/docs/security/asa/asa81/config/guide/config/cert_cfg.html
Original Guide From https://supportforums.cisco.com/document/12597006/how-configure-asa-ca-server
More Cisco and Network Guide
We talked about the Cisco Transceiver Modules a lot before, such as the S-Class Optics vs. Non-S-Class Optics, the CVR-X2-SFP10G & CVR-X2-SFP10G=, and the Cisco 10GBASE X2 Module & SFP Compatibility.
These are all the popular questions asked by customers. Here in this article we will continue to share the Cisco 6807-XL Slots issue put forwarded by Cisco users. What did they discuss about that? Let’s see the details…
The Question: “I want to choose 6807-XL as a core switch in my project, but I have question! Can I use 6 cards as a module and 1 as SUP 2T or I must use 5 Slots for modules cards?? Because I need One SUP 2T and I want to use the rest of 6 slots for module cards, Can I do that?”
…The pinouts between the module slots and sup slots are different. So slots 5 and 6 are reserved for sups and can't be used with regular modules.
So is there any model more than 7 slots from 6800 series?
Another Question: “There is a difference between X2-10GB-SR= and SFP-10G-SR= because I want to replace the WS-X6816-10G-2T card with C6800-32P10G-XL which can carry 32 ports 10G with One card so I can save one slot! Can I do that?”
…The Cisco 6807 is the larger chassis you can get on the 6800 series. As for 16 port 10Gig vs. 32 port 10Gig, you can defiantly use the 32 port 10gig module to solve the issue if not having enough slots for all your 10Gig interfaces. Also, you can enable VSS on the 6800 series to give you the redundancy you need without using HSRP/VRRP, etc...
“And but 16port 10Gig uses Pluggable transceivers X2-10GB-SR= and 32port 10Gig uses Pluggable transceivers SFP-10G-SR=?! Is there any difference between them? Or both them the same!”
You need the 16 port 10Gig SFP+ or the 32 port 10Gig SFP+
See this link for part numbers and descriptions:
C6800-16P10G, a 16-port 10-Gigabit Ethernet Fiber Module with DFC4, and C6800-16P10G-XL, a16-port 10-Gigabit Ethernet Fiber Module with DFC4XL
C6800-32P10G, a 32-port 10-Gigabit Ethernet Fiber Module with DFC4, and C6800-32P10G-XL, a 32-port 10-Gigabit Ethernet Fiber Module with DFC4XL
The difference between WS-X6816-10G-2T card and C6800-32P10G-XL?
X2 and SFP are different form factors. On some of these, you CAN get a twinGig adapter to convert an X2 into multiple SFP ports, but I don't think these can be 10G SFP+ (although it may be possible on the newer modules).
There shouldn't be a performance difference between SFP+ or X2. However, check the capability of the line card / chassis backplane - if you have 16 10G ports, make sure the line card plugged into supports what you expect. Remember, if all ports are 10G running flat out, your total backplane for that line card is 160G, unless it's between servers in the same VLAN connected to the same blade.
The original discussion from https://supportforums.cisco.com/discussion/12736701/6807-xl-slots-issue
What’s your opinion about the Cisco 6807-XL Slots issue? Welcome to share with us here…