Configuring the ASA as CA Server
Do you know how to configure the ASA as a CA server? The Cisco ASA can act as a Certificate Authority (CA) server and issue certificates to VPN clients or to other network devices.
The Cisco ASA only provides browser-based certificate enrollment.
Before proceeding with the configuration, make sure the time on your ASA is correct (show clock), or use an NTP server to synchronize the time across your network devices. Certificate validity periods and CRL lifetimes are computed from the ASA clock, so a wrong clock produces certificates that are not yet valid or already expired.
The CA server name cannot be specified, because only one instance of the Local CA server can run at a time.
Under crypto ca server configuration mode, the following options are available:
CA Server configuration commands:
- cdp-url: Specifies the certificate revocation list (CRL) distribution point to be included in the certificates issued by the CA.
- database: Specifies a path or location for the local CA database. The default location is flash memory.
- enrollment-retrieval: Specifies the time, in hours, during which an enrolled user can retrieve the PKCS12 enrollment file.
- issuer-name: Indicates that the rule entry is applied to the issuer DN of the IPsec peer certificate.
- keysize: Configures the size of the key pair generated for certificate enrollments by the local CA server.
- lifetime ca-certificate: Specifies the lifetime of the CA certificate.
- lifetime certificate: Specifies the lifetime of the user certificates.
- lifetime crl: Specifies the lifetime of the CRL.
- otp expiration: Specifies how long the one-time password (OTP) issued to an enrolling user remains valid.
- publish-crl: Makes the CRL available for download via HTTP on the specified interface.
- renewal-reminder: Specifies how long before CA certificate expiration the ASA notifies users by email.
- smtp from-address: Specifies the sender address of the notification emails that deliver the OTP and the enrollment invitations.
- smtp subject: Customizes the email subject.
- subject-name-default: Specifies an optional default subject-name DN.
Basic ASA configuration as CA server
ASDM -> Configuration -> Remote Access VPN -> Certificate Management - Local Certificate Authority
...
Equivalent CLI configuration:
ASA(config)# crypto ca server
ASA(config-ca-server)# lifetime ca-certificate 100
ASA(config-ca-server)# lifetime certificate 30
ASA(config-ca-server)# smtp from-address admin@cisco.com
ASA(config-ca-server)# smtp subject Certificate enrollment
ASA(config-ca-server)# keysize 2048
ASA(config-ca-server)# cdp-url http://cisco/+CSCOCA+/asa_ca.crl
ASA(config-ca-server)# subject-name-default CN=BoB, O=Cisco, C=US
ASA(config-ca-server)# no shutdown
Once the CA server has been enabled, no changes can be made to its configuration unless the server is shut down first. Review the settings (key size, lifetimes, CDP URL, sender address) before issuing no shutdown.
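Because the settings are frozen once the server is enabled, it is worth checking the block for weak or inconsistent values beforehand. The following Python script is an added example, not part of the original post and not Cisco code: it parses crypto ca server lines (from a running configuration or pasted from the CLI, prompt prefixes included) and applies a small local policy. The 2048-bit minimum key size is an assumed policy value, not an ASA default or requirement; the other checks are consistency checks (a user certificate must not outlive the CA certificate, a renewal reminder must fall before expiry, reminders need a sender address, and issued certificates should carry a CRL distribution point). Both configuration samples are constructed, the first being the page's own configuration.

```python
"""Lint an ASA 'crypto ca server' configuration block before 'no shutdown'.

Added example, not from the original post or from Cisco. It parses the CLI
lines shown on the page and applies a small local policy. The policy
thresholds (e.g. the 2048-bit minimum) are assumptions, not ASA defaults.
"""
import re
from urllib.parse import urlparse

# Constructed sample: the page's configuration as it appears in a running config.
PAGE_CONFIG = """
crypto ca server
 lifetime ca-certificate 100
 lifetime certificate 30
 smtp from-address admin@cisco.com
 smtp subject Certificate enrollment
 keysize 2048
 cdp-url http://cisco/+CSCOCA+/asa_ca.crl
 subject-name-default CN=BoB, O=Cisco, C=US
 no shutdown
"""

# Constructed sample with weaker and inconsistent choices, for contrast.
WEAK_CONFIG = """
crypto ca server
 lifetime ca-certificate 365
 lifetime certificate 730
 keysize 1024
 renewal-reminder 14
 no shutdown
"""

MIN_KEYSIZE = 2048  # assumed local policy, not an ASA requirement

# Keywords whose second word is part of the setting name (e.g. 'lifetime crl').
TWO_WORD_PREFIXES = ("lifetime", "smtp", "otp")
# Optional 'ASA(config-ca-server)# ' prompt in front of a pasted line.
PROMPT = re.compile(r"^\S+\(config[^)]*\)#\s*")


def parse_ca_server(text):
    """Return {setting name: value} for the lines of a crypto ca server block."""
    settings = {}
    for raw in text.splitlines():
        line = PROMPT.sub("", raw).strip()
        if not line or line.lower() == "crypto ca server":
            continue
        words = line.split(None, 2)
        key = words[0].lower()
        if key == "no" and len(words) > 1:           # e.g. 'no shutdown'
            settings["no " + words[1].lower()] = ""
        elif key in TWO_WORD_PREFIXES and len(words) > 1:
            settings[f"{key} {words[1].lower()}"] = words[2] if len(words) > 2 else ""
        else:                                         # rest of the line is the value
            settings[key] = line[len(words[0]):].strip()
    return settings


def _int(settings, key):
    """Integer value of a setting, or None when it is not configured."""
    value = settings.get(key)
    return int(value) if value is not None and value.isdigit() else None


def lint_ca_server(settings, min_keysize=MIN_KEYSIZE):
    """Return a list of findings; an empty list means the block passes the policy."""
    findings = []
    keysize = _int(settings, "keysize")
    if keysize is None:
        findings.append("keysize not set explicitly; verify the platform default meets policy")
    elif keysize < min_keysize:
        findings.append(f"keysize {keysize} is below the policy minimum of {min_keysize} bits")
    ca_days = _int(settings, "lifetime ca-certificate")
    cert_days = _int(settings, "lifetime certificate")
    # A user certificate that outlives the CA certificate fails chain validation
    # as soon as the CA certificate expires.
    if ca_days is not None and cert_days is not None and cert_days > ca_days:
        findings.append(f"lifetime certificate {cert_days} days exceeds "
                        f"lifetime ca-certificate {ca_days} days")
    reminder = _int(settings, "renewal-reminder")
    if reminder is not None:
        if cert_days is not None and reminder >= cert_days:
            findings.append(f"renewal-reminder {reminder} days is not shorter than "
                            f"lifetime certificate {cert_days} days")
        if "smtp from-address" not in settings:
            findings.append("renewal-reminder configured but no smtp from-address "
                            "to send the notification emails from")
    cdp = settings.get("cdp-url")
    if not cdp:
        findings.append("no cdp-url: issued certificates will carry no CRL distribution point")
    else:
        parsed = urlparse(cdp)
        if parsed.scheme != "http" or not parsed.netloc:
            findings.append(f"cdp-url {cdp!r} is not an http:// URL with a host")
    return findings


if __name__ == "__main__":
    for name, cfg in (("page config", PAGE_CONFIG), ("weak config", WEAK_CONFIG)):
        findings = lint_ca_server(parse_ca_server(cfg))
        print(f"{name}: {'OK' if not findings else str(len(findings)) + ' finding(s)'}")
        for finding in findings:
            print("  -", finding)
```

Run against the page's block the lint reports nothing; against the weak sample it flags the 1024-bit key, the user certificate lifetime that exceeds the CA certificate lifetime, the reminder without a sender address, and the missing CDP URL. Extend lint_ca_server with whatever your own PKI policy requires (for example a maximum lifetime crl in hours).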
Show and debug commands:
- debug crypto ca server
- show crypto ca server
- show crypto ca server cert-db
More information: http://www.cisco.com/c/en/us/td/docs/security/asa/asa81/config/guide/config/cert_cfg.html
Original guide: https://supportforums.cisco.com/document/12597006/how-configure-asa-ca-server