Cisco Security Appliance Command Line Configuration Guide
Chapter 33 Configuring Certificates
Local Certificate Authority
CA Server Key Size
The CA Key Size parameter is the size of the key pair used for the server certificate generated for the Local CA
server. Key size can be 512, 768, 1024, or 2048 bits per key. The default size is 1024 bits per key. Note that
512-, 768-, and 1024-bit RSA keys are below current minimum strengths (NIST SP 800-131A disallows 1024-bit RSA
keys for signature generation), so 2048 bits is the appropriate choice for a CA key unless legacy clients
require otherwise.
Client Key Size
The Key Size field specifies the size of the key pair to be generated for each user certificate issued by
the Local CA server. Key size can be 512, 768, 1024, or 2048 bits per key. The default size is 1024 bits
per key; as with the server key, 2048 bits is the appropriate choice for new deployments.
CA Certificate Lifetime
The CA Certificate Lifetime field specifies the length of time in days that the CA server certificate is
valid. The default for the CA Certificate is 3650 days (10 years).
The Local CA server automatically generates a replacement CA certificate 30 days before the current CA
certificate expires. The replacement certificate can then be exported and imported onto any other devices
that validate user certificates issued by the Local CA, so that validation continues after the old CA
certificate expires. The pre-expiration syslog message is:
%ASA-1-717049: Local CA Server certificate is due to expire in <days> days and a replacement certificate is available for export.
Note When notified of this automatic rollover, the administrator must take action to ensure the new Local CA
certificate is imported to all necessary devices prior to expiration.
Client Certificate Lifetime
The Client Certificate Lifetime field specifies the length of time in days that a user certificate issued
by the CA server is valid. The default for the client certificate is 365 days (one year).
SMTP Server & Email Settings
To set up e-mail access for the Local CA server, you configure the Simple Mail Transfer Protocol
(SMTP) e-mail server, the e-mail address from which to send e-mails to Local CA users, and a standard
subject line for Local CA e-mails.
• Server IP Address - The Server IP Address field requires the Local CA e-mail server’s IP address.
There is no default for the server IP address; you must supply the SMTP mail server IP address.
• From Address - The From Address field requires an e-mail address from which to send e-mails to
Local CA users. Automatic e-mail messages carry one-time passwords to newly enrolled users and
notify users when certificates need to be renewed or updated. There is no From Address default
value; you are required to supply an e-mail address in adminname@host.com format.
• Subject - The Subject field is a line of text specifying the subject line in all e-mails sent to users by
the Local CA server. If you do not specify a subject, the default inserted by the Local CA server
is “Certificate Enrollment Invitation”.
More Local CA Configuration Options
CRL Distribution Point URL
The Certificate Revocation List (CRL) Distribution Point (CDP) is the location of the CRL on the security
appliance. The default CRL DP location is http://hostname.domain/+CSCOCA+/asa_ca.crl. Because this URL is
written into the CDP extension of every certificate the Local CA issues, it must be reachable from the
devices that will check those certificates for revocation.
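The parameters described above, assembled into one Local CA server configuration, as an added example; it is not a configuration taken from the Cisco guide. The hostname asa1, the domain example.com, the SMTP relay 192.0.2.25, the from-address ca-admin@example.com, the issuer name and the user alice are illustrative assumptions; the command names are the ASA Local CA commands that the guide's ASDM fields map to. The weak default key size is shown beside the stronger setting so the change of intent is visible in the saved configuration.

```text
! Added example, not from the Cisco guide. Hostname, domain, addresses,
! issuer name and the user entry are illustrative assumptions.
hostname asa1
domain-name example.com

! Global SMTP relay used by the Local CA for OTP and renewal e-mails.
! There is no default; an address must be supplied.
smtp-server 192.0.2.25

crypto ca server
 ! Key sizes: the default for both server and client keys is 1024 bits,
 ! i.e. "keysize server 1024" / "keysize 1024". 512/768/1024-bit RSA is
 ! below current minimums (NIST SP 800-131A), so both are raised to 2048.
 keysize server 2048
 keysize 2048
 ! Lifetimes in days. These equal the guide's defaults (10 years for the
 ! CA certificate, 1 year for user certificates), written out explicitly.
 lifetime ca-certificate 3650
 lifetime certificate 365
 ! CRL validity in hours; peers re-fetch the CRL from the CDP after this.
 lifetime crl 6
 ! Hours for which an issued one-time password stays valid.
 otp expiration 72
 ! From address and subject for all Local CA e-mails.
 smtp from-address ca-admin@example.com
 smtp subject "Certificate Enrollment Invitation"
 ! Explicit CDP URL. It is embedded in every issued certificate, so it
 ! must be resolvable and reachable from the peers that validate them.
 cdp-url http://asa1.example.com/+CSCOCA+/asa_ca.crl
 issuer-name CN=asa1-local-ca,O=Example
 ! Enabling the server generates the CA key pair and self-signed CA
 ! certificate; the appliance prompts for a passphrase that protects
 ! the key pair archive (assumed behaviour, not shown in the guide).
 no shutdown

! Enrol a user: "add" creates the record; "allow" permits enrollment and
! triggers the OTP e-mail sent via smtp-server from the from-address.
crypto ca server user-db add alice dn "CN=alice,OU=Eng,O=Example" email alice@example.com
crypto ca server user-db allow alice
```

After `no shutdown`, `show crypto ca server` reports the server state and the configured lifetimes and key sizes, and `show crypto ca server certificate` displays the CA certificate in a form that can be copied onto the other devices that must trust it; the same export step is what the %ASA-1-717049 rollover message asks for 30 days before expiry.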