Adding a Trusted CA Certificate Object

Obtain a trusted CA certificate from an external certificate authority, or create one using your own internal CA, for example, with OpenSSL tools. You can upload a file encoded in one of the following supported formats:

  • Distinguished Encoding Rules (DER)

  • Privacy-enhanced Electronic Mail (PEM)

Procedure

Step 1

In the left pane, click Objects.

Step 2

Click and select ASA > Trustpoints.

Step 3

Enter an Object Name for the certificate. The name is used in the configuration as an object name only; it does not become part of the certificate itself.

Step 4

In the Certificate Type step, select Trusted CA Certificate.

Step 5

In the Certificate Contents step, paste the certificate contents in the text box or upload the CA certificate file as explained in the wizard.

Step 6

Click Continue. The wizard advances to step 4.

The certificate must follow these guidelines:

  • The name of the server in the certificate must match the server Hostname / IP Address. For example, if you use 10.10.10.250 as the IP address but ad.example.com in the certificate, the connection fails.

  • The certificate must be an X509 certificate in PEM or DER format.

  • The certificate you paste must include the BEGIN CERTIFICATE and END CERTIFICATE lines. For example:

    -----BEGIN CERTIFICATE-----
    MIIFgTCCA2mgAwIBAgIJANvdcLnabFGYMA0GCSqGSIb3DQEBCwUAMFcxCzAJBgNV
    BAYTAlVTMQswCQYDVQQIDAJUWDEPMA0GA1UEBwwGYXVzdGluMRQwEgYDVQQKDAsx
    OTIuMTY4LjEuMTEUMBIGA1UEAwwLMTkyLjE2OC4xLjEwHhcNMTYxMDI3MjIzNDE3
    WhcNMTcxMDI3MjIzNDE3WjBXMQswCQYDVQQGEwJVUzELMAkGA1UECAwCVFgxDzAN
    BgNVBAcMBmF1c3RpbjEUMBIGA1UECgwLMTkyLjE2OC4xLjExFDASBgNVBAMMCzE5
    Mi4xNjguMS4xMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA5NceYwtP
    ES6Ve+S9z7WLKGX5JlF58AvH82GPkOQdrixn3FZeWLQapTpJZt/vgtAI2FZIK31h
    (...20 lines removed...)
    hbr6HOgKlOwXbRvOdksTzTEzVUqbgxt5Lwupg3b2ebQhWJz4BZvMsZX9etveEXDh
    PY184V3yeSeYjbSCF5rP71fObG9Iu6+u4EfHp/NQv9s9dN5PMffXKieqpuN20Ojv
    2b1sfOydf4GMUKLBUMkhQnip6+3W
    -----END CERTIFICATE-----

Step 7

In the Advanced Options step, you can configure the following on the Revocation tab:

  • Enable Certificate Revocation Lists (CRL) — Check to enable CRL checking.

    By default, the Use CRL distribution point from the certificate check box is selected, so the distribution URL for the revocation list is taken from the certificate itself.

    Cache Refresh Time (in minutes) — Enter the number of minutes between cache refreshes. The default is 60 minutes; the range is 1-1440 minutes.

    To avoid retrieving the same CRL from a CA repeatedly, the ASA can store retrieved CRLs locally; this is called CRL caching. The CRL cache capacity varies by platform and is cumulative across all contexts. If caching a newly retrieved CRL would exceed the storage limit, the ASA removes the least recently used CRL until enough space becomes available.

  • Enable Online Certificate Status Protocol (OCSP) — Check to enable OCSP checking.

    OCSP Server URL — The URL of the OCSP server to query for revocation status if you require OCSP checks. The URL must start with http://.

    Disable Nonce Extension — Check box controlling the nonce extension, which cryptographically binds an OCSP request to its response to prevent replay attacks: the nonce in the request must match the nonce in the response. Uncheck the Disable Nonce Extension check box if the OCSP server you are using sends pregenerated responses that do not include this matching nonce extension.

    Evaluation Priority — Specify whether the revocation status of a certificate is evaluated first by CRL or by OCSP.

  • Consider the certificate valid if revocation information cannot be reached — Select this check box to treat the certificate as valid when its revocation information is unreachable.

    For more information on revocation checking, see the "Digital Certificates" chapter in the "Basic Settings" book of the Cisco ASA Series General Operations ASDM Configuration, X.Y document.
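The CRL cache, refresh time, evaluation priority and "consider valid if revocation information cannot be reached" behaviour described above, modelled as an added Python example. This is not Cisco code and does not reproduce the ASA's actual storage accounting; the per-entry size, URLs and serial numbers are constructed for the demonstration.

```python
"""Model of the Revocation tab settings: a size-capped CRL cache with LRU eviction and a
refresh interval, CRL/OCSP evaluation order, and the fail-open option. Added example;
sizes, URLs and serial numbers are constructed."""
from collections import OrderedDict

BYTES_PER_ENTRY = 20  # constructed approximation of one revoked-serial record


class CrlCache:
    """Keeps fetched CRLs until the refresh time elapses; evicts least recently used on overflow."""

    def __init__(self, capacity_bytes, refresh_minutes=60):
        if not 1 <= refresh_minutes <= 1440:  # the page's allowed range
            raise ValueError("Cache Refresh Time must be 1-1440 minutes")
        self.capacity = capacity_bytes
        self.refresh_seconds = refresh_minutes * 60
        self._entries = OrderedDict()  # url -> (fetched_at, set of revoked serials)
        self._size = 0

    def urls(self):
        """Cached CRL URLs, least recently used first."""
        return list(self._entries)

    def get(self, url, now, fetch):
        """Revoked serials for this distribution point, refetching when missing or stale."""
        entry = self._entries.get(url)
        if entry and now - entry[0] < self.refresh_seconds:
            self._entries.move_to_end(url)  # cache hit: mark as most recently used
            return entry[1]
        serials = fetch(url)  # raises when the distribution point is unreachable
        if entry:  # stale copy: drop it before accounting for the new one
            self._size -= len(entry[1]) * BYTES_PER_ENTRY
            del self._entries[url]
        needed = len(serials) * BYTES_PER_ENTRY
        while self._entries and self._size + needed > self.capacity:
            _, (_, old) = self._entries.popitem(last=False)  # evict least recently used
            self._size -= len(old) * BYTES_PER_ENTRY
        self._entries[url] = (now, serials)
        self._size += needed
        return serials


def revocation_status(cert, now, cache, fetch_crl, query_ocsp,
                      order=("crl", "ocsp"), fail_open=False):
    """'good' or 'revoked' from the first reachable method in `order`; 'unknown' when none is
    reachable, unless fail_open (the 'consider the certificate valid' option) is set."""
    for method in order:
        try:
            if method == "crl" and cert.get("cdp"):
                revoked = cache.get(cert["cdp"], now, fetch_crl)
                return "revoked" if cert["serial"] in revoked else "good"
            if method == "ocsp" and cert.get("ocsp"):
                return query_ocsp(cert["ocsp"], cert["serial"])
        except ConnectionError:
            continue  # this source is unreachable; try the next one
    return "good" if fail_open else "unknown"


def demo():
    """Constructed scenario: three CRL distribution points, a cache that holds two entries."""
    a, b, c = ("http://crl.example.test/%s.crl" % n for n in "abc")
    crl_db = {a: {0x1001}, b: {0x2001}, c: {0x3001}}
    calls = []

    def fetch_crl(url):
        if url not in crl_db:
            raise ConnectionError(url)
        calls.append(url)
        return set(crl_db[url])

    def query_ocsp(url, serial):
        raise ConnectionError(url)  # constructed: the OCSP responder is down

    cache = CrlCache(capacity_bytes=2 * BYTES_PER_ENTRY, refresh_minutes=60)

    def check(cert, now, **kw):
        return revocation_status(cert, now, cache, fetch_crl, query_ocsp, **kw)

    out = {}
    out["revoked"] = check({"serial": 0x1001, "cdp": a}, now=0)       # fetches a
    out["cached"] = check({"serial": 0x1002, "cdp": a}, now=60)       # cache hit, no fetch
    out["refreshed"] = check({"serial": 0x1002, "cdp": a}, now=3600)  # stale: refetch
    check({"serial": 0x2002, "cdp": b}, now=3600)                     # fetches b (cache: a, b)
    check({"serial": 0x3002, "cdp": c}, now=3600)                     # fetches c, evicts a
    out["after_eviction"] = cache.urls()
    offline = {"serial": 0x4001, "cdp": "http://crl.offline.test/x.crl",
               "ocsp": "http://ocsp.offline.test"}
    out["unreachable"] = check(offline, now=3600)
    out["fail_open"] = check(offline, now=3600, fail_open=True)
    out["fetches"] = len(calls)
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

With `fail_open` set, a certificate whose CRL distribution point and OCSP responder are both unreachable is reported as good, so the option trades the assurance of revocation checking for availability; the default (unset) returns "unknown" and the connection is rejected.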

Click the Others tab:

  • Use CA Certificate for the Validation of — Specify the type of connections that can be validated by this CA.

    • IPSec Client — Validates certificates presented by remote SSL servers.

    • SSL Client — Validates certificates presented by incoming SSL connections.

    • SSL Server — Validates certificates presented by incoming IPSec connections.

  • Other Options:

    • Enable CA flag in basic constraints extension — Select this option to validate, using the basic constraints extension, that the subject of the certificate is a CA.

    • Accept certificates issued by this CA — Select this option to indicate that the ASA should accept certificates from the specified CA.

    • Accept certificates issued by the subordinate CAs of this CA — Select this option to indicate that the ASA should accept certificates from the subordinate CAs of this CA.

    • Ignore IPSec Key Usage — Select this option if you do not want to validate the values in the key usage and extended key usage extensions of IPsec remote client certificates; it suppresses key usage checking on IPsec client certificates. By default, this option is not enabled.

Step 8

Click Add.

This creates a trustpoint certificate object.
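As an added example (not part of this page or the Cisco product), the following Python checks a CA certificate file against the wizard's guidelines above and the "Enable CA flag in basic constraints extension" option: it accepts PEM or DER, normalizes to PEM with the BEGIN/END CERTIFICATE lines, and reads the Basic Constraints cA flag by walking the DER with only the standard library. The sample certificate it builds is a constructed skeleton with placeholder names, key and signature, not a real certificate.

```python
"""Pre-upload check for a trusted CA certificate file (added example, standard library only):
accept PEM or DER, normalize to PEM with BEGIN/END CERTIFICATE lines, and read the Basic
Constraints cA flag. The sample certificate built below is a constructed skeleton."""
import base64
import re

PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)
OID_BASIC_CONSTRAINTS = bytes.fromhex("551d13")          # 2.5.29.19
OID_SHA256_RSA = bytes.fromhex("2a864886f70d01010b")     # 1.2.840.113549.1.1.11 (sample only)


def to_der(data: bytes) -> bytes:
    """Return DER bytes from a PEM or DER file; reject anything else."""
    m = PEM_RE.search(data)
    if m:
        return base64.b64decode(b"".join(m.group(1).split()))
    if data[:1] == b"\x30":  # a raw DER file starts with the SEQUENCE tag
        return data
    raise ValueError("neither PEM with BEGIN/END CERTIFICATE lines nor DER")


def to_pem(der_bytes: bytes) -> str:
    """Wrap DER as PEM, 64 characters per line, for the wizard's text box."""
    b64 = base64.b64encode(der_bytes).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % body


def tlv(buf: bytes, pos: int = 0):
    """Decode one DER TLV at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def children(buf: bytes):
    """All (tag, value) pairs directly inside a constructed DER value."""
    out, pos = [], 0
    while pos < len(buf):
        tag, val, pos = tlv(buf, pos)
        out.append((tag, val))
    return out


def ca_flag(der_bytes: bytes):
    """True/False for the Basic Constraints cA bit; None if the extension is absent."""
    _, cert, _ = tlv(der_bytes)                          # Certificate ::= SEQUENCE
    tbs = children(cert)[0][1]                           # tbsCertificate
    exts = [v for t, v in children(tbs) if t == 0xA3]    # [3] EXPLICIT Extensions
    if not exts:
        return None
    for _, ext in children(children(exts[0])[0][1]):     # SEQUENCE OF Extension
        parts = children(ext)                            # extnID, [critical], extnValue
        if parts[0][1] != OID_BASIC_CONSTRAINTS:
            continue
        inner = children(children(parts[-1][1])[0][1])   # BasicConstraints SEQUENCE
        return any(t == 0x01 and v != b"\x00" for t, v in inner)  # cA DEFAULT FALSE
    return None


def check_ca_file(data: bytes) -> dict:
    """Normalized PEM text plus the cA flag, for a file about to be uploaded."""
    der_bytes = to_der(data)
    return {"pem": to_pem(der_bytes), "ca": ca_flag(der_bytes)}


def der(tag: int, content: bytes) -> bytes:
    """Minimal DER encoder, used only to build the constructed sample."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def sample_certificate(ca: bool) -> bytes:
    """Constructed, unsigned X.509v3 skeleton with placeholder names, key and signature.
    It has the nesting the walker relies on; it would not validate anywhere."""
    bc = der(0x30, der(0x01, b"\xff") if ca else b"")
    ext = der(0x30, der(0x06, OID_BASIC_CONSTRAINTS) + der(0x01, b"\xff") + der(0x04, bc))
    alg = der(0x30, der(0x06, OID_SHA256_RSA) + der(0x05, b""))
    tbs = der(0x30,
              der(0xA0, der(0x02, b"\x02"))                                   # [0] version v3
              + der(0x02, b"\x01")                                            # serialNumber
              + alg                                                           # signature alg
              + der(0x30, b"")                                                # issuer (placeholder)
              + der(0x30, der(0x17, b"240101000000Z") + der(0x17, b"340101000000Z"))  # validity
              + der(0x30, b"")                                                # subject (placeholder)
              + der(0x30, b"")                                                # subjectPublicKeyInfo
              + der(0xA3, der(0x30, ext)))                                    # [3] extensions
    return der(0x30, tbs + alg + der(0x03, b"\x00" * 17))                     # dummy signature


if __name__ == "__main__":
    for flag in (True, False):
        print(check_ca_file(to_pem(sample_certificate(flag)).encode())["ca"])
```

A file that fails `to_der` is the case the wizard rejects (no BEGIN/END CERTIFICATE lines and not DER); a certificate whose cA flag is False or absent is the case the "Enable CA flag in basic constraints extension" option is meant to catch.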