This procedure describes steps for generating a self-signed certificate for your ASA by entering the appropriate certificate field values in a wizard. You can generate as many self-signed certificates as you want.
To create a Self-Signed identity certificate object, perform the following steps:
Procedure
Step 1 | In the left pane, click Objects. |
Step 2 | Click and select ASA > Trustpoints. |
Step 3 | Enter an Object Name for the certificate. The name is used in the configuration as an object name only; it does not become part of the certificate itself. |
Step 4 | In the Identity Certificate step, select Identity Certificate. |
Step 5 | In the Import Type step, select New to upload the certificate file and click Continue. |
Step 6 | In the Enrollment step, select Self-Signed and click Continue. |
Step 7 | In the Certificate Contents step, configure the following:
- Country (C)—Select the country code from the drop-down list.
- State or Province (ST)—The state or province to include in the certificate.
- Locality or City (L)—The locality to include in the certificate, such as the name of the city.
- Organization (O)—The organization or company name to include in the certificate.
- Organizational Unit (Department) (OU)—The name of the organizational unit (for example, a department name) to include in the certificate.
- Common Name (CN)—The X.500 common name to include in the certificate. This could be the name of the device, web site, or another text string. This element is usually required for successful connections. For example, you must include a CN in the internal certificate used for remote access VPN.
- Email Address (EA)—The e-mail address associated with the identity certificate.
- IP Address—The ASA IP address on the network in four-part, dotted-decimal notation.
- Device's FQDN—An unambiguous domain name, to indicate the position of the node in the DNS tree hierarchy.
- Include Device's Serial Number—Select the check box if you want to add the ASA serial number to the certificate parameters.
- Click the Key tab.
- Choose the RSA or ECDSA key type.
- Key Size: If the key pair does not exist, defines the desired key size (modulus), in bits. The recommended key size for RSA is 1024 and for ECDSA is 348. The larger the modulus size, the more secure the key. However, keys with larger modulus sizes take longer to generate (a minute or more when larger than 512 bits) and longer to process when exchanged.
- Click Continue.
|
Step 8 | In the Advanced Options step, you can configure the following:
In the Revocation tab, you can configure the following:
- Enable Certificate Revocation Lists (CRL)—Check to enable CRL checking.
  By default, the Use CRL distribution point from the certificate check box is selected, to obtain the revocation list distribution URL from the certificate.
  Cache Refresh Time (in minutes)—Enter the number of minutes between cache refreshes. The default is 60 minutes. The range is 1-1440 minutes. To avoid having to retrieve the same CRL from a CA repeatedly, the ASA can store retrieved CRLs locally, which is called CRL caching. The CRL cache capacity varies by platform and is cumulative across all contexts. If an attempt to cache a newly retrieved CRL would exceed its storage limits, the ASA removes the least recently used CRL until more space becomes available.
- Enable Online Certificate Status Protocol (OCSP)—Check to enable OCSP checking.
  OCSP Server URL—The URL of the OCSP server checking for revocation if you require OCSP checks. This URL must start with http://.
  Disable Nonce Extension—Enable the check box which cryptographically binds requests with responses to avoid replay attacks. This process works by matching the extension in the request to that in the response, ensuring that they are the same. Uncheck the Disable Nonce Extension check box if the OCSP server you are using sends pregenerated responses that do not include this matching nonce extension.
  Evaluation Priority—Specify whether to evaluate the revocation status of a certificate first in CRL or OCSP.
- Consider the certificate valid if revocation information cannot be reached—Select this check box to consider the certificate to be a valid certificate if revocation information is unreachable.
For more information on revocation checks, see the "Digital Certificates" chapter in the "Basic Settings" book of the Cisco ASA Series General Operations ASDM Configuration, X.Y document.
|
Step 9 | Click Add. |
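The following script is an added example and is not CDO or ASA code. It uses the openssl CLI (1.1.1 or newer, for the -addext option) to build the same kind of self-signed identity certificate that Steps 7 and 8 describe, so you can see what the wizard fields become in X.509 terms: the Certificate Contents fields map to subject attributes (with "Include Device's Serial Number" as the serialNumber attribute), the IP Address and FQDN become subjectAltName entries, and the key tab becomes an RSA or ECDSA key pair. The certificate is also given CRL Distribution Points and OCSP (Authority Information Access) extensions, which is what the Revocation tab's "Use CRL distribution point from the certificate" option and OCSP Server URL read on certificates the trustpoint validates; a real self-signed identity certificate would not normally carry them, they are here so the inspection functions have something to parse. All names, addresses, URLs and the serial value are constructed samples, and the key sizes (RSA 2048, ECDSA P-384) are this example's own choices.

```shell
#!/bin/sh
# Added example for the CDO/ASA self-signed trustpoint procedure. Not CDO or ASA code:
# it uses the openssl CLI (1.1.1 or newer, for -addext) to build the same kind of
# certificate the wizard produces, then reads back the fields the Revocation tab uses.
# All subject values, hostnames, URLs and the serial value below are constructed samples.
set -eu

WORK=$(mktemp -d)

# Wizard "Certificate Contents" fields, expressed as X.509 subject attributes.
# "Include Device's Serial Number" maps to the serialNumber DN attribute (placeholder value).
SUBJ="/C=US/ST=California/L=San Jose/O=Example Corp/OU=Network Security"
SUBJ="$SUBJ/CN=asa.example.com/emailAddress=admin@example.com/serialNumber=SAMPLE-SERIAL-0001"

# "IP Address" and "Device's FQDN" become subjectAltName entries.
SAN="subjectAltName=DNS:asa.example.com,IP:192.0.2.10"
# Revocation pointers a CA-issued certificate would carry; included so the
# inspection functions below have something to read (constructed URLs).
CRL_EXT="crlDistributionPoints=URI:http://crl.example.com/asa.crl"
AIA_EXT="authorityInfoAccess=OCSP;URI:http://ocsp.example.com"

# gen_self_signed <rsa|ecdsa>: generate a key pair and a self-signed certificate,
# then print the certificate path. Key sizes are this example's own choice.
gen_self_signed() {
    ktype=$1
    key="$WORK/$ktype.key"
    cert="$WORK/$ktype.crt"
    case "$ktype" in
        rsa)   openssl genrsa -out "$key" 2048 2>/dev/null ;;
        ecdsa) openssl ecparam -name secp384r1 -genkey -noout -out "$key" 2>/dev/null ;;
        *)     echo "unknown key type: $ktype" >&2; return 1 ;;
    esac
    openssl req -x509 -new -key "$key" -subj "$SUBJ" -days 365 \
        -addext "$SAN" -addext "$CRL_EXT" -addext "$AIA_EXT" \
        -out "$cert" 2>/dev/null
    echo "$cert"
}

# cert_cn <cert>: the Common Name, which the procedure notes is usually required.
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# cert_key_bits <cert>: public key size in bits (RSA modulus or ECDSA curve size).
cert_key_bits() {
    openssl x509 -in "$1" -noout -text | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# cert_sans <cert>: the subjectAltName line (DNS and IP entries).
cert_sans() {
    openssl x509 -in "$1" -noout -text | sed -n '/Subject Alternative Name/{n;s/^ *//;p;}'
}

# cert_crl_url <cert>: the CRL distribution point URL that
# "Use CRL distribution point from the certificate" would fetch.
cert_crl_url() {
    openssl x509 -in "$1" -noout -text \
        | sed -n '/CRL Distribution Points/,/URI:/s/.*URI:\(.*\)/\1/p' | head -n 1
}

# cert_ocsp_url <cert>: the OCSP responder URL from the Authority Information Access extension.
cert_ocsp_url() {
    openssl x509 -in "$1" -noout -text | sed -n 's/.*OCSP - URI:\(.*\)/\1/p' | head -n 1
}

# ocsp_url_ok <url>: the procedure's constraint that the OCSP Server URL must start with http://.
ocsp_url_ok() {
    case "$1" in
        http://*) return 0 ;;
        *)        return 1 ;;
    esac
}
```

Usage: source the file and call `gen_self_signed rsa` or `gen_self_signed ecdsa`, then pass the printed path to the `cert_*` functions; the same inspection functions work on any PEM certificate you export from the ASA, which is a quick way to confirm that a CN and the expected SAN entries are present before using the trustpoint for remote access VPN.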