Configuring the user certificate lifetime – Cisco ASA 5505 User Manual

Page 847

Advertising
background image

41-29

Cisco ASA 5500 Series Configuration Guide using the CLI

Chapter 41 Configuring Digital Certificates

Configuring Digital Certificates

Configuring the User Certificate Lifetime

To configure the user certificate lifetime, perform the following steps:

Step 2

lifetime ca-certificate

time

Example:

hostname (config-ca-server)# lifetime ca-certificate

365

Determines the expiration date included in the
certificate. The default lifetime of a local CA
certificate is three years.

Make sure that you limit the validity period of the
certificate to less than the recommended end date of
03:14:08 UTC, January 19, 2038.

Step 3

no lifetime ca-certificate

Example:

hostname (config-ca-server)# no lifetime

ca-certificate

(Optional) Resets the local CA certificate lifetime to
the default value of three years.

The local CA server automatically generates a
replacement CA certificate 30 days before it expires,
which allows the replacement certificate to be
exported and imported onto any other devices for
certificate validation of user certificates that have
been issued by the local CA certificate after the
current local CA certificate has expired. The
following preexpiration syslog message is generated:

%ASA-1-717049: Local CA Server certificate is

due to expire in days days and a replacement

certificate is available for export.

Note

When notified of this automatic rollover, the
administrator must make sure that the new
local CA certificate is imported onto all
required devices before it expires.

Command

Purpose

Command

Purpose

Step 1

crypto ca server

Example:

hostname (config)# crypto ca server

Enters local CA server configuration mode. Allows
you to configure and manage a local CA.

Step 2

lifetime certificate

time

Example:

hostname (config-ca-server)# lifetime certificate

60

Sets the length of time that you want user certificates
to remain valid.

Note

Before a user certificate expires, the local CA
server automatically initiates certificate
renewal processing by granting enrollment
privileges to the user several days ahead of
the certificate expiration date, setting renewal
reminders, and delivering an e-mail message
that includes the enrollment username and
OTP for certificate renewal. Make sure that
you limit the validity period of the certificate
to less than the recommended end date of
03:14:08 UTC, January 19, 2038.

Advertising
This manual is related to the following products:

ASA 5585-X, ASA 5555-X, ASA 5545-X, ASA 5525-X, ASA 5515-X, ASA 5512-X, ASA 5580, ASA 5550, ASA 5540, ASA 5520, ASA 5510, ASA 5500 Series

Popular Brands
Popular manuals