Configuring ca certificate map rules – Cisco ASA 5505 User Manual
Cisco ASA 5500 Series Configuration Guide using the CLI
Chapter 41 Configuring Digital Certificates
Configuring CA Certificate Map Rules
You can configure rules based on the Issuer and Subject fields of a certificate. Using the rules you create, 
you can map IPsec peer certificates to tunnel groups with the tunnel-group-map command. The ASA 
supports one CA certificate map, which can include many rules. 
To configure a CA certificate map rule, perform the following steps:
Step 1
Command: crypto ca certificate map sequence-number
Example:
hostname(config)# crypto ca certificate map 1
Purpose: Enters CA certificate map configuration mode for the rule you want to configure and specifies the rule index number.

Step 2
Command: issuer-name DN-string
Example:
hostname(config-ca-cert-map)# issuer-name cn=asa.example.com
Purpose: Specifies the distinguished name of all issued certificates, which is also the subject-name DN of the self-signed CA certificate. Use commas to separate attribute-value pairs. Insert quotation marks around any value that includes a comma. An issuer-name must be less than 500 alphanumeric characters. The default issuer-name is cn=hostname.domain-name.

Step 3
Command: subject-name attr tag eq | co | ne | nc string
Example:
hostname(config-ca-cert-map)# subject-name attr cn eq mycert
Purpose: Specifies tests that the ASA can apply to values found in the Subject field of certificates. The tests can apply to specific attributes or to the entire field. You can configure many tests per rule, and all the tests you specify with these commands must be true for a rule to match a certificate. The following are valid operators:
• eq—The field or attribute must be identical to the value given.
• ne—The field or attribute cannot be identical to the value given.
• co—Part or all of the field or attribute must match the value given.
• nc—No part of the field or attribute can match the value given.

Step 4
Command: write memory
Example:
hostname(config)# write memory
Purpose: Saves the running configuration.
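The following Python script is an added example, not Cisco code and not part of the configuration guide. It models the matching semantics the procedure above describes: a certificate map holds rules identified by sequence number, each rule holds one or more subject-name tests using the eq, ne, co and nc operators, and every test in a rule must be true for the rule to match a certificate's Subject field. It also renders each modelled rule as the CLI lines from Step 1 and Step 3, so you can check that a rule you intend to type does what you expect before committing it. The DN parser honours the guide's quoting rule (a value containing a comma is enclosed in quotation marks). The sample Subject fields and rules are constructed for the example. Two behaviours are assumptions of this model rather than statements from the page: comparisons are case-insensitive, and a test against an attribute that is absent from the Subject is treated as failing for eq/co and passing for ne/nc.

```python
"""Model of ASA CA certificate map rule matching (added example, not Cisco code)."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample Subject fields as they might appear in IPsec peer certificates.
SAMPLE_SUBJECTS = {
    "eng-laptop": "cn=mycert,ou=Engineering,o=Example Corp,c=US",
    "sales-laptop": 'cn=salescert,ou=Sales,o="Example, Inc",c=US',
    "lab-box": "cn=other,ou=Sales,o=Test Lab,c=US",
}


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a DN into (tag, value) pairs.

    Commas separate attribute-value pairs; a value that itself contains a comma
    must be enclosed in quotation marks, as the configuration guide requires.
    """
    pieces, buf, in_quotes = [], [], False
    for ch in dn:
        if ch == '"':
            in_quotes = not in_quotes          # quotes delimit, they are not part of the value
        elif ch == "," and not in_quotes:
            pieces.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    pieces.append("".join(buf))
    pairs = []
    for piece in pieces:
        tag, _, value = piece.partition("=")
        pairs.append((tag.strip().lower(), value.strip()))
    return pairs


def apply_operator(op: str, actual: str, expected: str) -> bool:
    """eq/ne compare the whole value; co/nc test for a substring (assumed case-insensitive)."""
    a, e = actual.lower(), expected.lower()
    if op == "eq":
        return a == e
    if op == "ne":
        return a != e
    if op == "co":
        return e in a
    if op == "nc":
        return e not in a
    raise ValueError(f"unknown operator {op!r}")


@dataclass(frozen=True)
class SubjectTest:
    op: str
    value: str
    attr: Optional[str] = None   # None means the test applies to the entire Subject field

    def matches(self, subject_dn: str) -> bool:
        if self.attr is None:
            return apply_operator(self.op, subject_dn, self.value)
        values = [v for t, v in parse_dn(subject_dn) if t == self.attr.lower()]
        if not values:
            # Modelling assumption: a missing attribute fails eq/co and passes ne/nc.
            return self.op in ("ne", "nc")
        return any(apply_operator(self.op, v, self.value) for v in values)


@dataclass
class CertMapRule:
    sequence: int
    tests: List[SubjectTest] = field(default_factory=list)

    def matches(self, subject_dn: str) -> bool:
        # All tests configured in a rule must be true for the rule to match.
        return all(t.matches(subject_dn) for t in self.tests)

    def to_cli(self) -> List[str]:
        """Render the rule as the CLI lines from Step 1 and Step 3 of the procedure."""
        lines = [f"crypto ca certificate map {self.sequence}"]
        for t in self.tests:
            if t.attr is None:
                lines.append(f" subject-name {t.op} {t.value}")
            else:
                lines.append(f" subject-name attr {t.attr} {t.op} {t.value}")
        return lines


# Constructed rules: rule 1 is the page's own example test, rule 2 combines two tests.
RULES = [
    CertMapRule(1, [SubjectTest("eq", "mycert", attr="cn")]),
    CertMapRule(2, [SubjectTest("co", "sales", attr="ou"), SubjectTest("nc", "test", attr="o")]),
]


def matching_rules(rules: List[CertMapRule], subject_dn: str) -> List[int]:
    """Return the sequence numbers of every rule whose tests all hold for this Subject."""
    return sorted(r.sequence for r in rules if r.matches(subject_dn))


if __name__ == "__main__":
    for rule in RULES:
        print("\n".join(rule.to_cli()))
    for name, subject in SAMPLE_SUBJECTS.items():
        print(f"{name}: {subject!r} -> rules {matching_rules(RULES, subject)}")
```

Run the script to see each rule printed in CLI form followed by which rules each sample Subject satisfies; the "lab-box" Subject matches rule 2's ou test but fails its nc test on o, so it matches nothing, which illustrates that every test in a rule must hold.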