Cisco ASA 5505 User Manual

41-37

Cisco ASA 5500 Series Configuration Guide using the CLI

Chapter 41 Configuring Digital Certificates

Configuring Digital Certificates

Step 4

crypto ca server user-db show-otp

Example:

hostname (config-ca-server)# crypto ca server

user-db show-otp

Shows the issued OTP.

Step 5

otp expiration

timeout

Example:

hostname (config-ca-server)# otp expiration 24

Sets the enrollment time limit in hours. The default
expiration time is 72 hours. The otp expiration
command defines the amount of time that the OTP is
valid for user enrollment. This time period begins
when the user is allowed to enroll.

After a user enrolls successfully within the time limit
and with the correct OTP, the local CA server creates
a PKCS12 file, which includes a keypair for the user
and a user certificate that is based on the public key
from the keypair generated and the subject-name DN
specified when the user is added. The PKCS12 file
contents are protected by a passphrase, the OTP. The
OTP can be handled manually, or the local CA can
e-mail this file to the user to download after the
administrator allows enrollment.

The PKCS12 file is saved to temporary storage with
the name, username.p12. With the PKCS12 file in
storage, the user can return within the
enrollment-retrieval time period to download the
PKCS12 file as many times as needed. When the time
period expires, the PKCS12 file is removed from
storage automatically and is no longer available to
download.

Note

If the enrollment period expires before the
user retrieves the PKCS12 file that includes
the user certificate, enrollment is not
permitted.

Command

Purpose