Revoking certificates, Maintaining the local ca certificate database, Rolling over local ca certificates – Cisco ASA 5505 User Manual

41-40

Cisco ASA 5500 Series Configuration Guide using the CLI

Chapter 41 Configuring Digital Certificates

Configuring Digital Certificates

Revoking Certificates

To revoke a user certificate, perform the following steps (the command and purpose table for these steps appears at the end of this page, after the examples):

Maintaining the Local CA Certificate Database

To maintain the local CA certificate database, make sure that you save the certificate database file,
LOCAL-CA-SERVER.cdb, with the write memory command each time that a change to the database
occurs. The local CA certificate database includes the following files:

The LOCAL-CA-SERVER.p12 file is the archive of the local CA certificate and keypair that is
generated when the local CA server is initially enabled.

The LOCAL-CA-SERVER.crl file is the actual CRL.

The LOCAL-CA-SERVER.ser file keeps track of the issued certificate serial numbers.

Rolling Over Local CA Certificates

Thirty days before the local CA certificate expires, a rollover replacement certificate is generated, and a
syslog message informs the administrator that it is time for local CA rollover. The new local CA
certificate must be imported onto all necessary devices before the current certificate expires. If the
administrator does not respond by installing the rollover certificate as the new local CA certificate,
validations may fail.

The local CA certificate rolls over automatically after expiration using the same keypair. The rollover
certificate is available for export in base 64 format.

Examples

The following example shows a base 64 encoded local CA certificate:

MIIXlwIBAzCCF1EGCSqGSIb3DQEHAaCCF0IEghc+MIIXOjCCFzYGCSqGSIb3DQEHBqCCFycwghcjAgEAMIIXHAYJKo
ZIhvcNAQcBMBsGCiqGSIb3DQEMAQMwDQQIjph4SxJoyTgCAQGAghbw3v4bFy+GGG2dJnB4OLphsUM+IG3SDOiDwZG9
n1SvtMieoxd7Hxknxbum06JDrujWKtHBIqkrm+td34qlNE1iGeP2YC94/NQ2z+4kS+uZzwcRhl1KEZTS1E4L0fSaC3
uMTxJq2NUHYWmoc8pi4CIeLj3h7VVMy6qbx2AC8I+q57+QG5vG5l5Hi5imwtYfaWwPEdPQxaWZPrzoG1J8BFqdPa1j
BGhAzzuSmElm3j/2dQ3Atro1G9nIsRHgV39fcBgwz4fEabHG7/Vanb+fj81d5nlOiJjDYYbP86tvbZ2yOVZR6aKFVI
0b2AfCr6PbwfC9U8Z/aF3BCyM2sN2xPJrXva94CaYrqyotZdAkSYA5KWScyEcgdqmuBeGDKOncTknfgy0XM+fG5rb3
qAXy1GkjyFI5Bm9Do6RUROoG1DSrQrKeq/hj….
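The base64 sample above and the hexadecimal serial number used by the revoke step (in the table at the end of this page), worked through with a small inspection script. This is an added example, not Cisco code and not an ASA command; it uses only the Python standard library. It decodes the first two lines of the sample above and classifies the outer ASN.1 structure: those bytes begin SEQUENCE { INTEGER 3, SEQUENCE { OID 1.2.840.113549.1.7.1 ... } }, which is the outer shape of a PKCS#12 archive such as LOCAL-CA-SERVER.p12 rather than a bare certificate. For a bare DER certificate it extracts the serial number in hex, the form `crypto ca server revoke` takes, and the number of days left before notAfter, flagged against the 30-day rollover window described above. The certificate it checks is a constructed, unsigned stub containing only the fields the script reads; `ROLLOVER_DAYS`, `classify`, `certificate_status`, `sample_status` and the sample validity dates are the example's own assumptions.

```python
"""Inspect a base64 export from an ASA local CA (added example; not Cisco code).

Standard library only. It does two things:
  * classifies the outer ASN.1 shape of a base64 export as a PKCS#12 archive
    (the shape of LOCAL-CA-SERVER.p12) or a bare X.509 certificate;
  * for a certificate, reports the serial number in hex (the form that
    'crypto ca server revoke' takes) and the days left until notAfter,
    flagged against the 30-day rollover window.
"""
import base64
from datetime import datetime, timezone

ROLLOVER_DAYS = 30                       # rollover certificate is generated 30 days before expiry
OID_PKCS7_DATA = "1.2.840.113549.1.7.1"  # authSafe contentType inside a PKCS#12 PFX

# First two lines of the base64 sample on the page (lines are joined before decoding).
PAGE_SAMPLE = (
    "MIIXlwIBAzCCF1EGCSqGSIb3DQEHAaCCF0IEghc+MIIXOjCCFzYGCSqGSIb3DQEHBqCCFycwghcjAgEAMIIXHAYJKo"
    "ZIhvcNAQcBMBsGCiqGSIb3DQEMAQMwDQQIjph4SxJoyTgCAQGAghbw3v4bFy+GGG2dJnB4OLphsUM+IG3SDOiDwZG9"
)


def _tlv(buf, pos):
    """Read one DER tag/length/value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                    # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _encode_tlv(tag, body):
    """Minimal DER encoder, used only to build the constructed sample certificate."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _oid_to_str(value):
    """Decode DER OID content bytes into dotted form."""
    parts, acc = [str(value[0] // 40), str(value[0] % 40)], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(str(acc))
            acc = 0
    return ".".join(parts)


def _asn1_time(tag, value):
    """UTCTime (tag 0x17) or GeneralizedTime (tag 0x18) to an aware datetime."""
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(value.decode("ascii"), fmt).replace(tzinfo=timezone.utc)


def decode_export(b64_text):
    """Join wrapped lines, restore padding, and base64-decode the export."""
    s = "".join(b64_text.split())
    return base64.b64decode(s + "=" * (-len(s) % 4))


def classify(der):
    """Return 'pkcs12', 'certificate' or 'unknown' from the outer ASN.1 structure."""
    tag, outer, _ = _tlv(der, 0)
    if tag != 0x30:
        return "unknown"
    t1, v1, p = _tlv(outer, 0)
    if t1 == 0x02 and v1 == b"\x03":     # PFX ::= SEQUENCE { version INTEGER(3), authSafe ContentInfo, ... }
        t2, auth_safe, _ = _tlv(outer, p)
        t3, oid, _ = _tlv(auth_safe, 0)
        if t2 == 0x30 and t3 == 0x06 and _oid_to_str(oid) == OID_PKCS7_DATA:
            return "pkcs12"
    if t1 == 0x30:                       # Certificate ::= SEQUENCE { tbsCertificate SEQUENCE, ... }
        return "certificate"
    return "unknown"


def certificate_status(der, now=None):
    """Serial (hex) and days to expiry of a DER certificate, flagged against the rollover window."""
    now = now or datetime.now(timezone.utc)
    _, cert, _ = _tlv(der, 0)
    _, tbs, _ = _tlv(cert, 0)
    tag, value, pos = _tlv(tbs, 0)
    if tag == 0xA0:                      # optional explicit [0] version comes before the serial
        tag, value, pos = _tlv(tbs, pos)
    serial_hex = value.hex().lstrip("0") or "0"
    _, _, pos = _tlv(tbs, pos)           # signature AlgorithmIdentifier (skipped)
    _, _, pos = _tlv(tbs, pos)           # issuer Name (skipped)
    _, validity, _ = _tlv(tbs, pos)      # validity SEQUENCE { notBefore, notAfter }
    _, _, p = _tlv(validity, 0)
    t_na, na, _ = _tlv(validity, p)
    days_left = (_asn1_time(t_na, na) - now).days
    return {"serial": serial_hex, "days_left": days_left,
            "rollover_due": days_left <= ROLLOVER_DAYS}


def build_sample_certificate(serial, not_before, not_after):
    """Constructed, unsigned stub with only the fields this script reads (not a real certificate)."""
    version = _encode_tlv(0xA0, _encode_tlv(0x02, b"\x02"))
    serial_der = _encode_tlv(0x02, serial.to_bytes((serial.bit_length() + 8) // 8, "big"))
    sig_alg = _encode_tlv(0x30, _encode_tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))
    issuer = _encode_tlv(0x30, b"")
    validity = _encode_tlv(0x30, _encode_tlv(0x17, not_before.strftime("%y%m%d%H%M%SZ").encode())
                           + _encode_tlv(0x17, not_after.strftime("%y%m%d%H%M%SZ").encode()))
    return _encode_tlv(0x30, _encode_tlv(0x30, version + serial_der + sig_alg + issuer + validity))


# Constructed sample: serial taken from the page's revoke example, dates are the example's own.
SAMPLE_CERT = build_sample_certificate(0x782EA09F,
                                       datetime(2024, 1, 1, tzinfo=timezone.utc),
                                       datetime(2024, 12, 31, 23, 59, 59, tzinfo=timezone.utc))


def sample_status(today):
    """Status of the constructed sample certificate as of a 'YYYY-MM-DD' date."""
    now = datetime.strptime(today, "%Y-%m-%d").replace(tzinfo=timezone.utc)
    return certificate_status(SAMPLE_CERT, now)


if __name__ == "__main__":
    print("page sample decodes as:", classify(decode_export(PAGE_SAMPLE)))
    print("constructed certificate on 2024-12-15:", sample_status("2024-12-15"))
```

A real certificate carries subject, public key and extensions after the validity SEQUENCE; the parser never reads past validity, so those fields are irrelevant to it. The serial comes out without leading zero octets, which is the form the revoke command in the table expects.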

Command and Purpose

Step 1

Command: crypto ca server

Example:
hostname(config)# crypto ca server

Purpose: Enters local CA server configuration mode. Allows you to configure and manage a local CA.

Step 2

Command: crypto ca server revoke cert-serial-no

Example:
hostname(config-ca-server)# crypto ca server revoke 782ea09f

Purpose: Enters the certificate serial number in hexadecimal format. Marks the certificate as revoked in the certificate database on the local CA server and in the CRL, which is automatically reissued.

Note: The password is also required if the certificate for the ASA needs to be revoked, so make sure that you record it and store it in a safe place.
