Cisco Security Appliance Command Line Configuration Guide (Cisco PIX 500 Series / ASA 5500 Series)
Chapter 39, Configuring Certificates: The Local CA, Enrollment Requirements (page 39-26)
The Local CA
Each unique OTP has a configurable window of time in which it can be used to enroll for a certificate. If
the OTP expires before the user has enrolled and retrieved the PKCS12 enrollment file that contains the
user certificate, enrollment is not permitted. The otp expiration command defines the amount of time
the OTP is valid for user enrollment.
The enrollment-retrieval command specifies the time in hours that an enrolled user can retrieve the
issued certificate. An example of setting up enrollment parameters follows:
Step 1 Enter the crypto ca server command to access the Local CA Server Configuration mode. An example
follows:
hostname(config)# crypto ca server
hostname(config-ca-server)#
Step 2 Specify the number of hours (24) that an issued One-Time Password (OTP) for the local Certificate
Authority (CA) enrollment page is valid with the otp expiration command. This time period begins
when the user is allowed to enroll. The default expiration time of 72 hours can be changed to 24 as
follows:
hostname(config-ca-server)# otp expiration 24
hostname(config-ca-server)#
Note The user OTP for enrolling for a certificate with the enrollment interface page is also used as the
password to unlock the PKCS12 file containing that user's issued certificate and keypair.
Step 3 Specify the number of hours an already-enrolled user can retrieve a PKCS12 enrollment file with the
enrollment-retrieval command. This time period begins when the user is successfully enrolled. This
command modifies the default 24-hour retrieval period to any value between one and 720 hours. Note
that the enrollment retrieval period is independent of the OTP expiration period. The following example sets
the retrieval time to 120 hours (five days).
hostname(config)# crypto ca server
hostname(config-ca-server)# enrollment-retrieval 120
hostname(config-ca-server)#
After the enrollment-retrieval time expires, the user certificate and keypair are no longer available; the
only way for the user to receive a certificate is for the administrator to reinitialize certificate enrollment
by allowing the user again (crypto ca server user-db allow), which issues a fresh OTP and starts a new OTP
expiration window.
For the CLI commands that let you display and view the database entries, refer to the section
"Displaying Local CA Server Information" further on in this chapter.
Enrollment Requirements
End users enroll for a certificate by visiting the Local CA Enrollment Interface webpage and entering a
username and one-time password. Enrolling as a user on the Local CA server therefore requires valid user
credentials: the username the administrator added to the user database and the OTP issued for it.
When a user enrolls, the Local CA generates the user certificate and provides a link so the user can install
the certificate on the client machine. The user's private keypair is generated by the Local CA and is
issued to the user as part of the PKCS12 file. The PKCS12 file includes the keypair, the certificate
issued to the user, and the Local CA certificate, and is protected by the same OTP.
Cisco Security Appliance Command Line Configuration Guide, OL-12172-03, Chapter 39 Configuring Certificates, page 39-26
This manual also applies to the Cisco ASA 5500 series.