Cisco ASA 5505 Configuration Manual page 734

Information About Digital Certificates
Note: To configure a trustpoint to validate a self-signed OCSP responder certificate, you import the self-signed responder certificate into its own trustpoint as a trusted CA certificate. Then you configure the match certificate command in the client certificate validating trustpoint to use the trustpoint that includes the self-signed OCSP responder certificate to validate the responder certificate. Use the same procedure for configuring validating responder certificates external to the validation path of the client certificate.
The OCSP server (responder) certificate usually signs the OCSP response. After receiving the response, the adaptive security appliance tries to verify the responder certificate. The CA normally sets the lifetime of the OCSP responder certificate to a relatively short period to minimize the chance of its being compromised. The CA usually also includes an ocsp-no-check extension in the responder certificate, which indicates that this certificate does not need revocation status checking. However, if this extension is not present, the adaptive security appliance tries to check revocation status using the same method specified in the trustpoint. If the responder certificate is not verifiable, revocation checks fail. To avoid this possibility, use the revocation-check none command to configure the responder certificate validating trustpoint, and use the revocation-check ocsp command to configure the client certificate validating trustpoint.
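The two-trustpoint arrangement described above, written out as an added ASA CLI example (this is not text from the guide); the trustpoint names, the certificate map name, the issuer CN and the OCSP URL are assumed placeholders:

```cisco
! Trustpoint that holds only the self-signed OCSP responder certificate.
! Revocation checking is disabled here so the responder certificate can still
! be verified when it lacks the ocsp-no-check extension.
crypto ca trustpoint OCSP-RESPONDER-TP
 enrollment terminal
 revocation-check none
!
! Import the responder's self-signed certificate as a trusted CA certificate
! (with enrollment terminal, the CLI prompts for the base64 certificate text).
crypto ca authenticate OCSP-RESPONDER-TP
!
! Certificate map that selects the client certificates issued by the client CA
! (the issuer CN value is an assumed placeholder).
crypto ca certificate map CLIENT-CERT-MAP 10
 issuer-name attr cn eq Example Client CA
!
! Trustpoint that validates client certificates: OCSP is required, and the
! responder certificate is validated against OCSP-RESPONDER-TP instead of
! against the client certificate's own validation path.
crypto ca trustpoint CLIENT-CA-TP
 enrollment terminal
 revocation-check ocsp
 ocsp url http://ocsp.example.com/
 match certificate CLIENT-CERT-MAP override ocsp trustpoint OCSP-RESPONDER-TP 10 url http://ocsp.example.com/
```

After importing, confirm that the responder certificate landed in the intended trustpoint with show crypto ca certificates OCSP-RESPONDER-TP, and check that the client trustpoint reports revocation-check ocsp in show running-config crypto ca trustpoint CLIENT-CA-TP.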
The Local CA Server
The local CA performs the following tasks:
- Integrates basic certificate authority operation on the adaptive security appliance.
- Deploys certificates.
- Provides secure revocation checking of issued certificates.
- Provides a certificate authority on the adaptive security appliance for use with browser-based and client-based SSL VPN connections.
- Provides trusted digital certificates to users, without the need to rely on external certificate authorization.
- Provides a secure, in-house authority for certificate authentication and offers straightforward user enrollment by means of a website login.
After you configure a local CA server on the adaptive security appliance, users can enroll for a certificate by logging into a website and entering a username and a one-time password that is provided by the local CA administrator to validate their eligibility for enrollment.
As shown in Figure 35-1, the local CA server resides on the adaptive security appliance and handles enrollment requests from website users and CRL inquiries coming from other certificate validating devices and adaptive security appliances. Local CA database and configuration files are maintained either on the adaptive security appliance flash memory (default storage) or on a separate storage device.
Cisco ASA 5500 Series Configuration Guide using ASDM
Chapter 35 Configuring Digital Certificates
OL-20339-01
35-6
