Cisco FirePOWER ASA 5500 series Configuration Manual page 760

Security appliance command line

Certificate Configuration
Cisco Security Appliance Command Line Configuration Guide, OL-10088-01, Chapter 39: Configuring Certificates, page 39-10

hostname/contexta(config)# crypto ca authenticate Main
INFO: Certificate has the following attributes:
Fingerprint: 3736ffc2 243ecf05 0c40f2fa 26820675
Do you accept this certificate? [yes/no]: y
Trustpoint 'Main' is a subordinate CA and holds a non self signed cert.
Trustpoint CA certificate accepted.

Step 2
Enroll the security appliance with the trustpoint. This process retrieves a certificate for signing data and, depending upon the type of keys you configured, for encrypting data.

Step 3
To perform enrollment, use the crypto ca enroll command. Before entering this command, contact your CA administrator because the administrator may need to authenticate your enrollment request manually before the CA grants its certificates.

hostname(config)# crypto ca enroll trustpoint

If the security appliance does not receive a certificate from the CA within 1 minute (the default) of sending a certificate request, it resends the certificate request. The security appliance continues sending a certificate request every 1 minute until a certificate is received.

Note: If the fully qualified domain name configured for the trustpoint is not identical to the fully qualified domain name of the security appliance, including the case of the characters, a warning appears. If needed, you can exit the enrollment process, make any necessary corrections, and enter the crypto ca enroll command again.

The following enrollment example performs enrollment with the trustpoint named Main:

hostname(config)# crypto ca enroll Main
%
% Start certificate enrollment ..
% Create a challenge password. You will need to verbally provide this
% password to the CA Administrator in order to revoke your certificate.
% For security reasons your password will not be saved in the configuration.
% Please make a note of it.
Password: 2b0rn0t2b
Re-enter password: 2b0rn0t2b
% The subject name in the certificate will be: securityappliance.example.com
% The fully-qualified domain name in the certificate will be: securityappliance.example.com
% Include the device serial number in the subject name? [yes/no]: no
Request certificate from CA [yes/no]: yes
% Certificate request sent to Certificate authority.

Note: The password is required if the certificate for the security appliance needs to be revoked, so it is crucial that you remember this password. Note it and store it in a safe place.

You must enter the crypto ca enroll command for each trustpoint with which the security appliance needs to enroll.

Note: If your security appliance reboots after you issued the crypto ca enroll command but before you received the certificate, reissue the crypto ca enroll command and notify the CA administrator.
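
An out-of-band check for the "Do you accept this certificate?" prompt in the crypto ca authenticate output on this page, as an added example that is not part of the Cisco guide: it recomputes the fingerprint from a CA certificate file obtained separately and compares it with the value the appliance displays. It assumes the 128-bit value is an MD5 digest of the DER-encoded certificate; CA_PEM and SESSION are constructed sample inputs and all function names are hypothetical.

```python
import base64
import hashlib
import hmac
import re

# Constructed stand-in for the CA certificate file obtained out of band.
# The payload is the three bytes b"abc", NOT a parseable X.509 certificate;
# only its bytes are hashed here.
CA_PEM = """-----BEGIN CERTIFICATE-----
YWJj
-----END CERTIFICATE-----"""

# Constructed session capture in the format shown on this page.
SESSION = """hostname/contexta(config)# crypto ca authenticate Main
INFO: Certificate has the following attributes:
Fingerprint: 90015098 3cd24fb0 d6963f7d 28e17f72
Do you accept this certificate? [yes/no]:"""

def pem_to_der(pem):
    """Return the DER bytes of the first CERTIFICATE block in a PEM string."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", pem, re.S)
    if m is None:
        raise ValueError("no CERTIFICATE block in PEM input")
    return base64.b64decode("".join(m.group(1).split()), validate=True)

def asa_style_fingerprint(der):
    """Assumption: the displayed value is MD5 over the DER encoding."""
    digest = hashlib.md5(der).hexdigest()
    return " ".join(digest[i:i + 8] for i in range(0, 32, 8))

def normalize(fingerprint):
    """Drop spaces and colons, lowercase, and insist on exactly 128 bits."""
    hex_only = re.sub(r"[\s:]", "", fingerprint).lower()
    if re.fullmatch(r"[0-9a-f]{32}", hex_only) is None:
        raise ValueError("expected 32 hex digits, got %r" % fingerprint)
    return hex_only

def displayed_fingerprint(session):
    """Extract the value after 'Fingerprint:'; an empty value is an error."""
    m = re.search(r"^Fingerprint:[ \t]*(\S.*)$", session, re.M)
    if m is None:
        raise ValueError("no fingerprint value in captured output")
    return normalize(m.group(1))

def safe_to_accept(session, ca_pem):
    """True only when the displayed value equals the recomputed one."""
    expected = normalize(asa_style_fingerprint(pem_to_der(ca_pem)))
    return hmac.compare_digest(displayed_fingerprint(session), expected)

if __name__ == "__main__":
    print("answer yes" if safe_to_accept(SESSION, CA_PEM) else "answer no and investigate")
```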


This manual is also suitable for:

PIX 500 series, Cisco ASA 5500 series
