Cisco ASA Series CLI Configuration Manual, page 944

Software version 9.0 for the services module

Chapter 1      Configuring Digital Certificates
Guidelines and Limitations

Cisco ASA Series CLI Configuration Guide, page 1-8

(list continued from the previous page)

• The authentication method, configured in the connection profile for your group policy, must be set to use both AAA and certificate authentication.
• An SSL port must be open for IKEv2 VPN connections.
• The CA must be in auto-grant mode.

Guidelines and Limitations

This section includes the guidelines and limitations for this feature.

Context Mode Guidelines

• Supported in single and multiple context mode for a local CA.
• Supported in single context mode only for third-party CAs.

Firewall Mode Guidelines

• Supported in routed and transparent firewall mode.

Failover Guidelines

• Does not support replicating sessions in Stateful Failover.
• Does not support failover for local CAs.

IPv6 Guidelines

• Does not support IPv6.

Additional Guidelines

• For ASAs that are configured as CA servers or clients, limit the validity period of the certificate so that it expires before 03:14:08 UTC, January 19, 2038, the instant at which a signed 32-bit Unix timestamp overflows. This guideline also applies to certificates imported from third-party vendors.
• You cannot configure the local CA when failover is enabled. You can only configure the local CA server on standalone ASAs without failover. For more information, see CSCty43366.
• When a certificate enrollment is completed, the ASA stores a PKCS12 file containing the user's keypair and certificate chain, which requires about 2 KB of flash memory or disk space per enrollment. The actual amount of disk space depends on the configured RSA key size and certificate fields. Keep this guideline in mind when adding a large number of pending certificate enrollments on an ASA with a limited amount of available flash memory, because these PKCS12 files are stored in flash memory for the duration of the configured enrollment retrieval timeout.
• The lifetime ca-certificate command takes effect when the local CA server certificate is first generated (that is, when you initially configure the local CA server and issue the no shutdown command). When the CA certificate expires, the configured lifetime value is used to generate the new CA certificate. You cannot change the lifetime value for existing CA certificates.
• You should configure the ASA to use an identity certificate to protect ASDM traffic and HTTPS traffic to the management interface. Identity certificates that are automatically generated with SCEP are regenerated after each reboot, so make sure that you manually install your own identity certificates. For an example of this procedure that applies only to SSL, see the following URL: http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00809fcf91.shtml
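The 2038 guideline above is easy to violate by picking a comfortable-looking lifetime, so it is worth checking with a script rather than by eye. The following is an added example, not code from the Cisco guide: it computes the largest lifetime (in days, the unit the lifetime ca-certificate and lifetime certificate commands take) that keeps a certificate issued on a given date below the cut-off, and scans the text of show crypto ca certificates for end dates past it. The layout of that show output (the "end date: HH:MM:SS UTC Mon D YYYY" lines) and the sample output embedded in the block are assumptions constructed for the example, not captured from a real ASA.

```python
"""Added example (not from the Cisco guide): checks for the 2038 validity guideline.

Two checks to run before enabling a local CA or importing a third-party
certificate on an ASA:
  1. given the date a certificate will be issued, the largest lifetime in
     days that still expires before 03:14:08 UTC, January 19, 2038; and
  2. a scan of 'show crypto ca certificates' text for end dates past that cut-off.
"""
import re
from datetime import datetime, timedelta, timezone

# The guide's cut-off is the moment a signed 32-bit Unix timestamp rolls over.
# The largest representable instant is 2**31 - 1 seconds after the epoch,
# i.e. 03:14:07 UTC on January 19, 2038; anything at or before it is safe.
TIME_T_32_MAX = datetime.fromtimestamp(2**31 - 1, tz=timezone.utc)
assert TIME_T_32_MAX == datetime(2038, 1, 19, 3, 14, 7, tzinfo=timezone.utc)


def _as_utc(when: datetime) -> datetime:
    """Treat naive datetimes as UTC so comparisons with the cut-off are valid."""
    return when if when.tzinfo is not None else when.replace(tzinfo=timezone.utc)


def max_lifetime_days(issued_at: datetime) -> int:
    """Largest whole number of days with issued_at + lifetime <= cut-off.

    Returns 0 when the issue date is already at or past the cut-off. Use the
    result as an upper bound for 'lifetime ca-certificate' / 'lifetime certificate'.
    """
    remaining = TIME_T_32_MAX - _as_utc(issued_at)
    return max(0, remaining.days)


def lifetime_is_safe(issued_at: datetime, lifetime_days: int) -> bool:
    """True when a certificate issued at issued_at with the given lifetime
    (in days) expires at or before the cut-off."""
    return _as_utc(issued_at) + timedelta(days=lifetime_days) <= TIME_T_32_MAX


# Assumed format of the validity lines printed by 'show crypto ca certificates'
# (e.g. "end   date: 16:31:31 UTC Apr 6 2012"); the exact spacing is an
# assumption, so the pattern tolerates any run of whitespace.
_END_DATE_RE = re.compile(
    r"end\s+date:\s*(\d\d:\d\d:\d\d)\s+UTC\s+([A-Za-z]{3})\s+(\d{1,2})\s+(\d{4})"
)


def parse_end_dates(show_output: str) -> list:
    """Every end date in the show output as an aware UTC datetime, in order."""
    dates = []
    for m in _END_DATE_RE.finditer(show_output):
        hms, mon, day, year = m.groups()
        parsed = datetime.strptime(f"{hms} {mon} {day} {year}", "%H:%M:%S %b %d %Y")
        dates.append(parsed.replace(tzinfo=timezone.utc))
    return dates


def find_unsafe_end_dates(show_output: str) -> list:
    """End dates that violate the guideline (at or after 03:14:08 UTC, Jan 19 2038)."""
    return [d for d in parse_end_dates(show_output) if d > TIME_T_32_MAX]


# Constructed sample output, not captured from a real ASA. The second
# certificate (imported from a third-party CA) runs past the cut-off.
SAMPLE_SHOW_OUTPUT = """\
CA Certificate
  Status: Available
  Certificate Serial Number: 01
  Validity Date:
    start date: 10:00:00 UTC Jan 1 2013
    end   date: 10:00:00 UTC Jan 1 2016
  Associated Trustpoints: LOCAL-CA-SERVER
Certificate
  Status: Available
  Certificate Serial Number: 1a2b3c
  Validity Date:
    start date: 00:00:00 UTC Mar 1 2013
    end   date: 00:00:00 UTC Mar 1 2039
  Associated Trustpoints: THIRD-PARTY-CA
"""

if __name__ == "__main__":
    issue = datetime(2013, 1, 1, tzinfo=timezone.utc)
    print("max lifetime for a certificate issued 2013-01-01:",
          max_lifetime_days(issue), "days")
    for d in find_unsafe_end_dates(SAMPLE_SHOW_OUTPUT):
        print("expires past the 2038 cut-off:", d.isoformat())
```

Run max_lifetime_days against the date you plan to issue the no shutdown command, since that is when lifetime ca-certificate takes effect and the value cannot be changed afterwards; paste the output of show crypto ca certificates into find_unsafe_end_dates after importing a third-party certificate, because the guideline applies to imported certificates as well.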