Setting Up External Local CA File Storage; CRL Storage - Cisco PIX 500 Series Configuration Manual (page 39-23)

Chapter 39
Configuring Certificates
Setting up External Local CA File Storage
Storage for Local CA files on a server external to the security appliance requires an already mounted file
system of file type CIFS or FTP that is username- and password-protected to secure the stored
information. With the file system mounted, you then can establish a path to the server and specify the
file or folder name for the Local CA to use for file storage and retrieval.
Configure the file system path with the database path command. To return Local CA file storage to the
security appliance flash memory, use the no database path command.
To specify external off-box storage for the Local CA, perform the following steps:

Step 1  Enter the mount command with a file system label and type in global configuration mode. This puts the security appliance into the configuration mode for that file system type, where you supply the server, share, domain and credentials. An example that mounts a CIFS file system follows:

hostname(config)# mount mydata type cifs
hostname(config-mount-cifs)# server 99.1.1.99 share myshare
hostname(config-mount-cifs)# domain frqa.ASC.com
hostname(config-mount-cifs)# username user6
hostname(config-mount-cifs)# password ********
hostname(config-mount-cifs)# status enable
hostname(config-mount-cifs)#

Step 2  Use the database path command to specify the location of mydata, the pre-mounted CIFS file system to be used for the Local CA server database:

hostname(config)# crypto ca server
hostname(config-ca-server)# database path mydata:newuser
hostname(config-ca-server)#
Note
Only the user who mounts a file system can un-mount it with the no mount command.

CRL Storage

The Certificate Revocation List (CRL) exists for other devices to validate the revocation of certificates
issued by the Local CA. In addition, the Local CA tracks all issued certificates and status within its own
certificate database. Revocation checking is done when a validating party needs to validate a user
certificate by retrieving the revocation status from an external server, which might be the CA that issued
the certificate or a server designated by the CA.
If you do not configure a specific location for the CDP, the default location URL is
http://hostname.domain/+CSCOCA+/asa_ca.crl. To establish a specific location for the Local CA's
automatically generated CRL, use the cdp-url command to specify the certificate revocation list
distribution point (CDP) to be included in all issued certificates. Because the CDP is embedded in each
certificate at issuance, every validating party must be able to reach that URL, and changing cdp-url
later affects only certificates issued afterward. An example follows:
hostname(config)# crypto ca server
hostname(config-ca-server)# cdp-url http://99.1.1.99/pathname/myca.crl
hostname(config-ca-server)#
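The following is an added example and is not code from the Cisco guide. It uses OpenSSL on a workstation to emulate, end to end, what the text describes: a CA issues a user certificate carrying the CDP URL from the example above (http://99.1.1.99/pathname/myca.crl, the guide's value), publishes a CRL with a six-hour lifetime, and a validating party checks the certificate against that CRL before and after a revocation. The CA name "Local CA", the user "user6", the temporary working directory and the `openssl ca` configuration are assumptions made for the example; OpenSSL (1.1.1 or later) must be installed.

```shell
#!/bin/sh
# Added example, not part of the Cisco guide: emulate with OpenSSL what a
# validating party does with the CRL a Local CA publishes at its CDP.
# The CDP URL is the guide's example value; the CA, the user "user6", the
# working directory and the 6-hour CRL lifetime are constructed here.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Minimal on-disk database that `openssl ca` needs (stands in for the
# Local CA's own certificate database described in the guide).
mkdir -p newcerts
: > index.txt
echo 01 > serial
echo 01 > crlnumber

cat > ca.cnf <<'EOF'
[ ca ]
default_ca = local_ca
[ local_ca ]
dir            = .
database       = $dir/index.txt
new_certs_dir  = $dir/newcerts
serial         = $dir/serial
crlnumber      = $dir/crlnumber
certificate    = $dir/ca.crt
private_key    = $dir/ca.key
default_md     = sha256
default_days   = 365
policy         = any_policy
[ any_policy ]
commonName = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ user_ext ]
basicConstraints = CA:FALSE
# The CDP that every issued certificate carries (cdp-url in the guide).
crlDistributionPoints = URI:http://99.1.1.99/pathname/myca.crl
EOF

# Self-signed CA, then a user certificate issued with the CDP extension.
openssl req -x509 -new -config ca.cnf -extensions ca_ext -newkey rsa:2048 -nodes \
    -keyout ca.key -out ca.crt -subj "/CN=Local CA" -days 365 2>/dev/null
openssl req -new -config ca.cnf -newkey rsa:2048 -nodes \
    -keyout user.key -out user.csr -subj "/CN=user6" 2>/dev/null
openssl ca -batch -config ca.cnf -extensions user_ext -notext \
    -in user.csr -out user.crt 2>/dev/null

# Publish a CRL valid for six hours, the guide's default CRL lifetime.
publish_crl() {
    openssl ca -config ca.cnf -gencrl -crlhours 6 -out myca.crl 2>/dev/null
}

# What an issued certificate tells a validator about where the CRL lives.
cdp_of() {
    openssl x509 -in "$1" -noout -text | sed -n 's/^ *URI:\(.*\)$/\1/p' | head -n 1
}

# Validate a certificate against the CA and the published CRL, as a
# validating party would after fetching the CRL from the CDP.
# Prints "good", "revoked", or "error: ..." for any other failure.
revocation_status() {
    out=$(openssl verify -crl_check -CAfile ca.crt -CRLfile myca.crl "$1" 2>&1) \
        && { echo good; return 0; }
    case "$out" in
        *"certificate revoked"*) echo revoked ;;
        *) echo "error: $out" ;;
    esac
}

publish_crl
STATUS_BEFORE=$(revocation_status user.crt)     # good
CDP=$(cdp_of user.crt)                           # http://99.1.1.99/pathname/myca.crl

# Revoke the user certificate. The Local CA reissues its CRL on every
# revocation or unrevocation; publish_crl models that reissue here.
openssl ca -config ca.cnf -revoke user.crt 2>/dev/null
publish_crl
STATUS_AFTER=$(revocation_status user.crt)      # revoked

echo "CDP in cert: $CDP"
echo "before revocation: $STATUS_BEFORE, after: $STATUS_AFTER"
openssl crl -in myca.crl -noout -lastupdate -nextupdate
```

The last command prints the CRL's validity window; a validator that caches the CRL should refetch it from the CDP no later than nextUpdate, which is why a short lifetime such as the six-hour default bounds how long a revoked certificate can still be accepted by parties that have not yet refreshed.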
The Local CA updates and reissues the CRL every time a user certificate is revoked or unrevoked. If
there are no revocation changes, the CRL is reissued once every CRL lifetime, the period of time you
specify with the lifetime command during Local CA configuration. If you do not specify a CRL lifetime,
the default time period is six hours. An example follows:
hostname(config)# crypto ca server
Cisco Security Appliance Command Line Configuration Guide, OL-12172-03, The Local CA, page 39-23
This manual also applies to the ASA 5500 series.