33-16
Cisco Security Appliance Command Line Configuration Guide
OL-16647-01
Chapter 33 Configuring Certificates
Local Certificate Authority
Publish CRL Interface and Port:
This option makes the CRL available for HTTP download on a given interface and port. Select an interface from the pull-down list. The optional port can be any port number in the range 1-65535; TCP port 80 is the HTTP default port number.
The CDP URL can be configured to use the IP address of an interface, and the path of the CDP URL and the file name can also be configured. (Note that you cannot rename the CRL; it always has the fixed name LOCAL-CA-SERVER.crl.)
For example, the CDP URL could be configured to be:
http://10.10.10.100/user8/my_crl_file
In this case only the interface with that IP address works, and, when the request comes in, the security appliance matches the path /user8/my_crl_file to the configured CDP URL. When the path matches, the security appliance returns the CRL file stored in storage. Note that the protocol must be HTTP, so the prefix is http://.
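As an added illustration of the CDP URL handling described above (example code, not from the Cisco guide), the following Python sketch validates a CDP URL against the stated constraints (http:// prefix, an interface IP address as host, port in 1-65535 defaulting to 80) and serves the fixed CRL file only when a request arrives on the configured address, port and path. The set of interface addresses and the in-memory storage mapping are constructed assumptions standing in for the appliance's configuration and database storage.

```python
from ipaddress import ip_address
from urllib.parse import urlsplit

# The CRL always has this fixed name in storage; only the CDP URL path is configurable.
CRL_FILE_NAME = "LOCAL-CA-SERVER.crl"
HTTP_DEFAULT_PORT = 80


class CdpUrlError(ValueError):
    """Raised when a CDP URL violates one of the constraints described above."""


def parse_cdp_url(url, interface_addresses):
    """Validate a CDP URL and return (address, port, path).

    interface_addresses is the set of IP addresses configured on the appliance's
    interfaces (hypothetical parameter; on the real box it comes from the config).
    """
    try:
        parts = urlsplit(url)
        port = parts.port if parts.port is not None else HTTP_DEFAULT_PORT
    except ValueError:
        raise CdpUrlError("port must be an integer in 1-65535") from None
    if parts.scheme != "http":
        raise CdpUrlError("CDP URL prefix must be http://")
    try:
        address = str(ip_address(parts.hostname))   # hostname must be an IP literal
    except ValueError:
        raise CdpUrlError("CDP URL host must be an interface IP address") from None
    if address not in interface_addresses:
        raise CdpUrlError(f"{address} is not configured on any interface")
    if not 1 <= port <= 65535:
        raise CdpUrlError("port must be in 1-65535")
    return address, port, parts.path


def is_valid_cdp_url(url, interface_addresses):
    try:
        parse_cdp_url(url, interface_addresses)
        return True
    except CdpUrlError:
        return False


def lookup_crl(request_address, request_port, request_path, cdp, storage):
    """Serve the CRL only when the request hits the configured interface, port and path."""
    if (request_address, request_port, request_path) != cdp:
        return None            # wrong interface, port or path: nothing is served
    return storage.get(CRL_FILE_NAME)
```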
CRL Lifetime
The Certificate Revocation List (CRL) Lifetime field specifies the length of time in hours that the CRL
is valid. The default for the CA Certificate is six hours.
The Local CA updates and reissues the CRL every time a user certificate is revoked or unrevoked, but if
there are no revocation changes, the CRL is reissued once every CRL lifetime. You can force an
immediate CRL update and list regeneration with the CRL Issue button on the Manage CA Certificates
panel.
Database Storage Location
The Database Storage Location field allows you to specify a storage area for the Local CA configuration and data files. The security appliance stores and accesses user information, issued certificates, revocation lists, and so forth in a Local CA database.
That Local CA database can be configured to reside on an off-box file system that is mounted and accessible to the security appliance. To specify an external file or share, enter the pathname of the external file or click Browse and search for the file.
Note Flash memory can store a database of 3500 users or fewer, but a database of more than 3500 users requires off-box storage.
Default Subject Name
The Default Subject Name (DN) field allows you to specify a default subject name to append to a username on issued certificates. The permitted DN attribute keywords are listed below:
Default Subject-name-default DN Keywords
CN = Common Name
SN = Surname
O = Organization Name
L = Locality
C = Country
OU = Organization Unit
EA = E-mail Address