Obtain a trusted CA certificate from an external certificate authority, or create one using your own internal CA, for example, with OpenSSL tools. You can upload a file encoded in one of the following supported formats:
Procedure
Step 1 | In the left pane, click Objects > ASA Objects. |
Step 2 | Click and select ASA > Trustpoints. |
Step 3 | Enter an Object Name for the certificate. The name is used in the configuration as an object name only; it does not become part of the certificate itself. |
Step 4 | In the Certificate Type step, select Trusted CA Certificate. |
Step 5 | In the Certificate Contents step, paste the certificate contents in the text box or upload the CA certificate file as explained in the wizard. |
Step 6 | Click Continue. The wizard advances to step 4.
The certificate must follow these guidelines:
- The name of the server in the certificate must match the server Hostname / IP Address. For example, if you use 10.10.10.250 as the IP address but ad.example.com in the certificate, the connection fails.
- The certificate must be an X509 certificate in PEM or DER format.
- The certificate you paste must include the BEGIN CERTIFICATE and END CERTIFICATE lines. For example:
-----BEGIN CERTIFICATE-----
MIIFgTCCA2mgAwIBAgIJANvdcLnabFGYMA0GCSqGSIb3DQEBCwUAMFcxCzAJBgNV
BAYTAlVTMQswCQYDVQQIDAJUWDEPMA0GA1UEBwwGYXVzdGluMRQwEgYDVQQKDAsx
OTIuMTY4LjEuMTEUMBIGA1UEAwwLMTkyLjE2OC4xLjEwHhcNMTYxMDI3MjIzNDE3
WhcNMTcxMDI3MjIzNDE3WjBXMQswCQYDVQQGEwJVUzELMAkGA1UECAwCVFgxDzAN
BgNVBAcMBmF1c3RpbjEUMBIGA1UECgwLMTkyLjE2OC4xLjExFDASBgNVBAMMCzE5
Mi4xNjguMS4xMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA5NceYwtP
ES6Ve+S9z7WLKGX5JlF58AvH82GPkOQdrixn3FZeWLQapTpJZt/vgtAI2FZIK31h
(...20 lines removed...)
hbr6HOgKlOwXbRvOdksTzTEzVUqbgxt5Lwupg3b2ebQhWJz4BZvMsZX9etveEXDh
PY184V3yeSeYjbSCF5rP71fObG9Iu6+u4EfHp/NQv9s9dN5PMffXKieqpuN20Ojv
2b1sfOydf4GMUKLBUMkhQnip6+3W
-----END CERTIFICATE-----
|
Step 7 | In the Advanced Options step, you can configure the following:
In the Revocation tab, you can configure the following:
- Enable Certificate Revocation Lists (CRL) — Check to enable CRL checking.
  By default, the Use CRL distribution point from the certificate check box is selected, so the ASA obtains the URL of the revocation list distribution point from the certificate itself.
  Cache Refresh Time (in minutes) — Enter the number of minutes between cache refreshes. The default is 60 minutes; the range is 1-1440 minutes. To avoid retrieving the same CRL from a CA repeatedly, the ASA can store retrieved CRLs locally, which is called CRL caching. The CRL cache capacity varies by platform and is cumulative across all contexts. If caching a newly retrieved CRL would exceed the storage limit, the ASA removes the least recently used CRL until enough space becomes available.
- Enable Online Certificate Status Protocol (OCSP) — Check to enable OCSP checking.
  OCSP Server URL — The URL of the OCSP server to query for revocation status if you require OCSP checks. This URL must start with http://.
  Disable Nonce Extension — By default, the ASA includes a nonce extension in each OCSP request. The nonce cryptographically binds the request to its response and protects against replay: the responder copies the nonce from the request into the response, and the ASA verifies that the two match. Select this check box to disable the nonce extension if the OCSP server you use sends pregenerated responses that do not include a matching nonce extension.
  Evaluation Priority — Specify whether to evaluate the revocation status of a certificate first by CRL or by OCSP.
- Consider the certificate valid if revocation information cannot be reached — Select this check box to treat the certificate as valid when revocation information is unreachable.
For more information on revocation checking, see the "Digital Certificates" chapter in the "Basic Settings" book of the Cisco ASA Series General Operations ASDM Configuration, X.Y document.
|
Step 8 | Click Add. This creates a trustpoint certificate object. |
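The CRL caching and soft-fail behaviour described under the Revocation options in Step 7 (refresh interval, bounded cache, least-recently-used eviction, and the "consider valid if unreachable" option), modelled as an added example that is not Cisco's or the ASA's code. The class and function names, the byte capacity, and the one-serial-per-line CRL contents are constructed assumptions for illustration.

```python
from collections import OrderedDict

class CrlCache:
    """Model of the documented CRL cache: refresh interval, byte capacity, LRU eviction."""
    def __init__(self, capacity_bytes, refresh_minutes=60, valid_if_unreachable=False):
        if not 1 <= refresh_minutes <= 1440:                # documented range, default 60
            raise ValueError("Cache Refresh Time must be 1-1440 minutes")
        self.capacity, self.refresh_seconds = capacity_bytes, refresh_minutes * 60
        self.valid_if_unreachable = valid_if_unreachable    # the soft-fail check box
        self._entries = OrderedDict()                       # url -> (fetched_at, crl_bytes)
        self.size = 0

    def _fetch_into_cache(self, url, fetch, now):
        crl = fetch(url)                                    # may raise OSError
        old = self._entries.pop(url, None)                  # drop the stale copy, if any
        self.size -= len(old[1]) if old else 0
        while self._entries and self.size + len(crl) > self.capacity:
            _, (_, evicted) = self._entries.popitem(last=False)   # LRU entry sits at the front
            self.size -= len(evicted)
        if len(crl) <= self.capacity:                       # too large to ever fit: use, don't keep
            self._entries[url] = (now, crl)
            self.size += len(crl)
        return crl

    def get(self, url, fetch, now):
        entry = self._entries.get(url)
        if entry and now - entry[0] < self.refresh_seconds:  # still within the refresh time
            self._entries.move_to_end(url)                  # most recently used moves to the back
            return entry[1]
        return self._fetch_into_cache(url, fetch, now)

    def status(self, serial, url, fetch, now):
        """'revoked', 'good', or 'unverified' (the latter only with the soft-fail option on)."""
        try:
            crl = self.get(url, fetch, now)
        except OSError:
            if self.valid_if_unreachable:                   # "Consider the certificate valid if ..."
                return "unverified"
            raise                                           # hard fail: revocation status unknown
        revoked = set(crl.decode().split())                 # constructed stand-in: one serial per line
        return "revoked" if serial in revoked else "good"

def make_fetcher(repository, calls):
    """Constructed stand-in for CRL retrieval: unknown URLs are unreachable; logs each fetch."""
    def fetch(url):
        calls.append(url)
        if url not in repository:
            raise OSError("CRL distribution point unreachable")
        return repository[url]
    return fetch
```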