Generate a trustpoint on a Cisco ASA 5520
Before you can install an SSL certificate you need to configure a trustpoint. Perform the following steps:
Step 1: Create a trustpoint corresponding to the CA from which the security appliance needs to receive its certificate
hostname/contexta(config)# crypto ca trustpoint trustpoint
For example, to declare a trustpoint called Main:
hostname/contexta(config)# crypto ca trustpoint Main
Note: Upon entering this command, you enter crypto ca trustpoint configuration mode.
Step 2: Specify the enrollment method to be used with this trustpoint
To specify the enrollment method, do one of the following:
To specify SCEP enrollment, use the enrollment url command to configure the URL to be used for SCEP enrollment with the trustpoint you declared. For example, if the security appliance requests certificates from trustpoint Main using the URL http://10.29.67.142:80/certsrv/mscep/mscep.dll, then the command would be as follows:
hostname/contexta(config-ca-trustpoint)# enrollment url http://10.29.67.142:80/certsrv/mscep/mscep.dll
To specify manual enrollment, use the enrollment terminal command to indicate that you will paste the certificate received from the CA into the terminal.
Step 3: Specify other characteristics for the trustpoint
The characteristics you need to define depend upon your CA and its configuration. You can specify characteristics for the trustpoint using the following commands. Refer to the Cisco Security Appliance Command Reference for complete descriptions and usage guidelines of these commands.
crl required | optional | nocheck
Specifies CRL configuration options. When you enter the crl command with the optional keyword included within the command statement, certificates from peers can still be accepted by your security appliance even if the CRL is not accessible to your security appliance.
Step 4: Save the trustpoint configuration
To do so, save the running configuration by entering the write memory command.
Note: If you chose to enable required or optional CRL checking, be sure you configure the trustpoint for CRL management, which should be completed after you have obtained certificates. For details about configuring CRL management for a trustpoint, see the:
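The four steps above combined into one worked session, as an added example that is not part of the original page or of Cisco's documentation. It keeps the trustpoint name Main and the SCEP URL from Step 2; the key-pair label Main-Key, the FQDN asa.example.com, the subject DN, the second trustpoint name Manual and the interface name outside are constructed placeholders. The crypto key generate rsa, crypto ca authenticate, crypto ca enroll, ssl trust-point and show crypto ca commands are standard ASA commands that the page itself does not list.

```cisco
! Added example (not from the original page): trustpoint setup on an ASA with
! SCEP enrollment and CRL checking enforced. Names and addresses are placeholders.

! Key pair the certificate will bind to (label Main-Key is an assumption).
hostname/contexta(config)# crypto key generate rsa label Main-Key modulus 2048

! Step 1: declare the trustpoint (name Main, as in the page).
hostname/contexta(config)# crypto ca trustpoint Main

! Step 2: SCEP enrollment against the CA URL from the page, with retry limits
! so a failed enrollment gives up instead of polling the CA indefinitely.
hostname/contexta(config-ca-trustpoint)# enrollment url http://10.29.67.142:80/certsrv/mscep/mscep.dll
hostname/contexta(config-ca-trustpoint)# enrollment retry period 2
hostname/contexta(config-ca-trustpoint)# enrollment retry count 5

! Step 3: identity and revocation settings. fqdn and subject-name values are
! constructed. "crl required" rejects a peer certificate whenever the CRL cannot
! be fetched (fail closed); "crl optional" would accept it in that case.
hostname/contexta(config-ca-trustpoint)# keypair Main-Key
hostname/contexta(config-ca-trustpoint)# fqdn asa.example.com
hostname/contexta(config-ca-trustpoint)# subject-name CN=asa.example.com,O=Example
hostname/contexta(config-ca-trustpoint)# crl required
hostname/contexta(config-ca-trustpoint)# exit

! Manual (cut-and-paste) alternative to SCEP: a second trustpoint whose CA and
! identity certificates are pasted into the terminal instead of fetched.
hostname/contexta(config)# crypto ca trustpoint Manual
hostname/contexta(config-ca-trustpoint)# enrollment terminal
hostname/contexta(config-ca-trustpoint)# keypair Main-Key
hostname/contexta(config-ca-trustpoint)# crl required
hostname/contexta(config-ca-trustpoint)# exit

! Obtain the CA certificate, then request the identity certificate (SCEP case).
hostname/contexta(config)# crypto ca authenticate Main
hostname/contexta(config)# crypto ca enroll Main

! Bind the trustpoint to the interface that serves SSL (interface name assumed).
hostname/contexta(config)# ssl trust-point Main outside

! Step 4: persist the configuration.
hostname/contexta(config)# write memory

! Verify the trustpoint, the certificates now held, and any cached CRLs.
hostname/contexta# show crypto ca trustpoints
hostname/contexta# show crypto ca certificates
hostname/contexta# show crypto ca crls
```

For the Manual trustpoint, crypto ca authenticate Manual prompts you to paste the CA certificate and crypto ca enroll Manual prints a certificate request to submit to the CA out of band; the issued certificate is then imported with crypto ca import. Because both trustpoints use crl required, the appliance will reject peer certificates until CRL retrieval is configured under crl configure, which the note above says to do after the certificates are obtained. On ASA releases from 8.0 onward the crl required | optional | nocheck form is replaced by revocation-check crl (or revocation-check none); the fail-closed versus fail-open distinction is the same.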
Trustpoint configuration mode commands (the commands available in Step 3):
crl configure
Enters CRL configuration mode.
default enrollment
Returns all enrollment parameters to their system default values. Invocations of this command do not become part of the active configuration.
enrollment retry period
(Optional) Specifies a retry period in minutes. This characteristic only applies if you are using SCEP enrollment.
enrollment retry count
(Optional) Specifies a maximum number of permitted retries. This characteristic only applies if you are using SCEP enrollment.
enrollment terminal
Specifies cut-and-paste enrollment with this trustpoint.
enrollment url URL
Specifies automatic enrollment (SCEP) to enroll with this trustpoint and configures the enrollment URL.
fqdn fqdn
During enrollment, asks the CA to include the specified fully qualified domain name in the Subject Alternative Name extension of the certificate.
email address
During enrollment, asks the CA to include the specified email address in the Subject Alternative Name extension of the certificate.
subject-name X.500 name
During enrollment, asks the CA to include the specified subject DN in the certificate.
serial-number
During enrollment, asks the CA to include the security appliance serial number in the certificate.
ip-address ip-address
During enrollment, asks the CA to include the IP address of the security appliance in the certificate.
password string
Specifies a challenge phrase that is registered with the CA during enrollment. The CA typically uses this phrase to authenticate a subsequent revocation request.
keypair name
Specifies the key pair whose public key is to be certified.
id-cert-issuer
Indicates whether the system accepts peer certificates issued by the CA associated with this trustpoint.
accept-subordinates
Indicates whether CA certificates subordinate to the CA associated with the trustpoint are accepted if delivered during the phase one IKE exchange when not previously installed on the device.
support-user-cert-validation
If enabled, the configuration settings to validate a remote user certificate can be taken from this trustpoint, provided that this trustpoint is authenticated to the CA that issued the remote certificate.
exit
Leaves the mode.