Adding an Identity Certificate Object Using PKCS12

This procedure creates an identity certificate object by uploading a certificate file or by pasting existing certificate text into a text box. You can create as many identity certificate objects as you want.

You can upload a file encoded in PKCS12 format. A PKCS12 (PKCS#12, or PFX) file is a single encrypted container that holds the server identity certificate, any intermediate CA certificates, and the private key. Enter the Passphrase value needed to decrypt it.
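Before uploading a PKCS12 bundle, it is worth confirming offline that the passphrase decrypts it, that the private key actually belongs to the identity certificate (not to a bundled intermediate), and what the basic constraints CA flag says. The following added example (not Cisco's code) does this with the third-party Python `cryptography` package; the bundle it inspects is a constructed self-signed sample, and `asa.example.invalid` and the passphrase are made-up values.

```python
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.hazmat.primitives.serialization import pkcs12
from cryptography.x509.oid import NameOID

DER_SPKI = (serialization.Encoding.DER, serialization.PublicFormat.SubjectPublicKeyInfo)


def inspect_pkcs12(data: bytes, passphrase: bytes) -> dict:
    """Decrypt a PKCS#12 blob with its passphrase and report what the ASA would import.

    Raises ValueError if the passphrase is wrong or the bundle lacks a key or certificate.
    """
    key, cert, extra = pkcs12.load_key_and_certificates(data, passphrase)
    if key is None or cert is None:
        raise ValueError("bundle lacks a private key or an identity certificate")
    # The private key must pair with the identity certificate, not with an intermediate.
    key_matches = key.public_key().public_bytes(*DER_SPKI) == cert.public_key().public_bytes(*DER_SPKI)
    try:  # CA flag from the basic constraints extension (the "Enable CA flag" option)
        ca_flag = cert.extensions.get_extension_for_class(x509.BasicConstraints).value.ca
    except x509.ExtensionNotFound:
        ca_flag = False
    return {
        "subject": cert.subject.rfc4514_string(),
        "intermediates": len(extra),  # CA/intermediate certificates bundled alongside
        "key_matches_cert": key_matches,
        "ca_flag": ca_flag,
    }


def build_sample_pkcs12(passphrase: bytes) -> bytes:
    """Constructed sample bundle: a self-signed end-entity certificate plus its key."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "asa.example.invalid")])
    now = datetime.datetime.now(datetime.timezone.utc)
    cert = (
        x509.CertificateBuilder()
        .subject_name(name).issuer_name(name).public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=365))
        .add_extension(x509.BasicConstraints(ca=False, path_length=None), critical=True)
        .sign(key, hashes.SHA256())
    )
    return pkcs12.serialize_key_and_certificates(
        b"asa-identity", key, cert, None, serialization.BestAvailableEncryption(passphrase)
    )


if __name__ == "__main__":
    blob = build_sample_pkcs12(b"example-passphrase")
    print(inspect_pkcs12(blob, b"example-passphrase"))
```

To check a real file, read it with `open("identity.pfx", "rb").read()` and pass the passphrase you intend to enter in the Certificate Contents step.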

Procedure
Step 1

In the left pane, click Objects > ASA Objects.

Step 2

Click and select ASA > Trustpoints.

Step 3

Enter an Object Name for the certificate. The name is used in the configuration as an object name only; it does not become part of the certificate itself.

Step 4

In the Certificate Type step, select Identity Certificate.

Step 5

In the Import Type step, select Upload to upload the certificate file.

The Enrollment step is set to Terminal.

Step 6

In the Certificate Contents step, enter the PKCS12 format details.

A PKCS#12, or PFX, file holds a server certificate, intermediate certificates, and a private key in one encrypted file. Enter the Passphrase value for decryption.

Step 7

Click Continue.

Step 8

In the Advanced Options step, you can configure the following:

In the Revocation tab, you can configure the following:

  • Enable Certificate Revocation Lists (CRL) — Check to enable CRL checking.

    By default the Use CRL distribution point from the certificate check box is selected to obtain the revocation lists distribution URL from the certificate.

    Cache Refresh Time (in minutes) — Enter the number of minutes between cache refreshes. The default is 60 minutes. The range is 1-1440 minutes. To avoid having to retrieve the same CRL from a CA repeatedly, the ASA can store retrieved CRLs locally, which is called CRL caching. The CRL cache capacity varies by platform and is cumulative across all contexts. If an attempt to cache a newly retrieved CRL would exceed its storage limits, the ASA removes the least recently used CRL until more space becomes available.

  • Enable Online Certificate Status Protocol (OCSP) — Check to enable OCSP checking.

    OCSP Server URL — The URL of the OCSP server to query for revocation status if you require OCSP checks. This URL must start with http://.

    Disable Nonce Extension — The nonce extension cryptographically binds an OCSP request to its response to prevent replay attacks: the nonce in the request must match the nonce in the response. Uncheck the Disable Nonce Extension check box if the OCSP server you are using sends pregenerated responses that do not include this matching nonce extension.

    Evaluation Priority — Specify whether to evaluate the revocation status of a certificate first by CRL or by OCSP.

  • Consider the certificate valid if revocation information cannot be reached — Select this check box to treat the certificate as valid if revocation information is unreachable.

    For more information on revocation check, see the "Digital Certificates" chapter in the "Basic Settings" book of the Cisco ASA Series General Operations ASDM Configuration, X.Y document.

Click the Others tab:

  • Use CA Certificate for the Validation of — Specify the type of connections that can be validated by this CA.

    • IPSec Client — Validates certificates presented by remote SSL servers.

    • SSL Client — Validates certificates presented by incoming SSL connections.

    • SSL Server — Validates certificates presented by incoming IPSec connections.

  • Use Identity Certificate for — Specify how the enrolled ID certificate can be used.

    • SSL & IPSec — Use for authenticating SSL and IPSec connections.

    • Code Signer — Code signer certificates are special certificates whose associated private keys are used to create digital signatures. The certificates used to sign code are obtained from a CA, with the signed code itself revealing the certificate origin.

  • Other Options:

    • Enable CA flag in basic constraints extension — Select this option if this certificate should be able to sign other certificates. The basic constraints extension identifies whether the subject of the certificate is a Certificate Authority (CA), in which case the certificate can be used to sign other certificates. The CA flag is part of this extension. The presence of these items in a certificate i

    • Accept certificates issued by this CA — Select this option to indicate that the ASA should accept certificates from the specified CA.

    • Ignore IPSec Key Usage — Select this option if you do not want to validate values in the key usage and extended key usage extensions of IPsec remote client certificates. You can suppress key usage checking on IPsec client certificates. By default, this option is not enabled.

Step 9

Click Add.