Specifications
29-7
Cisco Security Appliance Command Line Configuration Guide
OL-6721-01
Chapter 29 Configuring Certificates
 Certificate Configuration
Step 2 Specify the enrollment method to be used with this trustpoint.
Note If the trustpoint uses DSA keys, enrollment must be manual. The security appliance does not 
support automatic enrollment for certification with DSA keys.
To specify the enrollment method, do one of the following:
• To specify SCEP enrollment, use the enrollment url command to configure the URL to be used for 
SCEP enrollment with the trustpoint you declared. For example, if the security appliance requests 
certificates from trustpoint Main using the URL http://10.29.67.142:80/certsrv/mscep/mscep.dll, 
then the command would be as follows:
hostname/contexta(config-ca-trustpoint)# enrollment url http://10.29.67.142:80/certsrv/mscep/mscep.dll
• To specify manual enrollment, use the enrollment terminal command to indicate that you will paste 
the certificate received from the CA into the terminal.
Step 3 As needed, specify other characteristics for the trustpoint. The characteristics you need to define depend 
upon your CA and its configuration. You can specify characteristics for the trustpoint using the following 
commands. Refer to the Cisco Security Appliance Command Reference for complete descriptions and 
usage guidelines of these commands.
• crl required | optional | nocheck—Specifies CRL configuration options. With the required keyword, the security appliance rejects a peer certificate if it cannot obtain the CRL needed to check that certificate. With the optional keyword, certificates from peers can still be accepted by your security appliance even if the CRL is not accessible to your security appliance, so a revoked certificate is accepted whenever the CRL distribution point is unreachable. With the nocheck keyword, revocation checking is not performed at all.
Note If you choose to enable required or optional CRL checking, be sure you configure the 
trustpoint for CRL management, which should be completed after you have obtained 
certificates. For details about configuring CRL management for a trustpoint, see the 
“Configuring CRLs for a Trustpoint” section on page 29-12.
• crl configure—Enters CRL configuration mode.
• default enrollment—Returns all enrollment parameters to their system default values. Invocations 
of this command do not become part of the active configuration.
• enrollment retry period—(Optional) Specifies a retry period in minutes. This characteristic only 
applies if you are using SCEP enrollment.
• enrollment retry count—(Optional) Specifies a maximum number of permitted retries. This 
characteristic only applies if you are using SCEP enrollment.
• enrollment terminal—Specifies cut-and-paste (manual) enrollment with this trustpoint.
• enrollment url URL—Specifies automatic enrollment (SCEP) to enroll with this trustpoint and 
configures the enrollment URL.
• fqdn fqdn—During enrollment, asks the CA to include the specified fully qualified domain name in 
the Subject Alternative Name extension of the certificate.
• email address—During enrollment, asks the CA to include the specified email address in the 
Subject Alternative Name extension of the certificate.
• subject-name X.500 name—During enrollment, asks the CA to include the specified subject DN in 
the certificate.
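The following is an added, complete example of Steps 2 and 3 for one trustpoint; it is not part of the original guide. It assumes that Step 1 (on the preceding page) declared the trustpoint Main with the crypto ca trustpoint command, and the trustpoint name, hostname, address and subject values are placeholders chosen for illustration. The first block configures SCEP enrollment with the same URL used above, requests names for the certificate, and makes revocation checking mandatory; the second shows the manual (terminal) enrollment that the note under Step 2 requires for DSA keys.

```text
! SCEP (automatic) enrollment against a Microsoft CA, trustpoint Main
hostname/contexta(config)# crypto ca trustpoint Main
hostname/contexta(config-ca-trustpoint)# enrollment url http://10.29.67.142:80/certsrv/mscep/mscep.dll
hostname/contexta(config-ca-trustpoint)# enrollment retry period 2
hostname/contexta(config-ca-trustpoint)# enrollment retry count 5
! Names requested for the certificate; placeholders, and the CA may still
! override them according to its own policy
hostname/contexta(config-ca-trustpoint)# fqdn vpn.example.com
hostname/contexta(config-ca-trustpoint)# email admin@example.com
hostname/contexta(config-ca-trustpoint)# subject-name CN=vpn.example.com,OU=Security,O=Example
! Reject peer certificates when the CRL cannot be retrieved. This needs the
! CRL management configuration from "Configuring CRLs for a Trustpoint"
! (page 29-12) once the certificates have been obtained.
hostname/contexta(config-ca-trustpoint)# crl required
hostname/contexta(config-ca-trustpoint)# exit

! Manual (cut-and-paste) enrollment, required when the trustpoint uses DSA keys.
! Trustpoint name is a placeholder.
hostname/contexta(config)# crypto ca trustpoint Main-DSA
hostname/contexta(config-ca-trustpoint)# enrollment terminal
hostname/contexta(config-ca-trustpoint)# fqdn vpn.example.com
hostname/contexta(config-ca-trustpoint)# crl required
hostname/contexta(config-ca-trustpoint)# exit
```

In the first block the SCEP retries are bounded explicitly (five attempts, two minutes apart) so a failed enrollment fails visibly instead of retrying indefinitely. Both trustpoints use crl required rather than crl optional: with optional, a peer presenting a revoked certificate is accepted whenever the CRL distribution point is unreachable, which an attacker positioned on the network path between the security appliance and the CA can arrange.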