Cisco Systems OL-16647-01 User Manual

Cisco Security Appliance Command Line Configuration Guide, OL-16647-01
Chapter 33
Configuring Certificates
Digital certificates provide digital identification for authentication. A digital certificate contains 
information that identifies a device or user, such as the name, serial number, company, department, or IP 
address. CAs issue digital certificates in the context of a PKI, which uses public-key/private-key 
encryption to ensure security. CAs are trusted authorities that “sign” certificates to verify their 
authenticity, thus guaranteeing the identity of the device or user. 
For authentication using digital certificates, there must be at least one identity certificate and its issuing 
CA certificate on a security appliance, which allows for multiple identities, roots and certificate 
hierarchies. There are a number of different types of digital certificates, listed below:
• A CA certificate is one used to sign other certificates. A CA certificate that is self-signed is called
a root certificate; one issued by another CA certificate is called a subordinate certificate. See
• CAs also issue identity certificates, which are the certificates for specific systems or hosts. See
• Code-signer certificates are special certificates used to create digital signatures to sign code, with
the signed code itself revealing the certificate origin. See
• The Local Certificate Authority (CA) integrates an independent certificate authority functionality
on the security appliance, deploys certificates, and provides secure revocation checking of issued
certificates. The Local CA provides a secure, configurable in-house authority for certificate
authentication with user enrollment by browser web page login. See
.
CA Certificate Authentication
The CA Certificates panel allows you to authenticate self-signed or subordinate CA certificates and to 
install them on the security appliance. You can create a new certificate configuration or you can edit an 
existing one.
If the certificate you select is configured for manual enrollment, you should obtain the CA certificate 
manually and import it here. If the certificate you select is configured for automatic enrollment, the 
security appliance uses the SCEP protocol to contact the CA, and then automatically obtains and installs 
the certificate.
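The two enrollment modes described above, shown as security appliance CLI commands. This is an added example, not text from the original guide; the trustpoint names, key label, subject name and SCEP URL are hypothetical.

```cisco
! Added example. MANUAL-TP, SCEP-TP, SCEP-KEY, asa.example.com and the
! enrollment URL are hypothetical names. Enter from global configuration mode.

! Manual enrollment: the CA certificate is obtained out of band and pasted in.
crypto ca trustpoint MANUAL-TP
 enrollment terminal
 exit
crypto ca authenticate MANUAL-TP
! At the prompt, paste the base64-encoded CA certificate and end the input
! with a line containing only the word: quit
! The appliance displays the certificate fingerprint and asks whether to
! accept it. Compare the fingerprint with the value supplied by the CA
! administrator over a separate channel before answering yes.

! Automatic enrollment: the appliance contacts the CA over SCEP.
crypto key generate rsa label SCEP-KEY modulus 2048
crypto ca trustpoint SCEP-TP
 enrollment url http://ca.example.com/certsrv/mscep/mscep.dll
 subject-name CN=asa.example.com
 keypair SCEP-KEY
 exit
! Retrieve and install the CA certificate. SCEP runs over plain HTTP, so the
! fingerprint shown here is the only check that the certificate really comes
! from the intended CA. Verify it out of band before accepting.
crypto ca authenticate SCEP-TP
! Request the identity certificate from the same CA.
crypto ca enroll SCEP-TP

! Confirm what was installed: issuer, subject, validity dates and usage.
show crypto ca certificates MANUAL-TP
show crypto ca certificates SCEP-TP
```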
CA Certificates Fields
Certificates—Displays a list of the available certificates, identified by whom each was issued to and
issued by, the date the certificate expires, and the certificate's usage or purpose. You can click a
certificate in the list and edit its configuration, or you can add a new certificate to the displayed list.