Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM
Chapter 12 Configuring Certificates
OL-20748-01

Certificate Configuration

Preparing for Certificates

Before you configure an FWSM with certificates, be sure that the FWSM is correctly configured to support certificates. An incorrectly configured FWSM can cause enrollment to fail or create a certificate that includes inaccurate information.

To prepare the FWSM for certificates, perform the following steps:

Step 1 Be sure that the hostname and domain name of the FWSM are configured correctly. To view the hostname and domain name as currently configured, enter the following command:

hostname(config)# show running-config

For information about configuring the hostname, see the "Setting the Hostname" section on page 7-3. For information about configuring the domain name, see the "Setting the Domain Name" section on page 7-4. For example:

hostname(config)# domain-name example.com

Step 2 Be sure that the FWSM clock is set accurately before configuring the CA. Certificates have a date and time on which they become valid and then expire. When the FWSM enrolls with a CA and obtains a certificate, the FWSM checks that the current time is within the valid range for the certificate. If the time is outside that range, enrollment fails.

For information about setting the clock, see the section on page 7-4.

Generating Key Pairs

Key pairs are RSA keys, as discussed in the "About Key Pairs" section on page 12-2. You must generate key pairs for the types of certification that you want to use.

To generate key pairs, perform the following steps:

Step 1 Generate the types of key pairs needed for your PKI implementation. To do so, perform the following steps, as applicable:

a. To generate RSA key pairs, enter the following command:

hostname/contexta(config)# crypto key generate rsa

If you do not use additional keywords, executing this command generates one general-purpose RSA key pair. Because the key modulus is not specified, the default key modulus of 1024 bits is used. You can specify other modulus sizes with the modulus keyword.

Note Many SSL connections using identity certificates with RSA key pairs that exceed 1024 bits can cause high CPU usage on the FWSM and rejected clientless logins.

b. You can also assign a label to each key pair using the label keyword. The label is referenced by the trustpoint that uses the key pair. If you do not assign a label, the key pair is automatically labeled Default-RSA-Key.

To assign a label to each key pair, enter the following command:

hostname/contexta(config)# crypto key generate rsa label key-pair-label
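The following session is an added example, not taken from the configuration guide: it strings the preparation steps and the key-pair generation together and shows how a trustpoint refers to the key-pair label. The hostname fwsm1, the domain example.com, the label VPN-RSA-Key, the trustpoint name CA1 and the clock value are assumed, and the keypair trustpoint subcommand is assumed to behave as it does on the ASA.

```cisco
! Added example (not from the guide). Assumed values: hostname fwsm1,
! domain example.com, key-pair label VPN-RSA-Key, trustpoint CA1.
! Step 1: set the names that will appear in the certificate subject.
hostname(config)# hostname fwsm1
fwsm1(config)# domain-name example.com
! Step 2: set the clock before enrolling; a current time outside the
! certificate validity window makes enrollment fail.
fwsm1(config)# clock set 14:30:00 1 Jun 2010
fwsm1(config)# show clock
! Confirm both names are present in the running configuration.
fwsm1(config)# show running-config | include hostname
fwsm1(config)# show running-config | include domain-name
! Generate a labeled general-purpose RSA key pair; the modulus is given
! explicitly (1024 bits, matching the CPU note above).
fwsm1(config)# crypto key generate rsa label VPN-RSA-Key modulus 1024
! Reference the label from the trustpoint that will use this key pair
! (keypair subcommand assumed to exist as on the ASA).
fwsm1(config)# crypto ca trustpoint CA1
fwsm1(config-ca-trustpoint)# keypair VPN-RSA-Key
fwsm1(config-ca-trustpoint)# exit
! Verify the generated key pair and its label.
fwsm1(config)# show crypto key mypubkey rsa
```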