Cisco ASA Series Command Reference, I - R Commands
isakmp am-disable -- issuer-name

Table of Contents

isakmp am-disable through issuer-name Commands

isakmp am-disable

isakmp disconnect-notify

isakmp enable

isakmp identity

isakmp ipsec-over-tcp

isakmp keepalive

isakmp nat-traversal

isakmp policy authentication

isakmp policy encryption

isakmp policy group

isakmp policy hash

isakmp policy lifetime

isakmp reload-wait

issuer

issuer-name

isakmp am-disable through issuer-name Commands

isakmp am-disable

To disable inbound aggressive mode connections, use the isakmp am-disable command in global configuration mode. To enable inbound aggressive mode connections, use the no form of this command.

isakmp am-disable

no isakmp am-disable

 
Syntax Description

This command has no arguments or keywords.

 
Defaults

The default value is enabled.

 
Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration

  • Yes

  • Yes

 
Command History

Release
Modification

7.0(1)

This command was introduced.

7.2(1)

This command was deprecated. The crypto isakmp am-disable command replaced it.

Examples

The following example, entered in global configuration mode, disables inbound aggressive mode connections:

ciscoasa(config)# isakmp am-disable
 

 
Related Commands

Command
Description

clear configure isakmp

Clears all the ISAKMP configuration.

clear configure isakmp policy

Clears all ISAKMP policy configuration.

clear isakmp sa

Clears the IKE runtime SA database.

show running-config isakmp

Displays all the active configuration.

isakmp disconnect-notify

To enable disconnect notification to peers, use the isakmp disconnect-notify command in global configuration mode. To disable disconnect notification, use the no form of this command.

isakmp disconnect-notify

no isakmp disconnect-notify

 
Syntax Description

This command has no arguments or keywords.

 
Defaults

The default value is disabled.

 
Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration

  • Yes

  • Yes

 
Command History

Release
Modification

7.0(1)

This command was introduced.

7.2(1)

This command was deprecated. The crypto isakmp disconnect-notify command replaced it.

Examples

The following example, entered in global configuration mode, enables disconnect notification to peers:

ciscoasa(config)# isakmp disconnect-notify
 

 
Related Commands

Command
Description

clear configure isakmp

Clears all the ISAKMP configuration.

clear configure isakmp policy

Clears all ISAKMP policy configuration.

clear isakmp sa

Clears the IKE runtime SA database.

show running-config isakmp

Displays all the active configuration.

isakmp enable

To enable ISAKMP negotiation on the interface on which the IPsec peer communicates with the ASA, use the isakmp enable command in global configuration mode. To disable ISAKMP on the interface, use the no form of this command.

isakmp enable interface-name

no isakmp enable interface-name

 
Syntax Description

interface-name

Specifies the name of the interface on which to enable or disable ISAKMP negotiation.

 
Defaults

No default behavior or values.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration

  • Yes

  • Yes

 
Command History

Release
Modification

7.0(1)

This command was introduced.

7.2(1)

This command was deprecated. The crypto isakmp enable command replaced it.

Examples

The following example, entered in global configuration mode, shows how to disable ISAKMP on the inside interface:

ciscoasa(config)# no isakmp enable inside
 

 
Related Commands

Command
Description

clear configure isakmp

Clears all the ISAKMP configuration.

clear configure isakmp policy

Clears all ISAKMP policy configuration.

clear isakmp sa

Clears the IKE runtime SA database.

show running-config isakmp

Displays all the active configuration.

isakmp identity

To set the Phase 2 ID to be sent to the peer, use the isakmp identity command in global configuration mode. To return to the default setting, use the no form of this command.

isakmp identity { address | hostname | key-id key-id-string | auto }

no isakmp identity { address | hostname | key-id key-id-string | auto }

 
Syntax Description

address

Uses the IP address of the host exchanging ISAKMP identity information.

auto

Determines the ISAKMP identity by connection type: the IP address for preshared-key authentication, or the certificate DN for certificate authentication.

hostname

Uses the fully qualified domain name of the host exchanging ISAKMP identity information (default). This name comprises the hostname and the domain name.

key-id key-id-string

Specifies the string used by the remote peer to look up the preshared key.

 
Defaults

The default ISAKMP identity is the isakmp identity hostname command.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration

  • Yes

  • Yes

 
Command History

Release
Modification

7.0(1)

This command was introduced.

7.2(1)

This command was deprecated. The crypto isakmp identity command replaced it.

Examples

The following example, entered in global configuration mode, sets the ISAKMP identity to be determined by connection type (IP address for preshared keys, certificate DN for certificate authentication):

ciscoasa(config)# isakmp identity auto
 

 
Related Commands

Command
Description

clear configure isakmp

Clears all the ISAKMP configuration.

clear configure isakmp policy

Clears all ISAKMP policy configuration.

clear isakmp sa

Clears the IKE runtime SA database.

show running-config isakmp

Displays all the active configuration.

isakmp ipsec-over-tcp

To enable IPsec over TCP, use the isakmp ipsec-over-tcp command in global configuration mode. To disable IPsec over TCP, use the no form of this command.

isakmp ipsec-over-tcp [ port port1...port10 ]

no isakmp ipsec-over-tcp [ port port1...port10 ]

 
Syntax Description

port port1...port10

(Optional) Specifies the ports on which the device accepts IPsec over TCP connections. You can list up to 10 ports. Port numbers can be in the range of 1-65535. The default port number is 10000.

 
Defaults

The default value is disabled.

 
Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration

  • Yes

  • Yes

 
Command History

Release
Modification

7.0(1)

This command was introduced.

7.2(1)

This command was deprecated. The crypto isakmp ipsec-over-tcp command replaced it.

Examples

This example, entered in global configuration mode, enables IPsec over TCP on port 45:

ciscoasa(config)# isakmp ipsec-over-tcp port 45
 

 
Related Commands

Command
Description

clear configure isakmp

Clears all the ISAKMP configuration.

clear configure isakmp policy

Clears all ISAKMP policy configuration.

clear isakmp sa

Clears the IKE runtime SA database.

show running-config isakmp

Displays all the active configuration.

isakmp keepalive

To configure IKE keepalives, use the isakmp keepalive command in tunnel-group ipsec-attributes configuration mode. To return the keepalive parameters to enabled with default threshold and retry values, use the no form of this command.

isakmp keepalive [ threshold seconds | infinite ] [ retry seconds ] [ disable ]

no isakmp keepalive disable [ threshold seconds | infinite ] [ retry seconds ] [ disable ]

 
Syntax Description

disable

Disables IKE keepalive processing, which is enabled by default.

infinite

The ASA never initiates keepalive monitoring.

retry seconds

Specifies the interval in seconds between retries after a keepalive response has not been received. The range is 2-10 seconds. The default is 2 seconds.

threshold seconds

Specifies the number of seconds that the peer can idle before beginning keepalive monitoring. The range is 10-3600 seconds. The default is 10 seconds for a LAN-to-LAN group, and 300 seconds for a remote access group.

 
Defaults

The default for a remote access group is a threshold of 300 seconds and a retry of 2 seconds.

For a LAN-to-LAN group, the default is a threshold of 10 seconds and a retry of 2 seconds.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Tunnel-group ipsec-attributes configuration

  • Yes

  • Yes

 
Command History

Release
Modification

7.0(1)

This command was introduced.

 
Usage Guidelines

In every tunnel group, IKE keepalives are enabled by default with default threshold and retry values. You can apply this attribute only to IPsec remote access and IPsec LAN-to-LAN tunnel group types.

Examples

The following example, entered in tunnel-group ipsec-attributes configuration mode, configures IKE DPD, establishes a threshold of 15, and specifies a retry interval of 10 for the IPsec LAN-to-LAN tunnel group with the IP address 209.165.200.225:

ciscoasa(config)# tunnel-group 209.165.200.225 type IPSec_L2L
ciscoasa(config)# tunnel-group 209.165.200.225 ipsec-attributes
ciscoasa(config-tunnel-ipsec)# isakmp keepalive threshold 15 retry 10
ciscoasa(config-tunnel-ipsec)#

 
Related Commands

Command
Description

clear-configure tunnel-group

Clears all configured tunnel groups.

show running-config tunnel-group

Shows the tunnel group configuration for all tunnel groups or for a particular tunnel group.

tunnel-group ipsec-attributes

Configures the tunnel group IPsec attributes for this group.

isakmp nat-traversal

To enable NAT traversal globally, check that ISAKMP is enabled (you can enable it with the isakmp enable command) in global configuration mode and then use the isakmp nat-traversal command. If you have enabled NAT traversal, you can disable it with the no form of this command.

isakmp nat-traversal natkeepalive

no isakmp nat-traversal natkeepalive

 
Syntax Description

natkeepalive

Sets the NAT keepalive interval, from 10 to 3600 seconds. The default is 20 seconds.

 
Defaults

By default, NAT traversal (isakmp nat-traversal command) is disabled.

 
Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration

  • Yes

  • Yes

 
Command History

Release
Modification

7.0(1)

This command was introduced.

7.2(1)

This command was deprecated. The crypto isakmp nat-traversal command replaced it.

 
Usage Guidelines

Network Address Translation (NAT), including Port Address Translation (PAT), is used in many networks where IPsec is also used, but there are a number of incompatibilities that prevent IPsec packets from successfully traversing NAT devices. NAT traversal enables ESP packets to pass through one or more NAT devices.

The ASA supports NAT traversal as described by Version 2 and Version 3 of the IETF “UDP Encapsulation of IPsec Packets” draft, available at http://www.ietf.org/html.charters/ipsec-charter.html, and NAT traversal is supported for both dynamic and static crypto maps.

This command enables NAT-T globally on the ASA. To disable in a crypto-map entry, use the crypto map set nat-t-disable command.

Examples

The following example, entered in global configuration mode, enables ISAKMP and then enables NAT traversal with an interval of 30 seconds:

ciscoasa(config)# isakmp enable
ciscoasa(config)# isakmp nat-traversal 30
 

 
Related Commands

Command
Description

clear configure isakmp

Clears all the ISAKMP configuration.

clear configure isakmp policy

Clears all ISAKMP policy configuration.

clear isakmp sa

Clears the IKE runtime SA database.

show running-config isakmp

Displays all the active configuration.

isakmp policy authentication

To specify an authentication method within an IKE policy, use the isakmp policy authentication command in global configuration mode. To remove the ISAKMP authentication method, use the clear configure command.

isakmp policy priority authentication { crack | pre-share | rsa-sig }

 
Syntax Description

crack

Specifies IKE Challenge/Response for Authenticated Cryptographic Keys (CRACK) as the authentication method.

pre-share

Specifies preshared keys as the authentication method.

priority

Uniquely identifies the IKE policy and assigns a priority to the policy. Use an integer from 1 to 65,534, with 1 being the highest priority and 65,534 the lowest.

rsa-sig

Specifies RSA signatures as the authentication method.

RSA signatures provide non-repudiation for the IKE negotiation. This means you can prove to a third party whether or not you had an IKE negotiation with the peer.

 
Defaults

The default ISAKMP policy authentication is the pre-share option.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration

  • Yes

  • Yes

 
Command History

Release
Modification

7.0(1)

This command was introduced.

 
Usage Guidelines

IKE policies define a set of parameters for IKE negotiation. If you specify RSA signatures, you must configure the ASA and its peer to obtain certificates from a certification authority (CA). If you specify preshared keys, you must separately configure these preshared keys within the ASA and its peer.

Examples

The following example, entered in global configuration mode, sets the authentication method of RSA signatures to be used within the IKE policy with the priority number of 40:

ciscoasa(config)# isakmp policy 40 authentication rsa-sig
 

 
Related Commands

Command
Description

clear configure isakmp

Clears all the ISAKMP configuration.

clear configure isakmp policy

Clears all ISAKMP policy configuration.

clear isakmp sa

Clears the IKE runtime SA database.

show running-config isakmp

Displays all the active configuration.

isakmp policy encryption

To specify the encryption algorithm to use within an IKE policy, use the isakmp policy encryption command in global configuration mode. To reset the encryption algorithm to the default value, use the no form of this command.

isakmp policy priority encryption { aes | aes-192 | aes-256 | des | 3des }

no isakmp policy priority encryption { aes | aes-192 | aes-256 | des | 3des }

 
Syntax Description

3des

Specifies that the triple DES encryption algorithm be used in the IKE policy.

aes

Specifies that the encryption algorithm to use in the IKE policy is AES with a 128-bit key.

aes-192

Specifies that the encryption algorithm to use in the IKE policy is AES with a 192-bit key.

aes-256

Specifies that the encryption algorithm to use in the IKE policy is AES with a 256-bit key.

des

Specifies that the encryption algorithm to use in the IKE policy is 56-bit DES-CBC.

priority

Uniquely identifies the IKE policy and assigns a priority to the policy. Use an integer from 1 to 65,534, with 1 being the highest priority and 65,534 the lowest.

 
Defaults

The default ISAKMP policy encryption is 3des.

 
Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration

  • Yes

  • Yes

 
Command History

Release
Modification

7.0(1)

This command was introduced.

7.2(1)

This command was deprecated. The crypto isakmp policy encryption command replaced it.

Examples

The following example, entered in global configuration mode, sets 128-bit key AES encryption as the algorithm to be used within the IKE policy with the priority number of 25:

ciscoasa(config)# isakmp policy 25 encryption aes
 

The following example, entered in global configuration mode, sets the 3DES algorithm to be used within the IKE policy with the priority number of 40:

ciscoasa(config)# isakmp policy 40 encryption 3des
ciscoasa(config)#

 
Related Commands

Command
Description

clear configure isakmp

Clears all the ISAKMP configuration.

clear configure isakmp policy

Clears all ISAKMP policy configuration.

clear isakmp sa

Clears the IKE runtime SA database.

show running-config isakmp

Displays all the active configuration.

isakmp policy group

To specify the Diffie-Hellman group for an IKE policy, use the isakmp policy group command in global configuration mode. To reset the Diffie-Hellman group identifier to the default value, use the no form of this command.

isakmp policy priority group { 1 | 2 | 5 }

no isakmp policy priority group

 
Syntax Description

group 1

Specifies that the 768-bit Diffie-Hellman group be used in the IKE policy. This is the default value.

group 2

Specifies that the 1024-bit Diffie-Hellman group 2 be used in the IKE policy.

group 5

Specifies that the 1536-bit Diffie-Hellman group 5 be used in the IKE policy.

priority

Uniquely identifies the Internet Key Exchange (IKE) policy and assigns a priority to the policy. Use an integer from 1 to 65,534, with 1 being the highest priority and 65,534 the lowest.

 
Defaults

The default is group 2.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration

  • Yes

  • Yes

 
Command History

Release
Modification

7.0(1)

This command was introduced. Group 7 was added.

7.2(1)

This command was deprecated. The crypto isakmp policy group command replaced it.

8.0(4)

The group 7 command option was deprecated. Attempts to configure group 7 will generate an error message and use group 5 instead.

 
Usage Guidelines

IKE policies define a set of parameters to use during IKE negotiation.

There are three group options: 768-bit (DH Group 1), 1024-bit (DH Group 2), and 1536-bit (DH Group 5). The 1024-bit and 1536-bit Diffie-Hellman Groups provide stronger security, but require more CPU time to execute.


Note The Cisco VPN Client Version 3.x or higher requires ISAKMP policy to have DH group 2 configured. (If you have DH group 1 configured, the Cisco VPN Client cannot connect.)

AES support is available on ASAs licensed for VPN-3DES only. Due to the large key sizes provided by AES, ISAKMP negotiation should use Diffie-Hellman (DH) group 5 instead of group 1 or group 2. This is done with the isakmp policy priority group 5 command.


Examples

The following example, entered in global configuration mode, sets group 2, the 1024-bit Diffie-Hellman group, to use for the IKE policy with the priority number of 40:

ciscoasa(config)# isakmp policy 40 group 2
 

 
Related Commands

Command
Description

clear configure isakmp

Clears all the ISAKMP configuration.

clear configure isakmp policy

Clears all ISAKMP policy configuration.

clear isakmp sa

Clears the IKE runtime SA database.

show running-config isakmp

Displays all the active configuration.

isakmp policy hash

To specify the hash algorithm for an IKE policy, use the isakmp policy hash command in global configuration mode. To reset the hash algorithm to the default value of SHA-1, use the no form of this command.

isakmp policy priority hash { md5 | sha }

no isakmp policy priority hash

 
Syntax Description

md5

Specifies that MD5 (HMAC variant) be used as the hash algorithm in the IKE policy.

priority

Uniquely identifies the IKE policy and assigns a priority to the policy. Use an integer from 1 to 65,534, with 1 being the highest priority and 65,534 the lowest.

sha

Specifies that SHA-1 (HMAC variant) be used as the hash algorithm in the IKE policy.

 
Defaults

The default hash algorithm is SHA-1.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration

  • Yes

  • Yes

 
Command History

Release
Modification

7.0(1)

This command was introduced.

7.2(1)

This command was deprecated. The crypto isakmp policy hash command replaced it.

 
Usage Guidelines

IKE policies define a set of parameters to be used during IKE negotiation.

There are two hash algorithm options: SHA-1 and MD5. MD5 has a smaller digest and is considered to be slightly faster than SHA-1.

Examples

The following example, entered in global configuration mode, specifies that the MD5 hash algorithm be used within the IKE policy, with the priority number of 40:

ciscoasa(config)# isakmp policy 40 hash md5
 

 
Related Commands

Command
Description

clear configure isakmp

Clears all the ISAKMP configuration.

clear configure isakmp policy

Clears all ISAKMP policy configuration.

clear isakmp sa

Clears the IKE runtime SA database.

show running-config isakmp

Displays all the active configuration.

isakmp policy lifetime

To specify the lifetime of an IKE security association before it expires, use the isakmp policy lifetime command in global configuration mode. To reset the security association lifetime to the default value of 86,400 seconds (one day), use the no form of this command.

isakmp policy priority lifetime seconds

no isakmp policy priority lifetime

 
Syntax Description

priority

Uniquely identifies the IKE policy and assigns a priority to the policy. Use an integer from 1 to 65,534, with 1 being the highest priority and 65,534 the lowest.

seconds

Specifies how many seconds each security association should exist before expiring. To propose a finite lifetime, use an integer from 120 to 2147483647 seconds. Use 0 seconds for an infinite lifetime.

 
Defaults

The default value is 86,400 seconds (one day).

 
Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration

  • Yes

  • Yes

 
Command History

Release
Modification

7.0(1)

This command was introduced.

7.2(1)

This command was deprecated. The crypto isakmp policy lifetime command replaced it.

 
Usage Guidelines

When IKE begins negotiations, it seeks to agree upon the security parameters for its own session. Then the security association at each peer refers to the agreed-upon parameters. The peers retain the security association until the lifetime expires. Before a security association expires, subsequent IKE negotiations can use it, which can save time when setting up new IPsec security associations. The peers negotiate new security associations before current security associations expire.

With longer lifetimes, the ASA sets up future IPsec security associations more quickly. Encryption strength is great enough to ensure security without using very fast rekey times, on the order of every few minutes. We recommend that you accept the default, but you can specify an infinite lifetime if the peer does not propose a lifetime.


Note If the IKE security association is set to an infinite lifetime, but the peer proposes a finite lifetime, then the negotiated finite lifetime from the peer is used.


Examples

The following example, entered in global configuration mode, sets the lifetime of the IKE security association to 50,400 seconds (14 hours) within the IKE policy with the priority number of 40:

ciscoasa(config)# isakmp policy 40 lifetime 50400
 
 

The following example, entered in global configuration mode, sets the IKE security association to an infinite lifetime.

ciscoasa(config)# isakmp policy 40 lifetime 0
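The following script is an added example, not part of the Cisco command reference: it parses the isakmp am-disable and isakmp policy lines documented above from a running-config excerpt, fills in the documented defaults (pre-share, 3des, sha, group 2, 86400 seconds) for attributes a policy leaves unset, and reports the choices a configuration review would flag. The sample configuration is constructed for the example and is not from a real device.

```python
"""Audit ASA ISAKMP policy lines for weak settings (added example)."""
import re

# Defaults for each attribute, as stated in this command reference.
POLICY_DEFAULTS = {
    "authentication": "pre-share",
    "encryption": "3des",
    "hash": "sha",
    "group": "2",
    "lifetime": "86400",
}

# isakmp policy <priority> <attribute> <value>
POLICY_RE = re.compile(
    r"^\s*isakmp policy (\d+) "
    r"(authentication|encryption|hash|group|lifetime) (\S+)\s*$"
)


def parse_isakmp_config(text):
    """Return (policies, am_disabled).

    policies maps priority -> {attribute: value}, with defaults filled in for
    attributes the configuration never sets. am_disabled is True only when an
    `isakmp am-disable` line is present (aggressive mode is enabled by default).
    """
    policies = {}
    am_disabled = False
    for line in text.splitlines():
        if line.strip() == "isakmp am-disable":
            am_disabled = True
            continue
        m = POLICY_RE.match(line)
        if not m:
            continue
        prio, attr, value = m.groups()
        policies.setdefault(int(prio), dict(POLICY_DEFAULTS))[attr] = value
    return policies, am_disabled


def audit_policies(policies, am_disabled):
    """Return (priority, finding) tuples; priority is None for global findings."""
    findings = []
    if not am_disabled:
        findings.append((None, "inbound aggressive mode is enabled (no isakmp am-disable)"))
    for prio in sorted(policies):  # 1 is the highest priority, 65534 the lowest
        p = policies[prio]
        if p["encryption"] in ("des", "3des"):
            findings.append((prio, f"encryption {p['encryption']}"))
        if p["hash"] == "md5":
            findings.append((prio, "hash md5"))
        if p["group"] == "1":
            findings.append((prio, "group 1 (768-bit DH)"))
        if p["lifetime"] == "0":
            findings.append((prio, "lifetime 0 (infinite IKE SA)"))
        elif int(p["lifetime"]) > 86400:
            findings.append((prio, f"lifetime {p['lifetime']} exceeds the 86400 default"))
    return findings


# Constructed sample running-config excerpt (not captured from a real device).
SAMPLE_CONFIG = """\
isakmp enable outside
isakmp policy 10 authentication rsa-sig
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 5
isakmp policy 10 lifetime 28800
isakmp policy 40 encryption des
isakmp policy 40 hash md5
isakmp policy 40 group 1
isakmp policy 40 lifetime 0
isakmp policy 65 encryption aes
"""

if __name__ == "__main__":
    pols, am = parse_isakmp_config(SAMPLE_CONFIG)
    for prio, msg in audit_policies(pols, am):
        where = "global" if prio is None else f"policy {prio}"
        print(f"{where}: {msg}")
```

Policy 65 produces no findings because its unset attributes take the documented defaults (sha, group 2, 86400 seconds); policy 40 is reported on every attribute it sets.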
 

 
Related Commands

Command
Description

clear configure isakmp

Clears all the ISAKMP configuration.

clear configure isakmp policy

Clears all ISAKMP policy configuration.

clear isakmp sa

Clears the IKE runtime SA database.

show running-config isakmp

Displays all the active configuration.

isakmp reload-wait

To enable waiting for all active sessions to voluntarily terminate before rebooting the ASA, use the isakmp reload-wait command in global configuration mode. To disable waiting for active sessions to terminate and to proceed with a reboot of the ASA, use the no form of this command.

isakmp reload-wait

no isakmp reload-wait

 
Syntax Description

This command has no arguments or keywords.

 
Defaults

No default behavior or values.

 
Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration

  • Yes

  • Yes

 
Command History

Release
Modification

7.0(1)

This command was introduced.

7.2(1)

This command was deprecated. The crypto isakmp reload-wait command replaced it.

Examples

The following example, entered in global configuration mode, tells the ASA to wait until all active sessions have terminated before rebooting:

ciscoasa(config)# isakmp reload-wait
 

 
Related Commands

Command
Description

clear configure isakmp

Clears all the ISAKMP configuration.

clear configure isakmp policy

Clears all ISAKMP policy configuration.

clear isakmp sa

Clears the IKE runtime SA database.

show running-config isakmp

Displays all the active configuration.

issuer

To specify the security device that is sending assertions to a SAML-type SSO server, use the issuer command in webvpn-sso-saml configuration mode for that specific SAML type. To remove the issuer name, use the no form of this command.

issuer identifier

no issuer [ identifier ]

 
Syntax Description

identifier

Specifies a security device name, usually the hostname of the device. An identifier must be less than 65 alphanumeric characters.

 
Defaults

No default behavior or values.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Webvpn-sso-saml configuration

  • Yes

  • Yes

 
Command History

Release
Modification

8.0(2)

This command was introduced.

 
Usage Guidelines

SSO support, available only for WebVPN, lets users access different secure services on different servers without entering a username and password more than once. The ASA currently supports the SAML POST-type SSO server and the SiteMinder-type of SSO server.

This command applies only to SAML-type SSO Servers.

Examples

The following example specifies the issuer name for a security device named asa1.example.com:

ciscoasa(config-webvpn)# sso server myhostname type saml-v1.1-post
ciscoasa(config-webvpn-sso-saml)# issuer asa1.example.com
ciscoasa(config-webvpn-sso-saml)#

 
Related Commands

Command
Description

assertion-consumer-url

Specifies the URL that the security device uses to contact the SAML-type SSO server assertion consumer service.

request-timeout

Specifies the number of seconds before a failed SSO authentication attempt times out.

show webvpn sso-server

Displays the operating statistics for all SSO servers configured on the security device.

sso-server

Creates a single sign-on server.

trustpoint

Specifies a trustpoint name that contains the certificate to use to sign the SAML-type browser assertion.

issuer-name

To specify the issuer name DN of all issued certificates, use the issuer-name command in local certificate authority (CA) server configuration mode. To remove the subject DN from the certificate authority certificate, use the no form of this command.

issuer-name DN-string

no issuer-name DN-string

 
Syntax Description

DN-string

Specifies the distinguished name of the certificate, which is also the subject name DN of the self-signed CA certificate. Use commas to separate attribute-value pairs. Insert quotation marks around any value that contains a comma. An issuer name must be less than 500 alphanumeric characters.

 
Defaults

The default issuer name is cn=hostname.domain-name, for example cn=asa.example.com.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

CA server configuration

  • Yes

  • Yes

 
Command History

Release
Modification

7.3(1)

This command was introduced.

8.0(2)

Support for quotation marks was added to retain commas in DN-string values.

 
Usage Guidelines

This command specifies the issuer name that appears on any certificate created by the local CA server. Use this optional command if you want the issuer name to be different from the default CA name.


Note This issuer name configuration cannot be changed after you have enabled the CA server and generated the certificate by issuing the no shutdown command.


Examples

The following example enters local CA server configuration mode and sets the issuer name DN, quoting the one value that contains a comma:

ciscoasa(config)# crypto ca server
ciscoasa(config-ca-server)# issuer-name cn=asa-ca.example.com,ou=Eng,o=Example,c="cisco systems, inc."
ciscoasa(config-ca-server)#
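As an added example (not Cisco code), the following parser applies the DN-string rules given above: attribute-value pairs separated by commas, quotation marks around any value that itself contains a comma, and a total length under 500 characters. The sample DN is the one from the example above with straight quotes.

```python
"""Parse and re-emit an issuer-name DN-string as documented (added example)."""

MAX_ISSUER_NAME_LEN = 500  # the issuer name must be less than 500 characters


def parse_dn_string(dn):
    """Split a DN-string into an ordered list of (attribute, value) tuples.

    A comma inside a quoted value does not split the string; the quotation
    marks themselves are stripped from the value. Raises ValueError for an
    over-long string, an unterminated quote, or a component without '='.
    """
    if len(dn) >= MAX_ISSUER_NAME_LEN:
        raise ValueError("issuer name must be less than 500 characters")
    components = []
    current = []
    in_quotes = False
    for ch in dn:
        if ch == '"':
            in_quotes = not in_quotes  # toggle quoting; the quote is not kept
        elif ch == "," and not in_quotes:
            components.append("".join(current))
            current = []
        else:
            current.append(ch)
    if in_quotes:
        raise ValueError("unterminated quotation mark in DN-string")
    components.append("".join(current))

    pairs = []
    for comp in components:
        attr, sep, value = comp.partition("=")
        if not sep or not attr.strip():
            raise ValueError(f"malformed DN component: {comp!r}")
        pairs.append((attr.strip().lower(), value.strip()))
    return pairs


def format_dn_string(pairs):
    """Inverse of parse_dn_string: re-quote any value that contains a comma."""
    parts = []
    for attr, value in pairs:
        if "," in value:
            value = f'"{value}"'
        parts.append(f"{attr}={value}")
    return ",".join(parts)


# Constructed sample: the DN from the example above, with straight quotes.
SAMPLE_DN = 'cn=asa-ca.example.com,ou=Eng,o=Example,c="cisco systems, inc."'

if __name__ == "__main__":
    for attr, value in parse_dn_string(SAMPLE_DN):
        print(f"{attr:>3} = {value}")
```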

 
Related Commands

Command
Description

crypto ca server

Provides access to ca server configuration mode commands, which allow you to configure and manage the local CA.

keysize

Specifies the size of the public and private keys generated at certificate enrollment.

lifetime

Specifies the lifetime of the CA certificate and issued certificates.

show crypto ca server

Displays the characteristics of the local CA.

show crypto ca server cert-db

Displays local CA server certificates.