crypto a – crypto ir

crypto am-disable

To disable IPsec IKEv1 inbound aggressive mode connections, use the crypto ikev1 am-disable command in global configuration mode. To enable inbound aggressive mode connections, use the no form of this command.

crypto ikev1 am-disable

no crypto ikev1 am-disable

Syntax Description

This command has no arguments or keywords.

Command Default

The default value is enabled.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Global Configuration

  • Yes

  • Yes

Command History

Release

Modification

7.0(1)

The isakmp am-disable command was added.

7.2.(1)

The crypto isakmp am-disable command replaces the isakmp am-disable command.

8.4(1)

The command name was changed from crypto isakmp am-disable to crypto ikev1 am-disable.

Examples

The following example, entered in global configuration mode, disables inbound aggressive mode connections:


ciscoasa(config)# crypto ikev1 am-disable

crypto ca alerts expiration

Expiration checking for all installed certificates is enabled by default with the crypto ca alerts expiration command. To disable expiration checking, use the no form of this command:

crypto ca alerts expiration [ begin < days before expiration > [ repeat < days > ]

[ no ] crypto ca alerts expiration [ begin < days before expiration > [ repeat < days > ]

Syntax Description

begin <days before expiration>

Set the interval at which the reminders are sent by configuring the number of days before expiration at which the first alert will go out. The range is from 1 to 90 days.

repeat <days>

Configure the alert frequency if the certificate is not renewed. The range is 1 to 14 days.

Command Default

Expiration checking for all installed certificate is enabled by default.

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Global Configuration

  • Yes

  • Yes

  • Yes

  • Yes

Command Modes


The following table shows the modes in which you can enter the command:

Command History

Release

Modification

9.4(1)

This command was added.

Usage Guidelines

Since the reminders are syslog messages, we do not anticipate a need for disabling. This command has little impact on performance because it is only checked once a day. By default we will send the first alert 60 days prior to expiration and once every week after that until the certificate is renewed and removed. In addition, an alert is sent on the day of the expiration and once every day after that. Irrespective of the alerts configuration, a reminder is sent every day during the last week of expiration.

Examples


100(config)# crypto ca ?
configure mode commands/options:
  alerts        Configure alerts
100(config)# crypto ca alerts ?
configure mode commands/options:
  expiration  Configure an alert for certificates nearing expiration
100(config)# crypto ca alerts expiration ?
configure mode commands/options:
  begin   Begin alert
  repeat  Repeat alert
  <cr>100(config)# crypto ca alerts expiration begin ?
configure mode commands/options:
  <1-90>  Days prior to expiration at which the first alert should be sent
100(config)# crypto ca alerts expiration begin 10 ?
configure mode commands/options:
  repeat  Repeat alert
  <cr>
100(config)# crypto ca alerts expiration begin 10 repeat ?
configure mode commands/options:
  <1-14>  Number of days at which the alert should be repeated after the prior
           alert
100(config)# crypto ca alerts expiration begin 10 repeat 1
100(config)# show run crypto ca ?
exec mode commands/options:
  alerts       Show alerts

  	server				Show local certificate server configuration
	trustpoint   		Show trustpoints
 	 trustpool    Show trustpool
  |            Output modifiers
  <cr>
100(config)# show run crypto ca alerts
crypto ca alerts expiration begin 10 repeat 1
100(config)# clear conf crypto ca ?
configure mode commands/options:
  alerts       Clear alerts
  certificate  Clear certificate map entries
  server       Clear Local CA server
  trustpoint   Clear trustpoints
  trustpool    Clear trustpool
100(config)# clear conf crypto ca alerts

crypto ca authenticate

To install and authenticate the CA certificates associated with a trustpoint, use the crypto ca authenticate command in global configuration mode.

crypto ca authenticate trustpoint [ allow-untrusted-connection ] [ fingerprint hexvalue ] [ nointeractive ]

Syntax Description

fingerprint

Specifies a hash value consisting of alphanumeric characters that the ASA uses to authenticate the CA certificate. If a fingerprint is provided, the ASA compares it to the computed fingerprint of the CA certificate and accepts the certificate only if the two values match. If there is no fingerprint, the ASA displays the computed fingerprint and asks whether to accept the certificate.

hexvalue

Identifies the hexadecimal value of the fingerprint.

allow-untrusted-connection

Allows the ASA to ignore EST server certificate validation failure. This option is available only for trustpoints that are configured with the EST enrollment protocol.

nointeractive

Obtains the CA certificate for this trustpoint using no interactive mode; intended for use by the device manager only. In this case, if there is no fingerprint, the ASA accepts the certificate without question.

trustpoint

Specifies the trustpoint from which to obtain the CA certificate. The maximum name length is 128 characters.

Command Default

No default behavior or values.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Global Configuration

  • Yes

  • Yes

  • Yes

  • Yes

Command History

Release

Modification

7.0(1)

This command was added.

9.16(1)

The allow-untrusted-connection keyword was introduced to ignore EST server certificate validation failure.

Usage Guidelines

Use the crypto ca authenticate command to add a CA certificate to a trustpoint in the ASA configuration. When configured, the certificate is considered trusted.

If the trustpoint is configured for SCEP enrollment, the CA certificate is downloaded through SCEP. If not, the ASA prompts you to paste the base-64 formatted CA certificate into the terminal.

The allow-untrusted-connection keyword can be used to allow the ASA to ignore server certificate validation failure for EST trustpoints.

The invocations of this command do not become part of the running configuration.

Examples

The following example shows the ASA requesting the certificate of the CA. The CA sends its certificate and the ASA prompts the administrator to verify the certificate of the CA by checking the CA certificate fingerprint. The ASA administrator should verify the fingerprint value displayed with a known, correct value. If the fingerprint displayed by the ASA matches the correct value, you should accept the certificate as valid.


ciscoasa(config)# crypto ca authenticate myca
Certificate has the following attributes:
Fingerprint: 0123 4567 89AB CDEF 0123
Do you accept this certificate? [yes/no] y
#
ciscoasa(config)# 

The following example shows the trustpoint tp9 configured for terminal-based (manual) enrollment. The ASA prompts the administrator to paste the CA certificate into the terminal. After displaying the fingerprint of the certificate, the ASA prompts the administrator to confirm that the certificate should be retained.


ciscoasa(config)# crypto ca authenticate tp9
Enter the base 64 encoded CA certificate.
End with a blank line or the word "quit" on a line by itself
MIIDjjCCAvegAwIBAgIQejIaQ3SJRIBMHcvDdgOsKTANBgkqhkiG9w0BAQUFADBA
MQswCQYDVQQGEwJVUzELMAkGA1UECBMCTUExETAPBgNVBAcTCEZyYW5rbGluMREw
DwYDVQQDEwhCcmlhbnNDQTAeFw0wMjEwMTcxODE5MTJaFw0wNjEwMjQxOTU3MDha
MEAxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJNQTERMA8GA1UEBxMIRnJhbmtsaW4x
ETAPBgNVBAMTCEJyaWFuc0NBMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCd
jXEPvNnkZD1bKzahbTHuRot1T8KRUbCP5aWKfqViKJENzI2GnAheArazsAcc4Eaz
LDnpuyyqa0j5LA3MI577MoN1/nll018fbpqOf9eVDPJDkYTvtZ/X3vJgnEjTOWyz
T0pXxhdU1b/jgqVE74OvKBzU7A2yoQ2hMYzwVbGkewIDAQABo4IBhzCCAYMwEwYJ
KwYBBAGCNxQCBAYeBABDAEEwCwYDVR0PBAQDAgFGMA8GA1UdEwEB/wQFMAMBAf8w
HQYDVR0OBBYEFBHr3holowFDmniI3FBwKpSEucdtMIIBGwYDVR0fBIIBEjCCAQ4w
gcaggcOggcCGgb1sZGFwOi8vL0NOPUJyaWFuc0NBLENOPWJyaWFuLXcyay1zdnIs
Q049Q0RQLENOPVB1YmxpYyUyMEtleSUyMFNlcnZpY2VzLENOPVNlcnZpY2VzLENO
PUNvbmZpZ3VyYXRpb24sREM9YnJpYW5wZGMsREM9YmRzLERDPWNvbT9jZXJ0aWZp
Y2F0ZVJldm9jYXRpb25MaXN0P2Jhc2U/b2JqZWN0Y2xhc3M9Y1JMRGlzdHJpYnV0
aW9uUG9pbnQwQ6BBoD+GPWh0dHA6Ly9icmlhbi13Mmstc3ZyLmJyaWFucGRjLmJk
cy5jb20vQ2VydEVucm9sbC9CcmlhbnNDQS5jcmwwEAYJKwYBBAGCNxUBBAMCAQEw
DQYJKoZIhvcNAQEFBQADgYEAdLhc4Za3AbMjRq66xH1qJWxKUzd4nE9wOrhGgA1r
j4B/Hv2K1gUie34xGqu9OpwqvJgp/vCU12Ciykb1YdSDy/PxN4KtR9Xd1JDQMbu5
f20AYqCG5vpPWavCgmgTLcdwKa3ps1YSWGkhWmScHHSiGg1a3tevYVwhHNPA4mWo
7sQ=
Certificate has the following attributes:
Fingerprint: 21B598D5 4A81F3E5 0B24D12E 3F89C2E4
% Do you accept this certificate? [yes/no]: 
yes
Trustpoint CA certificate accepted.
% Certificate successfully imported
ciscoasa(config)# 

Examples

The following example shows successful certification validation when an EST trustpoint is configured without using allow-untrusted-connection and nointeractive keywords. After displaying the fingerprint of the certificate, the ASA prompts the administrator to confirm that the certificate should be retained:

asa(config-ca-trustpoint)# crypto ca authenticate EST_TP
 
TLS Connection to EST server https://est-server.example.com:8443 validated successfully by trust anchor.
INFO: Certificate has the following attributes:
Fingerprint:     a76027e8 0518a06c d0710845 b104303d 
 
Do you accept this certificate? [yes/no]: yes
 
Trustpoint CA certificate accepted.

The following example shows successful certification validation when an EST trustpoint is configured with nointeractive keyword. After displaying the fingerprint of the certificate, the ASA does not prompt the administrator to confirm that the certificate should be retained:

   asa(config-ca-trustpoint)# crypto ca authenticate EST_TP nointeractive           
 
TLS Connection to EST server https://est-server.example.com:8443 validated successfully by trust anchor.
INFO: Certificate has the following attributes:
Fingerprint:     a76027e8 0518a06c d0710845 b104303d 
 
Trustpoint CA certificate accepted.

The following example shows successful certification validation when an EST trustpoint is configured with allow-untrusted-connection . After displaying the fingerprint of the certificate, the ASA prompts the administrator to confirm that the certificate should be retained:

asa(config-ca-trustpoint)# crypto ca authenticate EST_TP allow-untrusted-connection
 
TLS Connection to EST server https://est-server.example.com:8443 validated successfully by trust anchor.
INFO: Certificate has the following attributes:
Fingerprint:     a76027e8 0518a06c d0710845 b104303d 
  
Do you accept this certificate? [yes/no]: yes
 
Trustpoint CA certificate accepted.

The following example shows successful certification validation when an EST trustpoint is configured with allow-untrusted-connection and nointeractive keywords. After displaying the fingerprint of the certificate, the ASA does not prompt the administrator to confirm that the certificate should be retained:

asa(config-ca-trustpoint)# crypto ca authenticate EST_TP allow-untrusted-connection nointeractive           
 
TLS Connection to EST server https://est-server.example.com:8443 validated successfully by trust anchor.
INFO: Certificate has the following attributes:
Fingerprint:     a76027e8 0518a06c d0710845 b104303d 
  
Trustpoint CA certificate accepted.

The following example shows failed certification validation when an EST trustpoint is configured without using allow-untrusted-connection and nointeractive keywords. ASA prompts the administrator to confirm if the TLS server certificate validation should be bypassed. If it is bypassed, the fingerprint of the certificate is displayed and the ASA prompts the administrator to confirm that the certificate should be retained:

asa(config-ca-trustpoint)# crypto ca authenticate EST_TP
 
TLS Connection to EST server https://est-server.example.com:8443 could not be validated.
Bypass TLS server certificate validation: [yes/no]: yes
 
INFO: Certificate has the following attributes:
Fingerprint:     a76027e8 0518a06c d0710845 b104303d 
 
Do you accept this certificate? [yes/no]: yes
 
Trustpoint CA certificate accepted.

The following example shows failed certification validation when an EST trustpoint is configured with nointeractive keyword.

asa(config-ca-trustpoint)# crypto ca authenticate EST_TP nointeractive           
 
TLS Connection to EST server https://est-server.example.com:8443 could not be validated.
 ERROR: receiving Certificate Authority certificate: status = FAIL, cert length = 0
asa(config-ca-trustpoint)#

The following example shows failed certification validation when an EST trustpoint is configured with allow-untrusted-connection keyword. ASA bypasses the TLS server certificate validation. After displaying the fingerprint of the certificate, the ASA prompts the administrator to confirm that the certificate should be retained:

asa(config-ca-trustpoint)# crypto ca authenticate EST_TP allow-untrusted-connection
 
TLS Connection to EST server https://est-server.example.com:8443 could not be validated.
INFO: Certificate has the following attributes:
Fingerprint:     a76027e8 0518a06c d0710845 b104303d 
  
Do you accept this certificate? [yes/no]: yes
 
Trustpoint CA certificate accepted.

The following example shows failed certification validation when an EST trustpoint is configured with allow-untrusted-connection and nointeractive keywords. ASA bypasses the TLS server certificate validation. After displaying the fingerprint of the certificate, the ASA does not prompt the administrator to confirm that the certificate should be retained:

asa(config-ca-trustpoint)# crypto ca authenticate EST_TP allow-untrusted-connection nointeractive           
 
TLS Connection to EST server https://est-server.example.com:8443 could not be validated.
INFO: Certificate has the following attributes:
Fingerprint:     a76027e8 0518a06c d0710845 b104303d 
  
Trustpoint CA certificate accepted.

The following example shows failed certification validation when there is a fingerprint mismatch:

asa(config-ca-trustpoint)# crypto ca authenticate EST_TP fingerprint 87654321 1212121212 11111111 12345678
 
INFO: Certificate has the following attributes:
Fingerprint:     a76027e8 0518a06c d0710845 b104303d 
Fingerprint mismatch
 
Trustpoint CA certificate NOT accepted.

crypto ca certificate chain

To enter certificate chain configuration mode for the indicated trustpoint, use the crypto ca certificate chain command in global configuration mode.

crypto ca certificate chain trustpoint

Syntax Description

trustpoint

Specifies the trustpoint for configuring the certificate chain.

Command Default

No default values or behaviors.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Global Configuration

  • Yes

  • Yes

  • Yes

  • Yes

Command History

Release

Modification

7.0(1)

This command was added.

Examples

The following example enters certificate chain configuration mode for the trustpoint, central:


ciscoasa
(config)# 
crypto ca certificate chain central 
ciscoasa
(config-cert-chain)# 

crypto ca certificate map

To maintain a prioritized list of certificate mapping rules, use the crypto ca certificate map command in global configuration mode. To remove a crypto CA configuration map rule, use the no form of the command.

crypto ca certificate map { sequence-number | map-name sequence-number }

no crypto ca certificate map { sequence-number | map-name sequence-number }

Syntax Description

map-name

Specifies a name for a certificate-to-group map.

sequence-number

Specifies a number for the certificate map rule that you are creating. The range is 1 through 65535. You can use this number when creating a tunnel group map, which maps a tunnel group to a certificate map rule.

Command Default

The default value for map-name is DefaultCertificateMap.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Global Configuration

  • Yes

  • Yes

  • Yes

  • Yes

Command History

Release

Modification

7.0(1)

This command was added.

7.2(1)

The map-name option was added.

Usage Guidelines

Entering this command places the ASA in ca certificate map configuration mode, where you can configure rules based on the issuer and subject distinguished names (DNs) of the certificate. The sequence number orders the mapping rules. The general form of these rules is as follows:

  • DN match-criteria match-value

  • DN is either subject-name or issuer-name . DNs are defined in the ITU-T X.509 standard.

  • match-criteria comprise the following expressions or operators:

attr tag

Limits the comparison to a specific DN attribute, such as common name (CN).

co

Contains

eq

Equal

nc

Does not contain

ne

Not equal

The DN matching expressions are case insensitive.

Examples

The following example enters ca certificate map mode with a map named example-map and a sequence number of 1 (rule # 1), and specifies that the common name (CN) attribute of the subject-name must match Example1:


ciscoasa(config)# crypto ca certificate map example-map 1
ciscoasa(ca-certificate-map)# subject-name attr cn eq Example1
ciscoasa(ca-certificate-map)#

The following example enters ca certificate map mode with a map named example-map and a sequence number of 1, and specifies that the subject-name contain the value cisco anywhere within it:


ciscoasa(config)# crypto ca certificate map example-map 1
ciscoasa(ca-certificate-map)# subject-name co cisco
ciscoasa(ca-certificate-map)#

crypto ca crl request

To request a CRL based on the configuration parameters of the specified trustpoint, use the crypto ca crl request command in crypto ca trustpoint configuration mode.

crypto ca crl request trustpoint

Syntax Description

trustpoint

Specifies the trustpoint. The maximum number of characters allowed is 128.

Command Default

No default behavior or values.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Global Configuration

  • Yes

  • Yes

  • Yes

  • Yes

Command History

Release

Modification

7.0(1)

This command was added.

Usage Guidelines

Invocations of this command do not become part of the running configuration.

Examples

The following example requests a CRL based on the trustpoint named central:


ciscoasa(config)# crypto ca crl request central
ciscoasa(config)# 

crypto ca enroll

To start the certificate enrollment process with the CA, use the crypto ca enroll command in global configuration mode.

crypto ca enroll trustpoint [ est-username name est-password password ] [ regenerate ] [ shared-secret < value > | signing-certificate < value > ] [ noconfirm ]

Syntax Description

noconfirm

(Optional) Suppresses all prompts. Enrollment options that might have been prompted for must be preconfigured in the trustpoint. This option is for use in scripts, ASDM, or other noninteractive needs.

regenerate

Indicates whether or not a new key pair should be generated prior to building the enrollment request.

shared-secret

A value provided out-of-band by the CA that is used to confirm the authenticity and integrity of the messages exchanged with ASA..

signing-certificate

The name of the trustpoint with a previously-issued device certificate used for signing the cmp enrollment request.

trustpoint

Specifies the name of the trustpoint to enroll with. The maximum number of characters allowed is 128.

est-username user

The EST username used for initial enrollment. This keyword is available only for trustpoints that are configured with the EST enrollment protocol.

est-password password

The EST password used for initial enrollment. This keyword is available only for trustpoints that are configured with the EST enrollment protocol.

Command Default

No default behavior or values.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Global Configuration

  • Yes

  • Yes

  • Yes

  • Yes

Command History

Release

Modification

7.0(1)

This command was added.

9.7(1)

The option to regenerate was added, and the shared-secret and signing-certificate keywords were added.

9.16(1)

The provision to enroll an EST certificate was added.

Usage Guidelines

Use crypto ca enroll command to initiate a certificate enrollment or re-enrollment with a CA.

When the trustpoint is configured for SCEP enrollment, the ASA displays a CLI prompt immediately and status messages appear on the console asynchronously. When the trustpoint is configured for manual enrollment, the ASA writes a base-64-encoded PKCS10 certificate request to the console and then the CLI prompt appears.

This command generates interactive prompts that vary, depending on the configured state of the referenced trustpoint. For this command to run successfully, the trustpoint must have been configured correctly.

When a trustpoint is configured for CMP, either a shared secret value (ir) or the name of the trustpoint that contains the cert that will sign the request (cr) can be specified, but not both. The shared-secret or signing-certificate keywords are available only when the trustpoint enrollment protocol is set to CMP.

This command supports certificate enrollment using EST. You can provide the username and password credentials to authenticate the device to the EST server when issuing the enrollment request. Use this command regardless of whether a certificate has already been issued. If you do not provide the username and password credentials, the device uses the pre-existing device certificate to authenticate the device to the server. If a device certificate is not present, the command becomes invalid.

Examples

The following example requests enrollment for an identity certificate with trustpoint tp1 using SCEP enrollment. The ASA prompts for information not stored in the trustpoint configuration.


ciscoasa(config)# crypto ca enroll tp1
%
% Start certificate enrollment ..
% Create a challenge password. You will need to verbally provide this
% password to the CA Administrator in order to revoke your certificate.
% For security reasons your password will not be saved in the configuration.
% Please make a note of it.
Password:
Re-enter password:
% The fully-qualified domain name in the certificate will be: xyz.example.com
% The subject name in the certificate will be: xyz.example.com
% Include the router serial number in the subject name? [yes/no]: no
% Include an IP address in the subject name? [no]: no
Request certificate from CA [yes/no]: yes
% Certificate request sent to Certificate authority.
% The certificate request fingerprint will be displayed.
% The ‘show crypto ca certificate’ command will also show the fingerprint.
ciscoasa(config)# 

The following example shows manual enrollment of a CA certificate:

ciscoasa(config)# crypto ca enroll tp1


% Start certificate enrollment ..
% The fully-qualified domain name in the certificate will be: xyz.example.com
% The subject name in the certificate will be: wb-2600-3.example.com
if serial number not set in trustpoint, prompt:
% Include the router serial number in the subject name? [yes/no]: no
If ip-address not configured in trustpoint:
% Include an IP address in the subject name? [no]: yes
Enter Interface name or IP Address[]: 1.2.3.4
Display Certificate Request to terminal? [yes/no]: y
Certificate Request follows:
MIIBFTCBwAIBADA6MTgwFAYJKoZIhvcNAQkIEwcxLjIuMy40MCAGCSqGSIb3DQEJ
AhYTd2ItMjYwMC0zLmNpc2NvLmNvbTBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQDT
IdvHa4D5wXZ+40sKQV7Uek1E+CC6hm/LRN3p5ULW1KF6bxhA3Q5CQfh4jDxobn+A
Y8GoeceulS2Zb+mvgNvjAgMBAAGgITAfBgkqhkiG9w0BCQ4xEjAQMA4GA1UdDwEB
/wQEAwIFoDANBgkqhkiG9w0BAQQFAANBACDhnrEGBVtltG7hp8x6Wz/dgY+ouWcA
lzy7QpdGhb1du2P81RYn+8pWRA43cikXMTeM4ykEkZhLjDUgv9t+R9c=
---End - This line not part of the certificate request---
Redisplay enrollment request? [yes/no]: no
ciscoasa(config)# 

Examples

The following example requests enrollment for an identity certificate with trustpoint EST_TP using EST enrollment, when the http credentials are provided:


asa(config-ca-trustpoint)# crypto ca enroll EST_TP ?
configure mode commands/options:
  est-username       Specify EST username for HTTP authentication
  <CR>
 
asa(config)# crypto ca enroll EST_TP username ?
 
configure mode commands/options:
  WORD < 32 char username required for initial EST enrollment.
asa(config)# crypto ca enroll EST_TP username ESTUSER ?
 
configure mode commands/options:
 est-password         Specify EST password for HTTP authentication
asa(config)# crypto ca enroll EST_TP user ESTUSER password ?
 
configure mode commands/options:
  WORD < 32 char password required for initial EST enrollment
 
asa(config)# crypto ca enroll EST_TP est-username ESTUSER est-password ESTPASSWORD ?
 
configure mode commands/options:
  noconfirm  Specify this keyword to suppress all interactive prompting.
 
asa(config)# crypto ca enroll EST_TP est-username ESTUSER est-password ESTPASSWORD
%
% Start certificate enrollment .. 
% The fully-qualified domain name in the certificate will be: asa.cisco.com
 
% The serial number in the certificate will be: FCH1814JT76
 
Request certificate from CA? [yes/no]: yes
% Certificate request sent to Certificate Authority
asa(config)# The certificate has been granted by CA!

The following example shows re-enrollment using device certificates:


asa(config-ca-trustpoint)# crypto ca enroll EST_TP 
%
WARNING: Trustpoint EST_TP has already enrolled and has
a device cert issued to it.
If you successfully re-enroll this trustpoint,
the existing certificate will be replaced.
 
Do you want to continue with re-enrollment? [yes/no]: yes
% Start certificate enrollment .. 
 
% The fully-qualified domain name in the certificate will be: asa.cisco.com
 
% The serial number in the certificate will be: FCH1814JT76
 
Request certificate from CA? [yes/no]: yes
% Certificate request sent to Certificate Authority
asa(config)# The certificate has been granted by CA!

crypto ca export

To export the ASA trustpoint configuration with all associated keys and certificates in PKCS12 format, or to export the device identity certificate in PEM format, use the crypto ca export command in global configuration mode.

crypto ca export trustpoint identity-certificate

Syntax Description

identity-certificate

Specifies that the enrolled certificate associated with the named trustpoint is to be displayed on the console.

trustpoint

Specifies the name of the trustpoint whose certificate is to be displayed. The maximum number of characters allowed for a trustpoint name is 128.

Command Default

No default values or behaviors.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Global Configuration

  • Yes

  • Yes

  • Yes

  • Yes

Command History

Release

Modification

7.0(1)

This command was added.

8.0(2)

This command was changed to accommodate certificate exporting in PEM format.

Usage Guidelines

Invocations of this command do not become part of the active configuration. The PEM or PKCS12 data is written to the console.

Web browsers use the PKCS12 format to store private keys with accompanying public key certificates protected with a password-based symmetric key. The ASA exports the certificates and keys associated with a trustpoint in base64-encoded PKCS12 format. This feature can be used to move certificates and keys between ASAs.

PEM encoding of a certificate is a base64 encoding of an X.509 certificate enclosed by PEM headers. This encoding provides a standard method for text-based transfer of certificates between ASAs. PEM encoding can be used to export the proxy-ldc-issuer certificate using an SSL/TLS protocol proxy when the ASA is acting as a client.

Examples

The following example exports the PEM-formatted certificate for trustpoint 222 as a console display:


ciscoasa
 (config)# 
crypto ca export 222 identity-certificate
Exported 222 follows:

-----BEGIN CERTIFICATE-----

MIIGDzCCBXigAwIBAgIKFiUgwwAAAAAFPDANBgkqhkiG9w0BAQUFADCBnTEfMB0G

CSqGSIb3DQEJARYQd2Jyb3duQGNpc2NvLmNvbTELMAkGA1UEBhMCVVMxCzAJBgNV

BAgTAk1BMREwDwYDVQQHEwhGcmFua2xpbjEWMBQGA1UEChMNQ2lzY28gU3lzdGVt

czEZMBcGA1UECxMQRnJhbmtsaW4gRGV2VGVzdDEaMBgGA1UEAxMRbXMtcm9vdC1j

YS01LTIwMDQwHhcNMDYxMTAyMjIyNjU3WhcNMjQwNTIwMTMzNDUyWjA2MRQwEgYD

VQQFEwtKTVgwOTQwSzA0TDEeMBwGCSqGSIb3DQEJAhMPQnJpYW4uY2lzY28uY29t

MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCvxxIYKcrb7cJpsiFKwwsQUph5

4M5Y3CDVKEVF+98HrD6rhd0n/d6R8VYSfu76aeJC5j9Bbn3xOCx2aY5K2enf3SBW

Y66S3JeZBV88etFmyYJ7rebjUVVQZaFcq79EjoP99IeJ3a89Y7dKvYqq8I3hmYRe

uipm1G6wfKHOrpLZnwIDAQABo4IDujCCA7YwCwYDVR0PBAQDAgWgMBoGA1UdEQQT

MBGCD0JyaWFuLmNpc2NvLmNvbTAdBgNVHQ4EFgQUocM/JeVV3fjZh4wDe0JS74Jm

pvEwgdkGA1UdIwSB0TCBzoAUYZ8t0+V9pox+Y47NtCLk7WxvIQShgaOkgaAwgZ0x

HzAdBgkqhkiG9w0BCQEWEHdicm93bkBjaXNjby5jb20xCzAJBgNVBAYTAlVTMQsw

CQYDVQQIEwJNQTERMA8GA1UEBxMIRnJhbmtsaW4xFjAUBgNVBAoTDUNpc2NvIFN5

c3RlbXMxGTAXBgNVBAsTEEZyYW5rbGluIERldlRlc3QxGjAYBgNVBAMTEW1zLXJv

b3QtY2EtNS0yMDA0ghBaZ5s0Ng4SskMxF2NlIoxgMIIBSAYDVR0fBIIBPzCCATsw

geuggeiggeWGgeJsZGFwOi8vd2luMmstYWQuRlJLLU1TLVBLSS5jaXNjby5jb20v

Q049bXMtcm9vdC1jYS01LTIwMDQsQ049d2luMmstYWQsQ049Q0RQLENOPVB1Ymxp

YyUyMEtleSUyMFNlcnZpY2VzLENOPVNlcnZpY2VzLENOPUNvbmZpZ3VyYXRpb24s

REM9RlJLLU1TLVBLSSxEQz1jaXNjbyxEQz1jb20/Y2VydGlmaWNhdGVSZXZvY2F0

aW9uTGlzdD9iYXNlP29iamVjdGNsYXNzPWNSTERpc3RyaWJ1dGlvblBvaW50MEug

SaBHhkVodHRwOi8vd2luMmstYWQuZnJrLW1zLXBraS5jaXNjby5jb20vQ2VydEVu

cm9sbC9tcy1yb290LWNhLTUtMjAwNC5jcmwwggFCBggrBgEFBQcBAQSCATQwggEw

MIG8BggrBgEFBQcwAoaBr2xkYXA6Ly8vQ049bXMtcm9vdC1jYS01LTIwMDQsQ049

QUlBLENOPVB1YmxpYyUyMEtleSUyMFNlcnZpY2VzLENOPVNlcnZpY2VzLENOPUNv

bmZpZ3VyYXRpb24sREM9RlJLLU1TLVBLSSxEQz1jaXNjbyxEQz1jb20/Y0FDZXJ0

aWZpY2F0ZT9iYXNlP29iamVjdGNsYXNzPWNlcnRpZmljYXRpb25BdXRob3JpdHkw

bwYIKwYBBQUHMAKGY2h0dHA6Ly93aW4yay1hZC5mcmstbXMtcGtpLmNpc2NvLmNv

bS9DZXJ0RW5yb2xsL3dpbjJrLWFkLkZSSy1NUy1QS0kuY2lzY28uY29tX21zLXJv

b3QtY2EtNS0yMDA0LmNydDANBgkqhkiG9w0BAQUFAAOBgQBlh7maRutcKNpjPbLk

bdcafJfHQ3k4UoWo0s1A0LXzdF4SsBIKQmpbfqEHtlx4EsfvfHXxUQJ6TOab7axt

hxMbNX3m7giebvtPkreqR9OYWGUjZwFUZ16TWnPA/NP3fbqRSsPgOXkC7+/5oUJd

eAeJOF4RQ6fPpXw9LjO5GXSFQA==

-----END CERTIFICATE-----


ciscoasa
 (config)# 

crypto ca import

To install a certificate received from a CA in response to a manual enrollment request or to import the certificate and key pair for a trustpoint using PKCS12 data, use the crypto ca import command in global configuration mode.

crypto ca import trustpoint certificate [ nointeractive ]

crypto ca import trustpoint pkcs12 passphrase [ nointeractive ]

Syntax Description

certificate

Tells the ASA to import a certificate from the CA represented by the trustpoint.

nointeractive

(Optional) Imports a certificate using nointeractive mode, which suppresses all prompts. This option is for use in scripts, ASDM, or other noninteractive needs.

passphrase

Specifies the passphrase used to decrypt the PKCS12 data.

pkcs12

Tells the ASA to import a certificate and key pair for a trustpoint, using PKCS12 format.

trustpoint

Specifies the trustpoint with which to associate the import action. The maximum number of characters allowed is 128. If you import PKCS12 data and the trustpoint uses RSA keys, the imported key pair is assigned the same name as the trustpoint.

Command Default

No default behavior or values.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Global Configuration

  • Yes

  • Yes

  • Yes

  • Yes

Command History

Release

Modification

7.0(1)

This command was added.

Examples

The following example manually imports a certificate for the trustpoint Main:


ciscoasa
 (config)# 
crypto ca import Main certificate
% The fully-qualified domain name in the certificate will be: securityappliance.example.com
Enter the base 64 encoded certificate.
End with a blank line or the word “quit” on a line by itself[ certificate data omitted ] quit
INFO: Certificate successfully imported
ciscoasa
 (config)# 

The following example manually imports PKCS12 data to a trustpoint central:


ciscoasa
 (config)# 
crypto ca import central pkcs12 ?
configure mode commands/options:
 WORD Passphrase used to protect the pkcs12 data
Enter the base 64 encoded pkcs12.
End with a blank line or the word "quit" on a line by itself:[ PKCS12 data omitted ] quit
INFO: Import PKCS12 operation completed successfully
ciscoasa
 (config)# 

The following example, entered in global configuration mode with passphrase Wh0ist, generates a warning message because there is not enough space in NVRAM to save the RSA keypair:


ciscoasa(config)# crypto ca import central pkcs12 Wh0ist

Enter the base 64 encoded pkcs12.
End with a blank line or the word "quit" on a line by itself:
INFO: The name for the keys will be: central
Keypair generation process begin. Please wait...
NV RAM will not have enough space to save keypair central. Remove any unnecessary keypairs and save the running config before using this keypair.
ciscoasa(config)# 

crypto ca permit-weak-crypto

ASA does not support CA certificates with the SHA-1 with RSA encryption algorithm and RSA key sizes smaller than 2048 bits. You can use the crypto ca permit-weak-crypto command to override certification restrictions. We do not recommend you to use this option, because the certificates generated with weak ciphers and key sizes are not as secure as the certificates with bigger key sizes and strong ciphers.

[no] crypto ca permit-weak-crypto

This command has no arguments or keywords.

Command Default

This command is disabled by default.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Global Configuration

  • Yes

  • Yes

  • Yes

  • Yes

Command History

Release

Modification

9.16(1)

This command was added.

Usage Guidelines

When you enable permit-weak-crypto, ASA allows the following options when validating certificates:

  • SHA-1 with RSA encryption algorithm.

  • RSA key sizes smaller than 2048 bits.

If the permit-weak-crypto option is not enabled, the certificate validation operations fail when these attributes are present.

Examples

The following example enables weak-crypto on the ASA:

asa(config)# crypto ca ?

configure mode commands/options:
permit-weak-crypto (Not Recommended) permit weak key sizes and hash algorithms

crypto ca reference-identity

To configure a reference-identity object, use the crypto ca reference-identity command in configuration mode. To delete a reference-identity object, use the no form of this command.

crypto ca reference-identity reference_identity_name

no crypto ca reference-identity reference_identity_name

Enter the crypto ca reference-identity command in global configuration mode to place the ASA in ca-reference-identity mode. Enter the following reference-ids while in ca-reference-identity mode. Multiple reference-ids of any type may be added. Use the no form of each command to remove reference-ids.

[ no ] cn-id value

[ no ] dns-id value

[ no ] srv-id value

[ no ] uri-id value

Syntax Description

reference-identity-name

Name of the reference-identity object.

value

Value of each reference-id.

cn-id

Common Name (CN), where the value matches the overall form of a domain name. The CN value cannot be free text. A CN-ID reference identifier does not identify an application service.

dns-id

A subjectAltName entry of type dNSName. This is a DNS domain name. A DNS-ID reference identifier does not identify an application service.

srv-id

A subjectAltName entry of type otherName whose name form is SRVName as defined in RFC 4985. A SRV-ID identifier may contain both a domain name and an application service type. For example, a SRV-ID of “_imaps.example.net” would be split into a DNS domain name portion of “example.net” and an application service type portion of “imaps.”

uri-id

A subjectAltName entry of type uniformResourceIdentifier whose value includes both (i) a “scheme” and (ii) a “host” component (or its equivalent) that matches the “reg-name” rule specified in RFC 3986. A URI-ID identifier must contain the DNS domain name, not the IP address, and not just the hostname. For example, a URI-ID of “sip:voice.example.edu” would be split into a DNS domain name portion of “voice.example.edu” and an application service type of “sip.”

Command Default

No default behavior or values.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Global Configuration

  • Yes

  • Yes

  • Yes

  • Yes

Command History

Release

Modification

9.6(2)

We introduced this command.

Usage Guidelines

Enter the crypto ca reference-identity command in global configuration mode to place the ASA in ca-reference-identity mode. Enter the following reference-ids while in ca-reference-identity mode: cn-id, dns-id, srv-id, or uri-id. Multiple reference-ids of any type may be added. Use the no form of each command to remove reference-ids.

A reference identity is created when configuring one with a previously unused name. Once a reference identity has been created, the four identifier types and their associated values can be added or deleted from the reference identity.

When multiple entries are used, the following behavior is expected if the certificate contains at least one instance of srv-id, uri-id, or dns-id:

  • If any instance of uri-id in the certificate matches any instance of uri-id on the named reference id, then the certificate matches the reference identity.

  • If any instance of srv-id in the certificate matches any instance of srv-id on the named reference id, then the certificate matches the reference identity.

  • If any instance of dns-id in the certificate matches any instance of dns-id on the named reference id, then the certificate matches the reference identity.

  • If none of these scenarios exist, the certificate does not match the reference identity.

When multiple entries are used, the following behavior is expected if the certificate does not contain at least one instance of srv-id, uri-id, or dns-id but does contain at least one cn-id:

  • If any instance of cn-id in the certificate matches any instance of cn-id on the named reference id, then the certificate matches the reference identity. Otherwise, the certificate does not match the reference identity.

  • If the certificate does not contain at least one instance of srv-id, uri-id, dns-id, or cn-id, then the certificate does not match the reference identity.

When the ASA is acting as a TLS client, it supports rules for verification of an application server's identity as defined in RFC 6125. Reference identities are configured on the ASA, to be compared to the identity presented in a server certificate during connection establishment. These identifiers are specific instances of the four identifier types also specified in RFC 6125.

The reference identifiers cn-id and dns-id MAY NOT contain information identifying the application service and MUST contain information identifying the DNS domain name.

Examples

The following example creates a reference-identity for a syslog server:


ciscoasa(config)# crypto ca reference-identity syslogServer
ciscoasa(config-ca-ref-identity)# dns-id syslog1-bxb.cisco.com
ciscoasa(config-ca-ref-identity)# cn-id syslog1-bxb.cisco.com

crypto ca server (Deprecated)

To set up and manage a local CA server on the ASA, use the crypto ca server command in global configuration mode. To delete the configured local CA server from the ASA, use the no form of this command.

crypto ca server

no crypto ca server

Syntax Description

This command has no arguments or keywords.

Command Default

A certificate authority server is not enabled on the ASA.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Global Configuration

  • Yes

  • Yes

Command History

Release

Modification

8.0(2)

This command was added.

9.12(1)

Provision to configure user’s FQDN for the enrollment URL, under smtp command. If not configured, the ASAs’ FQDN will be used by default.

This command is being deprecated and will be removed in a future release.

9.13(1)

This command was removed.

9.0(1)

Support for multiple context mode was added.

Usage Guidelines

There can only be one local CA on an ASA.

The crypto ca server command configures the CA server, but does not enable it. Use the no form of the shutdown command in ca server configuration mode to enable the local CA.

When you activate the CA server with the no shutdown command, you establish the RSA keypair of the CA and a trustpoint named LOCAL-CA-SERVER to hold the self-signed certificate. This newly generated self-signed certificate always has digital signature, CRL signing, and certificate signing key usage settings set.

Beginning with version 9.12(1), ASA allows users to configure their FQDN for the enrollment URL. Typically, users have an internal DNS configured as the ASAs FQDN and an external DNS configured with the FQDN that is included in the enrollment email. Using the fqdn command, the users can configure their FQDN for the enrollment URLinstead of ASAs’ FQDN. If not configured, ASA uses its FQDN by default.


Caution


The no crypto ca server command deletes the configured local CA server, its RSA keypair, and the associated trustpoint, regardless of the current state of the local CA server.

Examples

The following example enters ca server configuration mode, then lists the local CA server commands available in that mode:


ciscoasa(config)# crypto ca server
ciscoasa
(config-ca-server)
# ?
CA Server configuration commands:
  cdp-url               CRL Distribution Point to be included in the issued
                        certificates
  database              Embedded Certificate Server database location
                        configuration
  enrollment-retrieval  Enrollment-retrieval timeout configuration
  exit                  Exit from Certificate Server entry mode
  help                  Help for crypto ca server configuration commands
  issuer-name           Issuer name
  keysize               Size of keypair in bits to generate for certificate
                        enrollments
  lifetime              Lifetime parameters
  no                    Negate a command or set its defaults
  otp                   One-Time Password configuration options
  renewal-reminder      Enrollment renewal-reminder time configuration
  shutdown              Shutdown the Embedded Certificate Server
  smtp                  SMTP settings for enrollment E-mail notifications
  subject-name-default  Subject name default configuration for issued
                        certificates

The following example shows configuration of user’s fqdn under smtp command and the verification output:


ciscoasa(config)# crypto ca server
ciscoasa(config-ca-server)# smtp fqdn asa1-localCA.server.amazon.com
ciscoasa(config-ca-server)# show run crypto ca server 
crypto ca server 
smtp fqdn asa1-localCA.server.amazon.com

The following example uses the no form of the crypto ca server command in ca server configuration mode to delete the configured and enabled CA server from the ASA:


ciscoasa
(config-ca-server)
# no crypto ca server
Certificate server 'remove server' event has been queued for processing.
ciscoasa(config)# 

crypto ca server crl issue

To force the issuance of a Certificate Revocation List (CRL), use the crypto ca server crl issue command in privileged EXEC mode.

crypto ca server crl issue

Syntax Description

This command has no arguments or keywords.

Command Default

No default behavior or values.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Ca server configuration

  • Yes

  • Yes

Global Configuration

  • Yes

  • Yes

Privileged EXEC

  • Yes

  • Yes

Command History

Release

Modification

8.0(2)

This command was added.

9.0(1)

Support for multiple context mode was added.

Usage Guidelines

Use this command to recover a lost CRL. Normally, the CRL is reissued automatically at expiration by resigning the existing CRL. The crypto ca server crl issue command regenerates the CRL based on the certificate database and should only be used as required to regenerate a CRL based on the certificate database contents.

Examples

The following example forces the issuance of a CRL by the local CA server:


ciscoasa
(config-ca-server)
# crypto ca server crl issue

A new CRL has been issued.


ciscoasa
(config-ca-server)
#

crypto ca server revoke

To mark a certificate issued by the local Certificate Authority (CA) server as revoked in the certificate database and the CRL, use the crypto ca server revoke command in privileged EXEC mode.

crypto ca server revoke cert-serial-no

Syntax Description

cert-serial-no

Specifies the serial number of the certificate to be revoked, which must be in hexadecimal format.

Command Default

No default behavior or values.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Ca server configuration

  • Yes

  • Yes

Global Configuration

  • Yes

  • Yes

Privileged EXEC

  • Yes

  • Yes

Command History

Release

Modification

8.0(2)

This command was added.

9.0(1)

Support for multiple context mode was added.

Usage Guidelines

You revoke a specific certificate that has been issued by the local CA on an ASA by entering the crypto ca server revoke command on that ASA. Revocation is accomplished when this command marks the certificate as revoked in the certificate database on the CA server and in the CRL. You specify the certificate to be revoked by entering the certificate serial number in hexadecimal format.

The CRL is regenerated automatically after the specified certificate is revoked.

Examples

The following example revokes the certificate with the serial number 782ea09f issued by the local CA server:


ciscoasa
(config-ca-server)#
# crypto ca server revoke 782ea09f

Certificate with the serial number 0x782ea09f has been revoked. A new CRL has been issued.


ciscoasa
(config-ca-server)
# 

crypto ca server unrevoke

To unrevoke a revoked certificate issued by the local CA server, use the crypto ca server unrevoke command in privileged EXEC mode.

crypto ca server unrevoke cert-serial-no

Syntax Description

cert-serial-no

Specifies the serial number of the certificate to be unrevoked, which must be in hexadecimal format.

Command Default

No default behavior or values.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Ca server configuration

  • Yes

  • Yes

Global Configuration

  • Yes

  • Yes

Privileged EXEC

  • Yes

  • Yes

Command History

Release

Modification

8.0(2)

This command was added.

9.0(1)

Support for multiple context mode was added.

Usage Guidelines

You unrevoke a revoked certificate issued by the local CA on an ASA by entering the crypto ca server unrevoke command. The validity of the certificate is restored when this command marks the certificate as valid in the certificate database and removes it from the CRL. You specify the certificate to be unrevoked by entering the certificate serial number in hexadecimal format.

The CRL is regenerated after the specified certificate is unrevoked.

Examples

The following example unrevokes the certificate with the serial number 782ea09f issued by the local CA server:


ciscoasa
(config-ca-server)
# crypto ca server unrevoke 782ea09f

Certificate with the serial number 0x782ea09f has been unrevoked. A new CRL has been issued.


ciscoasa
(config-ca-server)
#

crypto ca server user-db add

To insert a new user into the CA server user database, use the crypto ca server user-db add command in privileged EXEC mode.

crypto ca server user-db user [ dn dn ] [ email e-mail-address ]

Syntax Description

dn dn

Specifies a subject-name distinguished name for certificates issued to the added user. If a DN string contains spaces, enclose value with double quotes. You can only use commas to separate DN attributes (for example, “OU=Service, O=Company, Inc.”).

email e-mail-address

Specifies the e-mail address for the new user.

user

Specifies a single user to whom to grant enrollment privileges. The username can be a simple username or an e-mail address.

Command Default

No default behavior or values.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Ca server configuration

  • Yes

  • Yes

Global Configuration

  • Yes

  • Yes

Privileged EXEC

  • Yes

  • Yes

Command History

Release

Modification

8.0(2)

This command was added.

9.0(1)

Support for multiple context mode was added.

Usage Guidelines

The user argument can be a simple username such as user1 or an e-mail address such as user1@example.com. The username must match the username specified by the end user in the enrollment page.

The username is added to the database as a user without privileges. You must use the crypto ca server allow command to grant enrollment privileges.

The username argument, along with the one-time password, is used to enroll the user on the enrollment interface page.


Note


For e-mail notification of the one-time password (OTP), an e-mail address should be specified either in the username or email-address argument. A missing e-mail address at mailing time generates an error.

The email e-mail-address keyword-argument pair is used only as an e-mail address to notify the user for enrollment and renewal reminders and does not appear in the issued certificate.

Inclusion of the e-mail address ensures that the user can be contacted with any questions and is notified of the required one-time password for enrollment.

If an optional DN is not specified for a user, the subject name DN is formed using the username and the subject-name-default DN setting as cn=username , subject-name-default.

Examples

The following example adds a user to the user database with a username of user1@example.com with a complete subject-name DN:


ciscoasa
(config-ca-server)
# crypto ca server user-db add dn “cn=Jane Doe, ou=engineering, o=Example, l=RTP, st=NC, c=US”

ciscoasa (config-ca-server) #

The following example grants enrollment privileges to the user named user2.


ciscoasa
(config-ca-server)
# crypto ca server user-db allow user2

ciscoasa (config-ca-server)

crypto ca server user-db allow

To permit a user or a group of users to enroll in the local CA server database, use the crypto ca server user-db allow command in privileged EXEC mode. This command also includes options to generate and display one-time passwords or to e-mail them to users.

crypto ca server user-db allow { username | all-unenrolled | all-certholders } [ display-otp ] [ email-otp ] [ replace-otp ]

Syntax Description

all-certholders

Specifies that enrollment privileges be granted to all users in the database who have been issued a certificate, whether the certificate is valid or not. This is equivalent to granting renewal privileges.

all-unenrolled

Specifies that enrollment privileges be granted to all users in the database who have not been issued a certificate.

email-otp

(Optional) Sends the specified users one-time passwords by e-mail to their configured e-mail addresses.

replace-otp

(Optional) Specifies that one-time passwords be regenerated for all specified users who originally had valid one-time passwords.

display-otp

(Optional) Displays the one-time passwords for all specified users on the console.

username

Specifies a single user to whom to grant enrollment privileges. The username can be a simple username or e-mail address.

Command Default

No default behavior or values.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Ca server configuration

  • Yes

  • Yes

Global Configuration

  • Yes

  • Yes

Privileged EXEC

  • Yes

  • Yes

Command History

Release

Modification

8.0(2)

This command was added.

9.0(1)

Support for multiple context mode was added.

Usage Guidelines

The replace-otp keyword generates OTPs for all specified users. These new OTPs replace any valid ones generated for the specified users.

The OTP is not stored on the ASA, but is generated and regenerated as required to notify a user or to authenticate a user during enrollment.

Examples

The following example grants enrollment privileges to all users in the database who have not enrolled yet:


ciscoasa
(config-ca-server)#
 crypto ca server user-db allow all-unenrolled
ciscoasa
(config-ca-server)#

The following example grants enrollment privileges to the user named user1:


ciscoasa
(config-ca-server)#
 crypto ca server user-db allow user1
ciscoasa
(config-ca-server)#

crypto ca server user-db email-otp

To e-mail the OTP to a specific user or a subset of users in the local CA server database, use the crypto ca server user-db email-otp command in privileged EXEC mode.

crypto ca server user-db email-otp { username | all-unenrolled | all-certholders }

Syntax Description

all-certholders

Specifies that OTPs are e-mailed to all users in the database who have been issued a certificate, whether that certificate is valid or not.

all-unenrolled

Specifies that the OTPs are e-mailed to all users in the database who have never been issued a certificate, or who only hold expired or revoked certificate(s).

username

Specifies that the OTP for a single user is e-mailed to that user. The username can be a username or an e-mail address.

Command Default

No default behaviors or values.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Ca server configuration

  • Yes

  • Yes

Global Configuration

  • Yes

  • Yes

Privileged EXEC

  • Yes

  • Yes

Command History

Release

Modification

8.0(2)

This command was added.

9.0(1)

Support for multiple context mode was added.

Examples

The following example e-mails the OTP to all unenrolled users in the database:


ciscoasa
(config-ca-server)
# crypto ca server user-db email-otp all-unenrolled
ciscoasa
(config-ca-server)
#

The following example e-mails the OTP to the user named user1:


ciscoasa
(config-ca-server)
# crypto ca server user-db email-otp user1
ciscoasa
(config-ca-server)
#

crypto ca server user-db remove

To remove a user from the local CA server user database, use the crypto ca server user-db remove command in privileged EXEC mode.

crypto ca server user-db remove username

Syntax Description

username

Specifies the name of the user to remove in the form of a username or an e-mail address.

Command Default

No default behavior or values.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Ca server configuration

  • Yes

  • Yes

Global Configuration

  • Yes

  • Yes

Privileged EXEC

  • Yes

  • Yes

Command History

Release

Modification

8.0(2)

This command was added.

9.0(1)

Support for multiple context mode was added.

Usage Guidelines

This command removes a username from the CA user database so that user cannot enroll. The command also providees the option to revoke previously issued, valid certificates.

Examples

The following example removes a user with a username, user1, from the CA server user database :


ciscoasa
(config-ca-server)
# crypto ca server user-db remove user1
WARNING: No certificates have been automatically revoked. Certificates issued to user user1 should be revoked if necessary.
ciscoasa
(config-ca-server)
#

crypto ca server user-db show-otp

To display the OTP for a specific user or a subset of users in the local CA server database, use the crypto ca server user-db show-otp command in privileged EXEC mode.

crypto ca server user-db show-otp { username | all-certholders | all-unenrolled }

Syntax Description

all-certholders

Displays the OTPs for all users in the database who have been issued a certificate, whether the certificate is currently valid or not.

all-unenrolled

Displays the OTPs for all users in the database who have never been issued a certificate, or who only hold expired or revoked certificate(s).

username

Specifies that the OTP for a single user be displayed. The username can be a username or an e-mail address.

Command Default

No default behaviors or values.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Ca server configuration

  • Yes

  • Yes

Global Configuration

  • Yes

  • Yes

Privileged EXEC

  • Yes

  • Yes

Command History

Release

Modification

8.0(2)

This command was added.

9.0(1)

Support for multiple context mode was added.

Examples

The following example displays the OTP for all users who have valid or invalid certificates in the database:


ciscoasa
(config-ca-server)
# crypto ca server user-db show-otp all-certholders
ciscoasa
(config-ca-server)
#

The following example displays the OTP for the user named user1:


ciscoasa
(config-ca-server)
# crypto ca server user-db show-otp user1
ciscoasa
(config-ca-server)
#

crypto ca server user-db write

To configure a directory location to store all the local CA database files, use the crypto ca server user-db write command in privileged EXEC mode.

crypto ca server user-db write

Syntax Description

This command has no keywords or arguments.

Command Default

No default behaviors or values.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Ca server configuration

  • Yes

  • Yes

Global Configuration

  • Yes

  • Yes

Privileged EXEC

  • Yes

  • Yes

Command History

Release

Modification

8.0(2)

This command was added.

9.0(1)

Support for multiple context mode was added.

Usage Guidelines

The crypto ca server user-db write command is used to save new user-based configuration data to the storage specified by the database path configuration. The information is generated when new users are added or allowed with the crypto ca server user-db add and crypto ca server user-db allow commands.

Examples

The following example writes the user information configured in the local CA database to storage:


ciscoasa
(config-ca-server)
# crypto ca server user-db write
ciscoasa
(config-ca-server)
#

crypto ca trustpoint

To enter the crypto ca trustpoint configuration mode for the specified trustpoint, use the crypto ca trustpoint command in global configuration mode. To remove the specified trustpoint, use the no form of this command.

crypto ca trustpoint trustpoint-name

no crypto ca trustpoint trustpoint-name [ noconfirm ]

Syntax Description

noconfirm

Suppresses all interactive prompting

trustpoint-name

Identifies the name of the trustpoint to manage. The maximum name length allowed is 128 characters.

Command Default

No default behavior or values.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Global Configuration

  • Yes

  • Yes

  • Yes

  • Yes

Command History

Release

Modification

7.0(1)

This command was added.

7.2(1)

Added options to support the OCSP. These include match certificate map , ocsp disable-nonce , ocsp url , and revocation-check .

8.0(2)

Added options to support certificate validation. These include id-usage and validation-policy. The following are being deprecated: accept-subordinates, id-cert-issuer, and support-user-cert-validation.

8.0(4)

The enrollment self option was added to support enrollment of self-signed certificates between trusted enterprises, such as between phone proxy and TLS proxy.

9.13(1)

The crl required | optional | nocheck option was removed.

The match certificate option was modified to include override CDP configuration

9.20(1)

The alt-fqdn option was added.

Usage Guidelines

Use the crypto ca trustpoint command to declare a CA. Issuing this command puts you in crypto ca trustpoint configuration mode.

This command manages trustpoint information. A trustpoint represents a CA identity and possibly a device identity, based on a certificate issued by the CA. The commands within the trustpoint mode control CA-specific configuration parameters, which specify how the ASA obtains the CA certificate, how the ASA obtains its certificate from the CA, and the authentication policies for user certificates issued by the CA.

You can specify characteristics for the trustpoint using the following commands:

  • accept-subordinates —Deprecated. Indicates whether CA certificates subordinate to the CA associated with the trustpoint are accepted if delivered during phase one IKE exchange when not previously installed on the ASA.

  • alt-fqdn fqdn —During enrollment, asks the CA to include the specified FQDN values in the subject alternative name extension of the certificate or requests.

  • auto-enroll —Configures the parameters that control if CMPv2 auto update is used, when it is triggered, and if a new keypair is generated. Enter a percentage of the absolute lifetime of the certificate after which auto-enroll will be necessary. Then specify if you want to generate a new key while renewing the certificate: [no] auto-enroll [<percent>] [regenerate]

  • crl required | optional | nocheck —Specifies CRL configuration options. Removed in ASA 9.13(1).

  • crl configure —Enters crl configuration mode (see the crl command).

  • default enrollment —Returns all enrollment parameters to their system default values. Invocations of this command do not become part of the active configuration.

  • email address —During enrollment, asks the CA to include the specified email address in the subject alternative name extension of the certificate.

  • enrollment protocol cmp|scep url —Specifies either CMP or SCEP enrollment to enroll with this trustpoint and configures the enrollment URL (url ).

  • enrollment retry period —Specifies a retry period in minutes for SCEP enrollment.

  • enrollment retry count —Specifies a maximum number of permitted retries for SCEP enrollment.

  • enrollment terminal —Specifies cut and paste enrollment with this trustpoint.

  • enrollment self —Specifies enrollment that generates a self-signed certificate.

  • enrollment url —Specifies the SCEP enrollment to enroll with this trustpoint and configures the enrollment URL (url ).

  • exit —Leaves the configuration mode.

  • fqdn fqdn —During enrollment, asks the CA to include the specified FQDN in the subject alternative name extension of the certificate.

  • id-cert-issuer —Deprecated. Indicates whether the system accepts peer certificates issued by the CA associated with this trustpoint.

  • id-usage — Specifies how the enrolled identity of a trustpoint can be used.

  • ip-addr ip-address —During enrollment, asks the CA to include the IP address of the ASA in the certificate.

  • keypair name —Specifies the key pair whose public key is to be certified.

  • keypair name —Specifies the keypair, as either RSA or EDCSA ,whose public key is to be certified and their modulus bits or elliptic curve bits.

  • match certificate map-name override ocsp | override cdp —Matches a certificate map to an OCSP override or CDP override rule.

  • ocsp disable-nonce —Disables the nonce extension, which cryptographically binds revocation requests with responses to avoid replay attacks.

  • ocsp url —Specifies that the OCSP server at this URL check all certificates associated with this trustpoint for revocation status.

  • exit —Leaves the configuration mode.

  • password string —Specifies a challenge phrase that is registered with the CA during enrollment. The CA typically uses this phrase to authenticate a subsequent revocation request.

  • revocation check —Specifies the revocation checking method, which includes CRL, OCSP, and none.

  • serial-number —During enrollment, asks the CA to include the ASA serial number in the certificate.

  • subject-name X.500 name —During enrollment, asks the CA to include the specified subject DN in the certificate. If a DN string includes a comma, enclose the value string with double quotes (for example, O=”Company, Inc.”)

  • support-user-cert-validation —Deprecated. If enabled, the configuration settings to validate a remote user certificate can be taken from this trustpoint, provided that it is authenticated to the CA that issued the remote certificate. This option applies to the configuration data associated with the subcommands crl required | optional | nocheck and all settings in the CRL mode.

  • validation-policy —Specifies trustpoint conditions for validating certificates associated with user connections.


Note


When you try to connect, a warning occurs to indicate that the trustpoint does not contain an ID certificate when an attempt is made to retrieve the ID certificate from the trustpoint.

Examples

The following example enters ca trustpoint configuration mode for managing a trustpoint named central:


ciscoasa(config)# crypto ca trustpoint 
central
ciscoasa(ca-trustpoint)#

crypto ca trustpool export

To export the certificates that constitute the PKI trustpool, use the crypto ca trustpool export command in privileged EXEC configuration mode.

crypto ca trustpool export filename

Syntax Description

filename

The file in which to store the exported trustpool certificates.

Command Default

No default behavior or values.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Privileged EXEC configuration

  • Yes

  • Yes

  • Yes

Command History

Release

Modification

9.0(1)

This command was added.

Usage Guidelines

This command copies the entire contents of the active trustpool to the indicated filepath in pem-coded format.

Examples


ciscoasa# crypto ca trustpool export disk0:/exportfile.pem
Trustpool certificates exported to disk0:/exportfile.pem
ciscoasa#
ciscoasa# more exportfile.pem
-----BEGIN CERTIFICATE-----
MIIEMjCCAxqgAwIBAgIBATANBgkqhkiG9w0BAQUFADB7MQswCQYDVQQGEwJHQjEb
MBkGA1UECAwSR3JlYXRlciBNYW5jaGVzdGVyMRAwDgYDVQQHDAdTYWxmb3JkMRow
GAYDVQQKDBFDb21vZG8gQ0EgTGltaXRlZDEhMB8GA1UEAwwYQUFBIENlcnRpZmlj
YXRlIFNlcnZpY2VzMB4XDTA0MDEwMTAwMDAwMFoXDTI4MTIzMTIzNTk1OVowezEL
MAkGA1UEBhMCR0IxGzAZBgNVBAgMEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4GA1UE
<More>

crypto ca trustpool import

To import the certificates that constitute the PKI trustpool, use the crypto ca trustpool import command in global configuration mode.

crypto ca trustpool import [ clean ] url url [ noconfirm [ signature-required ] ]

Syntax Description

clean

Removes all downloaded trustpool certificates prior to import.

noconfirm

Suppresses all interactive prompts.

signature-required

Indicates that only signed files are accepted.

url

The location of the trustpool file to be imported.

Command Default

No default behavior or values.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Global Configuration

  • Yes

  • Yes

Command History

Release

Modification

9.0(1)

This command was added.

9.12(1)

The option to use the ASA’s default trusted CA list was removed.

Usage Guidelines

This command provides the ability to validate the signature on the file when a trustpool bundle is downloaded from cisco.com. A valid signature is not mandatory when downloading bundles from other sources or in a format that does not support signatures. Users are informed of the signature status and are given the option to accept the bundle or not.

The possible interactive warnings are:

  • Cisco bundle format with invalid signature

  • Non-cisco bundle format

  • Cisco bundle format with valid signature

The signature-required keyword is allowed only if the noconfirm option is selected. If the signature-required keyword is included but the signature is not present or cannot be verified, the import fails.


Note


Unless you have verified the legitimacy of the file through some other means, do not install the certificates if a file signature cannot be verified,

The following example shows the behavior of the crypto ca trustpool import command when suppressing interactive prompting and requiring signatures:

ciscoasa(config)# crypto ca trustpool import url ?

configure mode commands/options:disk0: Import from disk0: file systemdisk1: Import from disk1: file systemflash: Import from flash: file systemftp: Import from ftp: file systemhttp: Import from http: file systemhttps: Import from https: file systemsmb: Import from smb: file systemsystem: Import from system: file systemtftp: Import from tftp: file system

ciscoasa(config)# crypto ca trustpool import url http://mycompany.com ? exec mode commands/options:noconfirm Specify this keyword to suppress all interactive prompting.

ciscoasa(config)# crypto ca trustpool import url http://mycompany.com noconfirm ? exec mode commands/options:signature-required Indicate that only signed files will be accepted

crypto ca trustpool policy

To enter a submode that provides the commands that define the trustpool policy, use the crypto ca trustpool policy command in global configuration mode. To set up the automatic import of a trustpool certificate bundle, specify the URL which the ASA uses to download and import the bundle.

crypto ca trustpool policy

Syntax Description

This command has no arguments or keywords.

auto-import

Configure automatic import of trustpool certificates

auto-import [time <H:M:S>] [url <URL address>]

Set custom time and custom URL for downloading certificates in trustpool if you need to schedule this download during off peak hours or any other convenient times.

auto-import time

Specify the download time in hours, minutes, and seconds. An attempt is made for every 24 hours at this specified time. If not provided, the default time of 22:00 hours is used.

auto-import url

Specify automatic import of trustpool certificates. If not provided, the default Cisco URL is used.

Command Default

No default behavior or values.

The automatic import option is turned off by default.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Global configuration

  • Yes

  • Yes

  • Yes

Object Configuration

  • Yes

Command History

Release

Modification

9.0(1)

This command was added.

9.5(2)

The auto-import command option was added.

Examples

ciscoasa(config)# crypto ca trustpool ?

configure mode commands/options: policy Define trustpool policy

ciscoasa(config)# crypto ca trustpool policy ciscoasa(config-ca-trustpool)# ?

CA Trustpool configuration commands:crl CRL optionsexit Exit from certificate authority trustpool entry modematch Match a certificate mapno Negate a command or set its defaultsrevocation-check Revocation checking options

auto-import Configure automatic import of trustpool certificatesciscoasa(config-ca-trustpool)#

ciscoasa(config-ca-trustpool)# auto-import?

crypto-ca-trustpool mode commands/options:

time Specify the auto import time in hours, minutes, and secondsDefault is 22:00:00. An attempt is made every 24 hours at the specified time.url Specify the HTTP based URL address for automatic import of trustpool certificates

<cr>

ciscoasa(config-ca-trustpool)#

ciscoasa(config-ca-trustpool)# auto-import url ?

crypto-ca-trustpool mode commands/options:LINE URL for automatic importciscoasa(config-ca-trustpool)#

ciscoasa(config-ca-trustpool)# auto-import time ?H:M:S Specify the auto import time in hours, minutes & seconds. E.g. 18:00:00 (attempt to import is made at every 24 hours at 6PM)ciscoasa(config-ca-trustpool)#

crypto ca trustpool remove

To remove a single specified certificate from the PKI trustpool, use the crypto ca trustpool remove command in privileged EXEC configuration mode.

crypto ca trustpool remove cert fingerprint [ noconfirm ]

Syntax Description

cert fingerprint

Hex data.

noconfirm

Specify this keyword to suppress all interactive prompting.

Command Default

No default behavior or values.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Privileged EXEC configuration

  • Yes

  • Yes

Command History

Release

Modification

9.0(1)

This command was added.

Usage Guidelines

Because this command will commit a change to the trusted root certificate content, interactive users will be prompted to confirm their actions.

Examples


ciscoasa# crypto ca trustpool remove ?
  Hex-data  Certificate fingerprint
ciscoasa# crypto ca trustpool remove 497904b0eb8719ac47b0bc11519b74d0 ?
noconfirm  Specify this keyword to suppress all interactive prompting.

crypto dynamic-map match address

To match the address of an access list for the dynamic crypto map entry, use the crypto dynamic-map match address command in global configuration mode. To disable the address match, use the no form of this command.

crypto dynamic-map dynamic-map-name dynamic-seq-num match address acl_name

no crypto dynamic-map dynamic-map-name dynamic-seq-num match address acl_name

Syntax Description

acl-name

Identifies the access list to be matched for the dynamic crypto map entry.

dynamic-map-name

Specifies the name of the dynamic crypto map set.

dynamic-seq-num

Specifies the sequence number that corresponds to the dynamic crypto map entry.

Command Default

No default behavior or values.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Global Configuration

  • Yes

  • Yes

  • Yes

Command History

Release

Modification

7.0(1)

This command was added.

9.0(1)

Support for multiple context mode was added.

Usage Guidelines

For a dynamic crypto map (with the crypto dynamic-map command), the access-list command is not required but is strongly recommended.

Use the access-list command to define the access lists. The access list hit counts only increase when the tunnel initiates. After the tunnel is up, the hit counts do not increase on a per-packet flow. If the tunnel drops and then reinitiates, the hit count will increase.

The ASA uses the access lists to differentiate the traffic to protect with IPsec crypto from the traffic that does not need protection. It protects outbound packets that match a permit ACE, and ensures that inbound packets that match a permit ACE have protection.

See the crypto map match address command for additional information about this command.

Examples

The following example shows the use of the crypto dynamic-map command to match address of an access list named aclist1:


ciscoasa(config)# crypto dynamic-map mymap 10 match address aclist1
ciscoasa(config)# 

crypto dynamic-map set df-bit

To set the per-signature algorithm (SA) do-not-fragment (DF) policy, use the crypto dynamic-map set df-bit command in global configuration mode. To disable the DF policy, use the no form of this command.

crypto dynamic-map name priority set df-bit [ clear-df | copy-df | set-df ]

no crypto dynamic-map name priority set df-bit [ clear-df | copy-df | set-df ]

Syntax Description

name

Specifies the name of the crypto dynamic map set.

priority

Specifies the priority that you assign to the crypto dynamic map entry.

Command Default

The default setting is off.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Global Configuration

  • Yes

  • Yes

  • Yes

Command History

Release

Modification

9.0(1)

This command was added.

Usage Guidelines

The original DF policy command is retained and acts as a global policy setting on an interface, but it is superseded for an SA by the crypto map command.

crypto dynamic-map set ikev1 transform-set

To specify the IKEv1 transform sets to use in a dynamic crypto map entry, use the crypto dynamic-map set ikev1 transform-set command in global configuration mode.

crypto dynamic-map dynamic-map-name dynamic-seq-num set ikev1 transform-set transform-set-name1 [ ...transform-set-name11 ]

To remove the transform sets from the dynamic crypto map entry, specify the transform set name in the no form of this command:

no crypto dynamic-map dynamic-map-name dynamic-seq-num set ikev1 transform-set transform-set-name1 [ ...transform-set-name11 ]

To remove the dynamic crypto map entry, use the no form of the command and specify all or none of the transform sets:

no crypto dynamic-map dynamic-map-name dynamic-seq-num set ikev1 transform-set

Syntax Description

dynamic-map-name

Specifies the name of the dynamic crypto map set.

dynamic-seq-num

Specifies the sequence number that corresponds to the dynamic crypto map entry.

transform-set-name1 transform-set-name11

Specifies one or more names of the transform sets. Any transform sets named in this command must be defined in the crypto ipsec ikev1 transform-set command. Each crypto map entry supports up to 11 transform sets.

Command Default

No default behavior or values.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Global Configuration

  • Yes

  • Yes

  • Yes

Command History

Release

Modification

7.0

This command was added.

7.2(1)

Changed the maximum number of transform sets in a crypto map entry.

8.4(1)

Added the ikev1 keyword.

9.0(1)

Support for multiple context mode was added.

Usage Guidelines

A dynamic crypto map is a crypto map without all of the parameters configured. It acts as a policy template where the missing parameters are later dynamically learned, as the result of an IPsec negotiation, to match the peer requirements. The ASA applies a dynamic crypto map to let a peer negotiate a tunnel if its IP address is not already identified in a previous static or dynamic crypto map. This occurs with the following types of peers:

  • Peers with dynamically assigned public IP addresses.

Both LAN-to-LAN and remote access peers can use DHCP to obtain a public IP address. The ASA uses this address only to initiate the tunnel.

  • Peers with dynamically assigned private IP addresses.

Peers requesting remote access tunnels typically have private IP addresses assigned by the headend. Generally, LAN-to-LAN tunnels have a predetermined set of private networks that are used to configure static maps and therefore used to establish IPsec SAs.

As an administrator configuring static crypto maps, you might not know the IP addresses that are dynamically assigned (via DHCP or some other method), and you might not know the private IP addresses of other clients, regardless of how they were assigned. VPN clients typically do not have static IP addresses; they require a dynamic crypto map to allow IPsec negotiation to occur. For example, the headend assigns the IP address to a Cisco VPN client during IKE negotiation, which the client then uses to negotiate IPsec SAs.

Dynamic crypto maps can ease IPsec configuration and we recommend them for use in networks where the peers are not always predetermined. Use dynamic crypto maps for Cisco VPN clients (such as mobile users) and routers that obtain dynamically assigned IP addresses.


Tip


Use care when using the any keyword in permit entries in dynamic crypto maps. If the traffic covered by such a permit entry could include multicast or broadcast traffic, insert deny entries for the appropriate address range into the access list. Remember to insert deny entries for network and subnet broadcast traffic, and for any other traffic that IPsec should not protect.


Dynamic crypto maps work only to negotiate SAs with remote peers that initiate the connection. The ASA cannot use dynamic crypto maps to initiate connections to a remote peer. With a dynamic crypto map configured, if the outbound traffic matches a permit entry in an access list and the corresponding SA does not yet exist, the ASA drops the traffic.

A crypto map set may include a dynamic crypto map. Dynamic crypto map sets should be the lowest priority crypto maps in the crypto map set (that is, they should have the highest sequence numbers) so that the ASA evaluates other crypto maps first. It examines the dynamic crypto map set only when the other (static) map entries do not match.

Similar to static crypto map sets, a dynamic crypto map set consists of all of the dynamic crypto maps with the same dynamic map name. The dynamic sequence number differentiates the dynamic crypto maps in a set. If you configure a dynamic crypto map, insert a permit ACL to identify the data flow of the IPsec peer for the crypto access list. Otherwise the ASA accepts any data flow identity the peer proposes.


Caution


Do not assign static (default) routes for traffic to be tunneled to a ASA interface configured with a dynamic crypto map set. To identify the traffic that should be tunneled, add the ACLs to the dynamic crypto map. Use care to identify the proper address pools when configuring the ACLs associated with remote access tunnels. Use Reverse Route Injection to install routes only after the tunnel is up.


You can combine static and dynamic map entries within a single crypto map set.

Examples

The following example creates a dynamic crypto map entry named “dynamic0” consisting of the same ten transform sets.


ciscoasa(config)# crypto dynamic-map dynamic0 1 set 
ikev1 
transform-set 3des-md5 3des-sha 56des-md5 56des-sha 128aes-md5 128aes-sha 192aes-md5 192aes-sha 256aes-md5 256aes-sha
ciscoasa(config)#

crypto dynamic-map set ikev2 ipsec-proposal

To specify the IPsec proposals for IKEv2 to use in a dynamic crypto map entry, use the crypto dynamic-map set ikev2 ipsec-proposal command in global configuration mode. To remove the names of the transform sets from a dynamic crypto map entry, use the no form of this command.

crypto dynamic-map dynamic-map-name set ikev2 ipsec-proposal transform-set-name 1 [ ...transform-set-name11 ]

no crypto dynamic-map dynamic-map-name set ikev2 ipsec-proposal transform-set-name 1 [ ...transform-set-name11 ]

Syntax Description

dynamic-map-name

Specifies the name of the dynamic crypto map set.

transform-set-name1 transform-set-name11

Specifies one or more names of the transform sets. Any transform sets named in this command must be defined in the crypto ipsec ikev2 transform-set command. Each crypto map entry supports up to 11 transform sets.

Command Default

No default behavior or values.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Global Configuration

  • Yes

  • Yes

  • Yes

Command History

Release

Modification

8.4(1)

This command was added.

9.0(1)

Support for multiple context mode was added.

crypto dynamic-map set nat-t-disable

To disable NAT-T for connections based on this crypto map entry, use the crypto dynamic-map set nat-t-disable command in global configuration mode. To enable NAT-T for this crypto may entry, use the no form of this command.

crypto dynamic-map dynamic-map-name dynamic-seq-num set nat-t-disable

no crypto dynamic-map dynamic-map-name dynamic-seq-num set nat-t-disable

Syntax Description

dynamic-map-name

Specifies the name of the crypto dynamic map set.

dynamic-seq-num

Specifies the number that you assign to the crypto dynamic map entry.

Command Default

The default setting is off.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Global Configuration

  • Yes

  • Yes

  • Yes

Command History

Release

Modification

7.0(1)

This command was added.

9.0(1)

Support for multiple context mode was added.

Usage Guidelines

Use the isakmp nat-traversal command to globally enable NAT-T. Then you can use the crypto dynamic-map set nat-t-disable command to disable NAT-T for specific crypto map entries.

Examples

The following command disables NAT-T for the crypto dynamic map named mymap:


ciscoasa(config)# crypto dynamic-map mymap 10 set nat-t-disable
ciscoasa(config)#

crypto dynamic-map set peer

See the crypto map set peer command for additional information about this command.

crypto dynamic-map dynamic-map-name dynamic-seq-num set peer ip_address | hostname

no crypto dynamic-map dynamic-map-name dynamic-seq-num set peer ip_address | hostname

Syntax Description

dynamic-map-name

Specifies the name of the dynamic crypto map set.

dynamic-seq-num

Specifies the sequence number that corresponds to the dynamic crypto map entry.

hostname

Identifies the peer in the dynamic crypto map entry by hostname, as defined by the name command.

ip_address

Identifies the peer in the dynamic crypto map entry by IP address, as defined by the name command.

Command Default

No default behavior or values.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Global Configuration

  • Yes

  • Yes

  • Yes

Command History

Release

Modification

7.0(1)

This command was added.

9.0(1)

Support for multiple context mode was added.

Examples

The following example shows setting a peer for a dynamic-map named mymap to the IP address 10.0.0.1:


ciscoasa(config)# crypto dynamic-map mymap 10 set peer 10.0.0.1
ciscoasa(config)#

crypto dynamic-map set pfs

To set IPsec to ask for PFS when requesting new security associations for this dynamic crypto map entry or that IPsec requires PFS when receiving requests for new security associations, use the crypto dynamic-map set pfs command in global configuration mode. To specify that IPsec should not request PFS, use the no form of this command.

crypto dynamic-map map-name map-index set pfs [ group1 | group2 | group5 | group14 | group19 | group20 | group21 | group24 ]

no crypto dynamic-map map-name map-index set pfs [ group1 | group2 | group5 | group14 | group19 | group20 | group21 | group24 ]

Syntax Description

group14

Specifies which Diffie-Hellman key exchange group to use.

group15

Specifies which Diffie-Hellman key exchange group to use.

group16

Specifies which Diffie-Hellman key exchange group to use.

group19

Specifies which Diffie-Hellman key exchange group to use.

group20

Specifies which Diffie-Hellman key exchange group to use.

group21

Specifies which Diffie-Hellman key exchange group to use.

group24

Specifies which Diffie-Hellman key exchange group to use.

map-name

Specifies the name of the crypto map set.

map-index

Specifies the number you assign to the crypto map entry.

Command Default

By default, PFS is not set.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Global Configuration

  • Yes

  • Yes

  • Yes

  • Yes

Command History

Release

Modification

7.0(1)

This command was modified to add Diffie-Hellman group 7.

8.0(4)

The group 7 command option was deprecated. Attempts to configure group 7 will generate an error message and use group 5 instead.

9.0(1)

Support for multiple context mode was added.

9.12(1)

Support was removed for DH group 1. The group 1 commands was deprecated.

9.13(1)

Support for group14, 15, and 16 command option was added. The group 2 and group 5 commands were deprecated and will be removed in later releases.

9.15(1)

Support for group 1, 2, 5 and 24 command options is removed in this release.

With PFS, every time a new security association is negotiated, a new Diffie-Hellman exchange occurs, which requires additional processing time. PFS adds another level of security because if one key is ever cracked by an attacker, only the data sent with that key is compromised.

The crypto dynamic-map commands, such as match address , set peer , and s et pfs are described with the crypto map commands. If the peer initiates the negotiation and the local configuration specifies PFS, the peer must perform a PFS exchange or the negotiation fails. If the local configuration does not specify a group, the ASA assumes a default of group2. If the local configuration does not specify PFS, it accepts any offer of PFS from the peer.

When interacting with the Cisco VPN Client, the ASA does not use the PFS value, but instead uses the value negotiated during Phase 1.

Examples

The following example specifies that PFS should be used whenever a new security association is negotiated for the crypto dynamic-map mymap 10. The group specified is group 2:


ciscoasa(config)# crypto dynamic-map mymap 10 set pfs group2
The following example specifies support for group14:
ciscoasa(config)# crypto dynamic-map mymap 10 set pfs groyp14
ciscoasa(config)# crypto dynamic-map mymap 10 set pfs group2 (DEPRECATED)

crypto dynamic-map set reverse route

See the crypto map set reverse-route command for additional information about this command.

crypto dynamic-map dynamic-map-name dynamic-seq-num set reverse route

no crypto dynamic-map dynamic-map-name dynamic-seq-num set reverse route

Syntax Description

dynamic-map-name

Specifies the name of the crypto map set.

dynamic-seq-num

Specifies the number you assign to the crypto map entry.

Command Default

The default value for this command is off.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Global Configuration

  • Yes

  • Yes

  • Yes

Command History

Release

Modification

7.0(1)

This command was added.

9.0(1)

Support for multiple context mode was added.

Examples

The following command enables Reverse Route Injection for the crypto dynamic map named mymap:


ciscoasa(config)# crypto dynamic-map mymap 10 set reverse route
ciscoasa(config)#

crypto dynamic-map set security-association lifetime

To override (for a particular dynamic crypto map entry) the global lifetime value, which is used when negotiating IPsec security associations, use the crypto dynamic-map set security-association lifetime command in global configuration mode. To reset a dynamic crypto map entry's lifetime value to the global value, use the no form of this command.

crypto dynamic-map map-name seq-num set security-association lifetime { seconds number | kilobytes { number | unlimited } }

no crypto dynamic-map map-name seq-num set security-association lifetime { seconds number | kilobytes { number | unlimited } }

Syntax Description

kilobytes {number | unlimited }

Specifies the volume of traffic (in kilobytes) that can pass between peers using a given security association before that security association expires. The range is 10 to 2147483647 kbytes. The global default is 4,608,000 kilobytes.

This setting does not apply to remote access VPN connections. It applies to site-to-site VPN only.

map-name

Specifies the name of the crypto map set.

seconds number

Specifies the number of seconds a security association will live before it expires. The range is 120 to 214783647 seconds. The global default is 28,800 seconds (eight hours).

This setting applies to both remote access and site-to-site VPN.

seq-num

Specifies the number that you assign to the crypto map entry.

Command Default

The default number of kilobytes is 4,608,000; the default number of seconds is 28,800.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Global Configuration

  • Yes

  • Yes