Adding an Identity Certificate Object Using PKCS12

The Enrollment step is set to Terminal.

A PKCS#12, or PFX, file holds a server certificate, intermediate certificates, and a private key in one encrypted file. Enter the Passphrase value for decryption.

In the Revocation tab, you can configure the following:

• Enable Certificate Revocation Lists (CRL) — Check to enable CRL checking.

  By default the Use CRL distribution point from the certificate check box is selected to obtain the revocation lists distribution URL from the certificate.

  Cache Refresh Time (in minutes) — Enter the number of minutes between cache refreshes. The default is 60 minutes. The range is 1-1440 minutes. To avoid having to retrieve the same CRL from a CA repeatedly, the ASA can store retrieved CRLs locally, which is called CRL caching. The CRL cache capacity varies by platform and is cumulative across all contexts. If an attempt to cache a newly retrieved CRL would exceed its storage limits, the ASA removes the least recently used CRL until more space becomes available.

• Enable Online Certificate Status Protocol (OCSP) — Check to enable OCSP checking.

  OCSP Server URL—The URL of the OCSP server checking for revocation if you require OCSP checks. This URL must start with http://.

  Disable Nonce Extension — Enable the check box which cryptographically binds requests with responses to avoid replay attacks. This process works by matching the extension in the request to that in the response, ensuring that they are the same. Uncheck the Disable Nonce Extension check box if the OCSP server you are using sends pregenerated responses that do not include this matching nonce extension.

  Evaluation Priority — Specify whether to evaluate the revocation status of a certificate first in CRL or OSCP.

• Consider the certificate valid if revocation information cannot be reached— Select this check box to consider the certificate to be a valid certificate if revocation information is unreachable.

  For more information on revocation check, see the "Digital Certificates" chapter in the " Basic Settings" book of the Cisco ASA Series General Operations ASDM Configuration, X.Y document.

Click the Others tab:

• Use CA Certificate for the Validation of — Specify the type of connections that can be validated by this CA.

  • IPSec Client — Validates certificate presented by remote SSL servers.

  • SSL Client — Validates certificates presented by incoming SSL connections.

  • SSL Server — Validates certificates presented by incoming IPSec connections.

• Use Identity Certificate for — Specify how the enrolled ID certificate can be used.

  • SSL & IPSec — Use for authenticating SSL & IPSec connections

  • Code Signer — Code signer certificates are special certificates whose associated private keys are used to create digital signatures. The certificates used to sign code are obtained from a CA, with the signed code itself revealing the certificate origin.

• Other Options:

  • Enable CA flag in basic constraints extension — Select this option if this certificate should be able to sign other certificates. The basic constraints extension identifies whether the subject of the certificate is a Certificate Authority (CA), in which case the certificate can be used to sign other certificates. The CA flag is part of this extension.

  • Accept certificates issued by this CA — Select this option to indicate that the ASA should accept certificates from the specified CA.

  • Ignore IPSec Key Usage — Select this option if you do not want to validate values in the key usage and extended key usage extensions of IPsec remote client certificates. You can suppress key usage checking on IPsec client certificates. By default, this option is not enabled.