User Guide for Cisco Security Manager 4.4, OL-28826-01, page 25-60
Chapter 25 Configuring IKE and IPsec Policies
Understanding Public Key Infrastructure Policies
Certificate Auto-Enrollment
(IOS devices only.)
The percentage of the current certificate's lifetime after which the router requests a new certificate. For example, if you enter 70, the router requests a new certificate once 70% of the current certificate's lifetime has elapsed. Values range from 10% to 100%.
If you do not specify a value, the router requests a new certificate only after the current certificate has expired. In that case there is no period during which the device still holds a valid certificate while the CA issues the replacement, so choose a percentage low enough for the re-enrollment to complete before expiry.
Include Device's Serial Number
Whether to include the serial number of the device in the certificate.
Tip: The CA uses the serial number either to authenticate certificates or to later associate a certificate with a particular device. If in doubt, include the serial number; it is useful for debugging.
RSA Key Pair Name
(PIX 7.0+, ASA, IOS devices only.)
If the key pair you want to associate with the certificate already exists, this field specifies the name of that key pair.
If the key pair does not exist, this field specifies the name to assign to the key pair that will be generated during enrollment.
Note: If you do not specify an RSA key pair, the fully qualified domain name (FQDN) key pair is used instead. On PIX and ASA devices, the key pair must exist on the device before deployment.
RSA Key Size
(IOS devices only.)
If the key pair does not exist, the size (modulus) of the key to generate, in bits. For a modulus between 512 and 1024, enter a multiple of 64. For a modulus larger than 1024, enter 1536 or 2048. This guide's recommended size is 1024; current guidance (for example NIST SP 800-131A) no longer accepts 1024-bit RSA for signature generation, so use 2048 wherever the CA and device support it.
Note: The larger the modulus, the stronger the key. However, larger keys take longer to generate (a minute or more on these platforms when larger than 512 bits) and longer to process when exchanged.
RSA Encryption Key Size
(IOS devices only.)
The size, in bits, of a second RSA key pair. Specify it when you want separate signature and encryption key pairs, each with its own certificate, rather than a single general-purpose key pair.
Source Interface
(IOS devices only.)
The source address for all outgoing connections sent to a CA or LDAP server during authentication, enrollment, and when obtaining a revocation list. This parameter may be necessary when the CA server or LDAP server cannot respond to the address from which the connection originated (for example, because of a firewall).
If you do not define a value in this field, the address of the outgoing interface is used.
Enter the name of an interface or interface role, or click Select to select it. If the object that you want is not listed, click the Create button to create it.
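The parameters in this table, modelled as a small Python check. This is an added example, not code from Cisco Security Manager or Cisco IOS; the trustpoint label CSM-CA, the key pair name vpn-keys, the constructed validity period and the mapping of the fields onto IOS trustpoint commands (auto-enroll, serial-number, rsakeypair, source interface) are assumptions of the example, not statements from the table. It validates the documented value ranges, computes when auto-enrollment fires for a given certificate lifetime, shows that leaving the percentage unset leaves no margin before expiry, and renders the corresponding trustpoint configuration.

```python
"""PKI enrollment parameters from Table 25-12, modelled in Python.

Added example; not Cisco Security Manager or Cisco IOS code. The IOS
command mapping in render_ios() is an assumption of this example.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional


@dataclass
class EnrollmentParams:
    trustpoint: str                             # hypothetical trustpoint label
    auto_enroll_percent: Optional[int] = None   # 10..100; None = renew only at expiry
    include_serial: bool = True
    key_pair_name: Optional[str] = None         # None = the FQDN key pair is used
    key_size: Optional[int] = None              # modulus, in bits
    encryption_key_size: Optional[int] = None   # second (encryption) key pair, in bits
    source_interface: Optional[str] = None      # None = address of the outgoing interface


def valid_modulus(bits: int) -> bool:
    """Sizes the table allows: multiples of 64 from 512 to 1024, otherwise 1536 or 2048."""
    if 512 <= bits <= 1024:
        return bits % 64 == 0
    return bits in (1536, 2048)


def key_strength_warning(bits: int) -> Optional[str]:
    """A size the dialog accepts is not necessarily one you should deploy."""
    if bits < 2048:
        return f"{bits}-bit RSA is below current minimum guidance; use 2048"
    return None


def validate(p: EnrollmentParams) -> List[str]:
    """Problems that fall outside the documented ranges (empty list = acceptable)."""
    problems = []
    if p.auto_enroll_percent is not None and not 10 <= p.auto_enroll_percent <= 100:
        problems.append(f"auto-enroll percent {p.auto_enroll_percent} is outside 10..100")
    for label, bits in (("key size", p.key_size),
                        ("encryption key size", p.encryption_key_size)):
        if bits is not None and not valid_modulus(bits):
            problems.append(f"{label} {bits} is not an allowed modulus")
    return problems


def renewal_time(not_before: datetime, not_after: datetime,
                 percent: Optional[int]) -> datetime:
    """When the router requests a new certificate.

    With a percentage, once that fraction of the lifetime has elapsed; with
    none, only when the current certificate has already expired.
    """
    if percent is None:
        return not_after
    # Integer multiply then divide keeps the timedelta arithmetic exact.
    return not_before + (not_after - not_before) * percent / 100


def renewal_margin(not_before: datetime, not_after: datetime,
                   percent: Optional[int]) -> timedelta:
    """Time left on the old certificate while the CA issues the new one.

    Zero means the device runs without a valid certificate until the CA
    responds, which is what leaving the percentage unset produces.
    """
    return not_after - renewal_time(not_before, not_after, percent)


def render_ios(p: EnrollmentParams) -> List[str]:
    """IOS trustpoint configuration for the parameters (assumed field-to-command mapping)."""
    lines = [f"crypto pki trustpoint {p.trustpoint}"]
    if p.auto_enroll_percent is not None:
        lines.append(f" auto-enroll {p.auto_enroll_percent}")
    if p.include_serial:
        lines.append(" serial-number")
    if p.key_pair_name:
        cmd = f" rsakeypair {p.key_pair_name}"
        if p.key_size:
            cmd += f" {p.key_size}"
            # A second size requests separate signature and encryption key pairs.
            if p.encryption_key_size:
                cmd += f" {p.encryption_key_size}"
        lines.append(cmd)
    if p.source_interface:
        lines.append(f" source interface {p.source_interface}")
    return lines


if __name__ == "__main__":
    params = EnrollmentParams("CSM-CA", auto_enroll_percent=70,
                              key_pair_name="vpn-keys", key_size=2048,
                              source_interface="Loopback0")
    assert validate(params) == []
    # Constructed validity period: a 10-day certificate.
    nb, na = datetime(2024, 1, 1), datetime(2024, 1, 11)
    print("renew at", renewal_time(nb, na, 70))
    print("margin with percentage unset", renewal_margin(nb, na, None))
    print("\n".join(render_ios(params)))
```

The modulus check encodes exactly the rule stated in the table, so a value such as 1000 (not a multiple of 64) or 4096 (not 1536 or 2048) is rejected even though a newer IOS release might accept it; the separate strength warning is where the 2048-bit minimum is enforced, because the dialog itself still permits 1024.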
Table 25-12 PKI Enrollment Dialog Box—Enrollment Parameters Tab (Continued)