Obtaining Certificate Authorities (CAs)

Retrieving certificate authorities (CAs) with the PIX Firewall uses almost exactly the same method as that used on routers. The following are the commands used to obtain a CA. Note that these commands might not show in a configuration. The administrator should avoid rebooting the PIX during this sequence. The steps are explained as they are shown.

First, define your identity and the IP address of the interface to be used for the CA. Also configure the timeout of retries used to gain the certificate and the number of retries.

ca identity bigcompany.com 172.30.1.1
ca configure bigcompany.com ca 2 100

Generate the RSA key used for this certificate.

ca generate rsa key 512

Then get the public key and certificate.

ca authenticate bigcompany.com

Next, request the certificate, and finally, save the configuration.

ca enroll bigcompany.com enrollpassword
ca save all

At this point, you have saved your certificates to the flash memory and are able to use them. The configuration for using an existing CA is as follows:

domain-name bigcompany.com
isakmp enable outside
isakmp policy 8 auth rsa-signature
ca identity example.com 172.30.1.1
ca generate rsa key 512
access-list 60 permit ip 10.1.2.0 255.255.255.0
crypto map chicagotraffic 20 ipsec-isakmp
crypto map chicagotraffic 20 match address 60
crypto map chicagotraffic 20 set transform-set strong
crypto map chicagotraffic 20 set peer 172.30.1.2
crypto map chicagotraffic interface outside
sysopt connection permit-ipsec