Retrieving certificate authorities (CAs) with the PIX Firewall uses almost exactly the same method as that used on routers. The following are the commands used to obtain a CA. Note that these commands might not show in a configuration. The administrator should avoid rebooting the PIX during this sequence. The steps are explained as they are shown.
First, define your identity and the IP address of the interface to be used for the CA. Also configure the timeout of retries used to gain the certificate and the number of retries.
ca identity bigcompany.com 172.30.1.1 ca configure bigcompany.com ca 2 100
Generate the RSA key used for this certificate.
ca generate rsa key 512
Then get the public key and certificate.
ca authenticate bigcompany.com
Next, request the certificate, and finally, save the configuration.
ca enroll bigcompany.com enrollpassword ca save all
At this point, you have saved your certificates to the flash memory and are able to use them. The configuration for using an existing CA is as follows:
domain-name bigcompany.com isakmp enable outside isakmp policy 8 auth rsa-signature ca identity example.com 172.30.1.1 ca generate rsa key 512 access-list 60 permit ip 10.1.2.0 255.255.255.0 crypto map chicagotraffic 20 ipsec-isakmp crypto map chicagotraffic 20 match address 60 crypto map chicagotraffic 20 set transform-set strong crypto map chicagotraffic 20 set peer 172.30.1.2 crypto map chicagotraffic interface outside sysopt connection permit-ipsec
3.146.34.146