ASA Local CA Depreciated: Use Windows CA

Home » ASA » ASA Local CA Depreciated: Use Windows CA

KB ID 0001616

Problem

I got an email about this last night, I rarely ever use the ASA as a Local CA, But that has now been completely depreciated, (post version 9.12(x)) The documentation tells us;

Local CA server is deprecated in 9.12(1), and will be removed in a later release—When ASA is configured as local CA server, it is enabled to issue digital certificates, publish Certificate Revocation Lists (CRLs), and securely revoke issued certificates. This feature has become obsolete and hence the crypto CA server command is deprecated.

OK, so if you want to ‘self sign’ certificates then you can use Microsoft Certificate Services.

Solution

<span data-mce-type="bookmark" style="display: inline-block; width: 0px; overflow: hidden; line-height: 0;" class="mce_SELRES_start"></span><span data-mce-type="bookmark" style="display: inline-block; width: 0px; overflow: hidden; line-height: 0;" class="mce_SELRES_start"></span><span data-mce-type="bookmark" style="display: inline-block; width: 0px; overflow: hidden; line-height: 0;" class="mce_SELRES_start"></span>

Setting up Microsoft Certificate Services is a subject I’ve ‘done to death’ see the following article;

Microsoft PKI Planning and Deploying Certificate Services

What about user/computer certificates? See the following article.

Deploying Certificates via ‘Auto Enrollment’

Can I automate this? Yes use NDES.

Cisco ASA – Enrolling for Certificates with NDES

Related Articles, References, Credits, or External Links

NA

Author: PeteLong

Submit a Comment Cancel reply