ASA Local CA Deprecated: Use Windows CA

KB ID 0001616


I got an email about this last night. I rarely ever use the ASA as a Local CA, but that has now been completely deprecated (post version 9.12(x)). The documentation tells us:

Local CA server is deprecated in 9.12(1), and will be removed in a later release—When ASA is configured as local CA server, it is enabled to issue digital certificates, publish Certificate Revocation Lists (CRLs), and securely revoke issued certificates. This feature has become obsolete and hence the crypto CA server command is deprecated.

OK, so if you want to ‘self sign’ certificates then you can use Microsoft Certificate Services. 


Setting up Microsoft Certificate Services is a subject I’ve ‘done to death’; see the following article:

Microsoft PKI Planning and Deploying Certificate Services

What about user/computer certificates? See the following article.

Deploying Certificates via ‘Auto Enrollment’

Can I automate this? Yes, use NDES.

Cisco ASA – Enrolling for Certificates with NDES

Author: PeteLong
