Specifications
6-10
Cisco PIX Firewall and VPN Configuration Guide
78-15033-01
Chapter 6 Configuring IPSec and Certification Authorities
Using Certification Authorities
Follow these steps to enable your PIX Firewall to interoperate with a CA and obtain your PIX Firewall
certificate(s):
Step 1 Configure the PIX Firewall host name:
hostname newname
For example:
hostname mypixfirewall
In this example, “mypixfirewall” is the name of a unique host in the domain.
Step 2 Configure the PIX Firewall domain name:
domain-name name
For example:
domain-name example.com
Step 3 Generate the PIX Firewall RSA key pair(s):
ca generate rsa key key_modulus_size
For example:
ca generate rsa key 512
In this example, one general purpose RSA key pair is to be generated. The other option is to generate
two special-purpose keys. The selected size of the key modulus is 512.
Step 4 (Optional) View your RSA key pair(s):
show ca mypubkey rsa
The following is sample output from the show ca mypubkey rsa command:
show ca mypubkey rsa
% Key pair was generated at: 15:34:55 Aug 05 1999
Key name: mypixfirewall.example.com
Usage: General Purpose Key
Key Data:
305c300d 06092a86 4886f70d 01010105 00034b00 30480241 00c31f4a ad32f60d
6e7ed9a2 32883ca9 319a4b30 e7470888 87732e83 c909fb17 fb5cae70 3de738cf
6e2fd12c 5b3ffa98 8c5adc59 1ec84d78 90bdb53f 2218cfe7 3f020301 0001
Step 5 Declare a CA:
ca identity ca_nickname ca_ipaddress [:ca_script_location] [ldap_ip address]
For example:
ca identity myca.example.com 209.165.202.130
In this example, 209.165.202.130 is the IP address of the CA. The CA name is myca.example.com.
Note The CA may require a particular name for you to use, such as its domain name. When using
VeriSign as your CA, VeriSign assigns the CA name you are to use in your CA configuration.