Configuring CA Parameters
The next step, configuring the CA parameters, is done with the following
command:
ca configure ca_nickname ca | ra retry_period retry_count [crloptional]
This command specifies whether ca_nickname is a certificate authority (CA) or a
registration authority (RA). Some deployments use an RA, which the firewall
contacts instead of the CA. An RA is somewhat like a proxy for the CA but is rarely
used in small-to-medium-sized networks. The command also specifies the number of
retries the PIX should make when trying to contact this authority and the period
between requests (in minutes). The crloptional parameter tells the PIX to skip
checking a peer certificate against the CRL if the CRL is unavailable. If
crloptional is not set and the CRL is unavailable, the peer's certificate is
rejected. Note that crloptional does not disable revocation checking: when a CRL
can be retrieved, a certificate listed on it is still rejected.
NOTE
Always use the crloptional parameter with both the public and the in-house
versions of the VeriSign CAs, because they do not provide a CRL at all.
We will use the following:
PIX1(config)# ca configure verisign ca 1 20 crloptional
PIX2(config)# ca configure verisign ca 1 20 crloptional
This means that the authority previously identified as verisign is a CA, that it
does not support CRLs (so the CRL check is skipped when no CRL can be retrieved),
and that the PIX should retry 20 times, waiting 1 minute between attempts, before
giving up on the connection to this CA. To display the CA configuration settings,
use the show ca configure command.
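The following Python model is an added example, not code from the book or from Cisco. It reproduces the decision logic the ca configure parameters control so the effect of retry_period, retry_count and crloptional can be exercised offline: the CA transport, the CRL contents and the peer certificate serials are constructed stand-ins, and the retry count is taken to mean retries after the first attempt, as the prose above describes.

```python
# Added example (not the book's or Cisco's code): a model of the PIX
# 'ca configure' semantics described above. CA reachability, CRL contents and
# peer serials are constructed stand-ins; nothing here talks to a real CA.
from dataclasses import dataclass
from typing import Callable, List, Set, Tuple


class CAUnreachable(Exception):
    """Raised by a transport callback when the CA/RA does not respond."""


@dataclass
class CAConfig:
    """Fields of: ca configure ca_nickname ca|ra retry_period retry_count [crloptional]."""
    nickname: str
    kind: str            # "ca" or "ra"
    retry_period: int    # minutes to wait between attempts
    retry_count: int     # retries after the first attempt (assumed reading of the text)
    crloptional: bool = False

    def __post_init__(self) -> None:
        if self.kind not in ("ca", "ra"):
            raise ValueError("authority type must be 'ca' or 'ra'")


def contact_ca(cfg: CAConfig, send: Callable[[], None],
               sleep: Callable[[int], None]) -> Tuple[bool, int]:
    """Send a request to the authority, retrying retry_count times with
    retry_period minutes between attempts. Returns (answered, attempts_made)."""
    attempts = 1 + cfg.retry_count
    for i in range(1, attempts + 1):
        try:
            send()
            return True, i
        except CAUnreachable:
            if i < attempts:
                sleep(cfg.retry_period)
    return False, attempts


def validate_peer(cfg: CAConfig, peer_serial: int,
                  fetch_crl: Callable[[], Set[int]]) -> Tuple[bool, str]:
    """Accept or reject a peer certificate (identified by serial) under the CRL
    policy. fetch_crl() returns the revoked serials or raises CAUnreachable."""
    try:
        revoked = fetch_crl()
    except CAUnreachable:
        if cfg.crloptional:
            return True, "CRL unavailable, crloptional set: check skipped"
        return False, "CRL unavailable, crloptional not set: peer rejected"
    # crloptional never disables the check when a CRL is actually available.
    if peer_serial in revoked:
        return False, "serial listed in CRL: peer rejected"
    return True, "serial not in CRL: peer accepted"


def flaky_ca(failures: int) -> Callable[[], None]:
    """Constructed transport: raises CAUnreachable for the first `failures`
    calls, then answers."""
    state = {"left": failures}

    def send() -> None:
        if state["left"] > 0:
            state["left"] -= 1
            raise CAUnreachable()
    return send


def no_crl() -> Set[int]:
    """Constructed stand-in for a CA, like the VeriSign case above, that
    publishes no CRL at all."""
    raise CAUnreachable()


def demo() -> List[str]:
    """Walk the three cases a practitioner cares about and return a summary."""
    lines: List[str] = []
    # Mirrors: ca configure verisign ca 1 20 crloptional
    pix = CAConfig("verisign", "ca", retry_period=1, retry_count=20, crloptional=True)
    strict = CAConfig("verisign", "ca", retry_period=1, retry_count=20)
    waits: List[int] = []
    ok, tries = contact_ca(pix, flaky_ca(3), waits.append)
    lines.append(f"CA answered={ok} after {tries} attempts, waited {sum(waits)} min")
    for cfg in (pix, strict):
        accepted, why = validate_peer(cfg, 0x1001, no_crl)
        lines.append(f"crloptional={cfg.crloptional}: accepted={accepted} ({why})")
    accepted, why = validate_peer(pix, 0x1001, lambda: {0x1001})
    lines.append(f"CRL lists peer: accepted={accepted} ({why})")
    return lines


if __name__ == "__main__":
    print("\n".join(demo()))
```

The third case in demo() is the one worth remembering: with crloptional set, a CA that publishes no CRL still lets peers through, but a peer whose serial appears on a CRL that can be retrieved is rejected regardless of the flag.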