01-30-2019 06:48 AM - edited 02-21-2020 08:43 AM
When generating self-signed certs, they default to a 10-year lifetime. Is there a way to amend this on self-signed certs at all?
I know I can do a CSR and get that via a CA, but I'm wanting to know if it's possible with a self-signed cert or not, please. I've been searching online for ages and been unable to find any info.
Thanks in advance
01-31-2019 01:01 AM
Hi Andrey,
By amending, you mean increasing the lifetime of the cert?
I don't think you can, because once a certificate is generated, you cannot modify it at all (you need to create a brand new one if you want additional attributes).
Actually you don't need to create a self-signed certificate, let's say for ASDM access, ASA generates a temporary self-signed for you.
Hope this helps.
Please rate
01-31-2019 03:39 AM
Thanks for the reply Bern
Basically ASA has a vpn using a trustpoint with a self-signed cert, 10yrs expiry.
A machine on the end of it creates the VPN, the ASA presents its ss-cert (which the connecting machine has a copy of in its Trusted CA list), it is happy, and it connects.
An external scan company here is applying the rules of Ballot 187/193, which is that Subscriber certs issued by CAs must be less than 825 days, against this self-signed cert, which isn't a Subscriber cert from a CA and expires in more than 825 days.
Instead of arguing with them on it, it's easier for me to just regenerate the certs and amend the lifetime, so I was wondering if there was a way on the ASA to do this, but it looked to me like you can only choose CN and RSA keys/encryption, and then it always generates it with a 10yr expiry.
So yeah, that. If not possible then I'm prepared to go the Trusted CA root, or run up a Microsoft CA/OpenSSL scenario to sign a CSR and choose the lifetime.
Thanks to anyone reading. If anyone knows whether you can amend the lifetime of an ss-cert when generating it on the ASA, please do let me know.
Kind regards
Andrew
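
The lifetime check the scan is described as applying can be reproduced locally before and after a certificate is reissued. This is an added example, not part of the original posts or any Cisco tooling: it parses the text printed by `openssl x509 -in cert.pem -noout -dates` and compares the validity period with the 825-day figure quoted in the thread. The sample dates are constructed, and treating exactly 825 days as acceptable is an assumption.

```python
"""Added example: flag certificates whose validity period exceeds a limit."""
import re
from datetime import datetime, timedelta

MAX_DAYS = 825  # figure quoted in the thread; boundary handling is an assumption

# Line format printed by: openssl x509 -in cert.pem -noout -dates
_DATE_RE = re.compile(r"^(notBefore|notAfter)=(.+?)\s*$", re.MULTILINE)
_FMT = "%b %d %H:%M:%S %Y GMT"


def parse_dates(text):
    """Return (not_before, not_after) parsed from `-dates` output."""
    found = {}
    for key, value in _DATE_RE.findall(text):
        # openssl pads single-digit days with an extra space; collapse it
        found[key] = datetime.strptime(" ".join(value.split()), _FMT)
    if set(found) != {"notBefore", "notAfter"}:
        raise ValueError("expected both notBefore= and notAfter= lines")
    if found["notAfter"] <= found["notBefore"]:
        raise ValueError("notAfter is not later than notBefore")
    return found["notBefore"], found["notAfter"]


def lifetime(text):
    """Validity period (notAfter - notBefore) as a timedelta."""
    not_before, not_after = parse_dates(text)
    return not_after - not_before


def exceeds_limit(text, max_days=MAX_DAYS):
    """True when the validity period is longer than max_days."""
    return lifetime(text) > timedelta(days=max_days)


# Constructed samples: a 3650-day (10-year style) cert and an 825-day cert
TEN_YEAR = "notBefore=Jan 30 06:48:00 2019 GMT\nnotAfter=Jan 27 06:48:00 2029 GMT\n"
SHORT = "notBefore=Jan 30 06:48:00 2019 GMT\nnotAfter=May  4 06:48:00 2021 GMT\n"

if __name__ == "__main__":
    for name, sample in (("ten-year", TEN_YEAR), ("short", SHORT)):
        days = lifetime(sample).days
        print(f"{name}: {days} days, over limit: {exceeds_limit(sample)}")
```
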