Create CSR and Install certificate in Cisco ASA Firewall


Generate CSR via Cisco ASA CLI Commands

1. Before generating a CSR request, you must create a private key

(config)# crypto key generate rsa label itadminguide.key modulus 2048
INFO: The name for the keys will be:itadminguide.key
Keypair generation process begin. Please wait...

2. Once the private key is created, you will then need to create a trustpoint for your key. This will allow you to generate the DN information for your new CSR.

(config)# crypto ca trustpoint my.digicert.trustpoint

3. Provide your CSR attributes to your trustpoint

(config-ca-trustpoint)# subject-name, OU=IT, O=Oracle Corporate Limited, C=ZH, St=Switzerland, L=Zurich

When you get error like ‘The subject name must be in X.500 (LDAP) format. Check if C has 2 letters area code and not full state name.

4. Specify Key pair that is created in Step 1

(config-ca-trustpoint)# keypair itadminguide.key

5. Specify the COMMON NAME for your certificate request, example You can specify your preferred domain name for AnyConnect.

(config-ca-trustpoint)# fqdn

6. Specify manual enrollment

(config-ca-trustpoint)# enrollment terminal

7. exit

8. Generate CSR, copy and share with the CA or third-party certificate provider such as DigiCert or Entrust.

(config) # crypto ca enroll my.digicert.trustpoint

WARNING: The certificate enrollment is configured with an fgdn 
that differs from the system fgdn. If this certificate will be 
used for VPN authentication this may cause connection problems.

Would you like to continue with this enrollment? [yes/no] : yes

Start certificate enrollment 
The subject name in the certificate will be:, OU=IT, O=Oracle Corporate Limited, C=ZH, St=Switzerland, L=Zurich

The fully—qualified domain name in the certificate will be:

Include the device serial nu_mber in the subject name? [yes/no] : no

Display Certificate Request to terminal? [yes/no] : yes

Certificate Request follows:



Install SSL Certificate via ASDM


Configure WebVPN to use the SSL certificate

(config)# ssl trust-point my.digicert.trustpoint outside
(config)# exit
#wr me



# show crypto ca certificates

# show run ssl


Related Articles & Comments

Menu Title
%d bloggers like this: