Create CSR and Install certificate in Cisco ASA Firewall

Generate CSR via Cisco ASA CLI Commands

1. Before generating a CSR, create the RSA key pair that the request will be built on. The private half never leaves the firewall; only the CSR is exported.

(config)# crypto key generate rsa label itadminguide.key modulus 2048
INFO: The name for the keys will be: itadminguide.key
Keypair generation process begin. Please wait...

2. Once the key pair exists, create a trustpoint that references it. The trustpoint holds the DN attributes and enrollment settings used to build the new CSR.

(config)# crypto ca trustpoint my.digicert.trustpoint

3. Provide the CSR subject attributes to the trustpoint

(config-ca-trustpoint)# subject-name CN=vpn.itadminguide.com, OU=IT, O=Oracle Corporate Limited, C=ZH, St=Switzerland, L=Zurich

If you get an error such as 'The subject name must be in X.500 (LDAP) format', check that every attribute is written as TYPE=value and separated by commas, and that C is a two-letter country code rather than a full state or country name.

4. Specify the key pair created in step 1

(config-ca-trustpoint)# keypair itadminguide.key

5. Specify the fully qualified domain name (the common name of the request), for example vpn.itadminguide.com. Use the domain name that AnyConnect clients will connect to, because the client validates the certificate against the name it dials.

(config-ca-trustpoint)# fqdn vpn.itadminguide.com

6. Specify manual (terminal) enrollment so the CSR is printed on the console instead of being sent to a CA over SCEP

(config-ca-trustpoint)# enrollment terminal

7. Exit trustpoint configuration mode

(config-ca-trustpoint)# exit

8. Generate the CSR, then copy it and submit it to your CA or third-party certificate provider such as DigiCert or Entrust.

(config)# crypto ca enroll my.digicert.trustpoint

WARNING: The certificate enrollment is configured with an fqdn
that differs from the system fqdn. If this certificate will be
used for VPN authentication this may cause connection problems.

Would you like to continue with this enrollment? [yes/no] : yes

Start certificate enrollment 
The subject name in the certificate will be: CN=vpn.itadminguide.com, OU=IT, O=Oracle Corporate Limited, C=ZH, St=Switzerland, L=Zurich

The fully-qualified domain name in the certificate will be: vpn.itadminguide.com

Include the device serial number in the subject name? [yes/no] : no

Display Certificate Request to terminal? [yes/no] : yes

Certificate Request follows:

-----BEGIN CERTIFICATE REQUEST-----
-----END CERTIFICATE REQUEST-----
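The X.500 error in step 3 and the fqdn warning above are both caught by a quick check of the values before they are typed into the firewall. The following script is an added example, not code from the original article or from Cisco: it parses the subject-name string, checks the country code, the CN/fqdn match and the key size, and only then renders the CLI lines from the steps above. The accepted attribute set (taken from the article's own subject-name line) and the function names are assumptions of this example.

```python
"""Pre-flight check of the trustpoint values before 'crypto ca enroll'.

Added example, not code from the original article. It validates the
subject-name string, the fqdn and the key size so that the
'subject name must be in X.500 (LDAP) format' error and the fqdn-mismatch
warning are caught before anything is typed into the ASA.
"""
import re

# Attribute types used in the article's subject-name line. Assumption: the
# ASA compares them case-insensitively, which is why it accepts 'St' for ST.
ACCEPTED_ATTRS = {"CN", "OU", "O", "C", "ST", "L"}


def parse_dn(dn: str) -> dict:
    """Split 'CN=a, OU=b, ...' into {TYPE: value}; raise on a malformed RDN."""
    attrs = {}
    for rdn in dn.split(","):
        rdn = rdn.strip()
        if not rdn:
            continue
        if "=" not in rdn:
            raise ValueError(f"'{rdn}' is not in TYPE=value form")
        attr_type, value = (s.strip() for s in rdn.split("=", 1))
        if not attr_type or not value:
            raise ValueError(f"'{rdn}' has an empty type or value")
        attrs[attr_type.upper()] = value
    return attrs


def check_enrollment(subject: str, fqdn: str, modulus: int) -> list:
    """Return the problems the ASA or the CA would reject or warn about."""
    try:
        attrs = parse_dn(subject)
    except ValueError as err:
        return [f"subject-name is not X.500 (LDAP) format: {err}"]

    problems = [f"unknown attribute type {t}" for t in attrs if t not in ACCEPTED_ATTRS]

    # C must be a two-letter country code, not a spelled-out country or state.
    country = attrs.get("C")
    if country is None:
        problems.append("C attribute missing")
    elif not re.fullmatch(r"[A-Za-z]{2}", country):
        problems.append(f"C={country} must be a two-letter code, not a full name")

    # The CN should be the name AnyConnect clients connect to, i.e. the fqdn.
    cn = attrs.get("CN")
    if cn is None:
        problems.append("CN attribute missing")
    elif cn.lower() != fqdn.lower():
        problems.append(f"CN={cn} differs from fqdn {fqdn}; clients validate the name they dial")

    # Public CAs do not issue for RSA keys shorter than 2048 bits.
    if modulus < 2048:
        problems.append(f"modulus {modulus} is below 2048")
    return problems


def enrollment_config(trustpoint: str, key_label: str, subject: str,
                      fqdn: str, modulus: int) -> str:
    """Render the CLI lines from the article, in order, once the checks pass."""
    problems = check_enrollment(subject, fqdn, modulus)
    if problems:
        raise ValueError("; ".join(problems))
    return "\n".join([
        f"crypto key generate rsa label {key_label} modulus {modulus}",
        f"crypto ca trustpoint {trustpoint}",
        f" subject-name {subject}",
        f" keypair {key_label}",
        f" fqdn {fqdn}",
        " enrollment terminal",
        " exit",
        f"crypto ca enroll {trustpoint}",
    ])


if __name__ == "__main__":
    # Values from the article, used here as sample input.
    print(enrollment_config(
        "my.digicert.trustpoint", "itadminguide.key",
        "CN=vpn.itadminguide.com, OU=IT, O=Oracle Corporate Limited, C=ZH, St=Switzerland, L=Zurich",
        "vpn.itadminguide.com", 2048))
```

Run it once with the intended values; if it raises, the same string would have failed on the ASA, and fixing it here avoids a half-configured trustpoint on the firewall.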


Install SSL Certificate via ASDM


Configure WebVPN to use the SSL certificate

(config)# ssl trust-point my.digicert.trustpoint outside
(config)# exit
# wr mem


Troubleshooting

# show crypto ca certificates

# show run ssl
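The two commands above tell you whether the signed certificate was imported into the trustpoint and whether that trustpoint is the one bound to the outside interface. The script below is an added example, not code from the original article or from Cisco: it parses both outputs and flags a missing ssl trust-point binding, a missing identity certificate, a self-signed identity certificate, and expiry within a warning window. The sample output is constructed to resemble ASA output and is not captured from a device; the function names are my own.

```python
"""Post-install check over 'show crypto ca certificates' and 'show run ssl'.

Added example, not from the original article. The sample outputs below are
constructed to resemble ASA output; they were not captured from a device.
"""
import re
from datetime import datetime, timedelta, timezone
from typing import Optional

SHOW_CRYPTO_CA_CERTIFICATES = """\
CA Certificate
  Status: Available
  Certificate Serial Number: 01
  Public Key Type: RSA (2048 bits)
  Issuer Name:
    cn=Example Root CA
    o=Example Ltd
  Subject Name:
    cn=Example Root CA
    o=Example Ltd
  Validity Date:
    start date: 00:00:00 UTC Jan 1 2020
    end   date: 23:59:59 UTC Jan 1 2035
  Associated Trustpoints: my.digicert.trustpoint

Certificate
  Status: Available
  Certificate Serial Number: 0a1b2c3d
  Public Key Type: RSA (2048 bits)
  Issuer Name:
    cn=Example Root CA
    o=Example Ltd
  Subject Name:
    cn=vpn.itadminguide.com
    ou=IT
    o=Oracle Corporate Limited
  Validity Date:
    start date: 00:00:00 UTC Mar 1 2025
    end   date: 23:59:59 UTC Mar 1 2026
  Associated Trustpoints: my.digicert.trustpoint
"""

SHOW_RUN_SSL = """\
ssl server-version tlsv1.2
ssl trust-point my.digicert.trustpoint outside
"""


def parse_certificates(text: str) -> list:
    """Turn each entry of 'show crypto ca certificates' into a dict."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        entry = {"kind": lines[0].strip(), "status": None, "subject_cn": None,
                 "issuer_cn": None, "not_after": None, "trustpoint": None}
        section = None
        for line in lines[1:]:
            s = line.strip()
            if s.startswith("Status:"):
                entry["status"] = s.split(":", 1)[1].strip()
            elif s.startswith("Issuer Name:"):
                section = "issuer"
            elif s.startswith("Subject Name:"):
                section = "subject"
            elif s.startswith("Validity Date:"):
                section = "validity"
            elif s.startswith("Associated Trustpoints:"):
                entry["trustpoint"] = s.split(":", 1)[1].strip()
                section = None
            elif section in ("issuer", "subject") and s.lower().startswith("cn="):
                if entry[section + "_cn"] is None:      # keep the first cn= of the name
                    entry[section + "_cn"] = s[3:].strip()
            elif section == "validity" and s.startswith("end"):
                stamp = s.split("date:", 1)[1].strip()   # e.g. 23:59:59 UTC Mar 1 2026
                entry["not_after"] = datetime.strptime(
                    stamp, "%H:%M:%S %Z %b %d %Y").replace(tzinfo=timezone.utc)
        entries.append(entry)
    return entries


def ssl_trustpoint(show_run_ssl: str, interface: str = "outside") -> Optional[str]:
    """Name of the trustpoint bound to the interface by 'ssl trust-point', if any."""
    m = re.search(rf"^ssl trust-point (\S+) {re.escape(interface)}\s*$", show_run_ssl, re.M)
    return m.group(1) if m else None


def check_vpn_certificate(show_certs: str, show_run_ssl: str, now: datetime,
                          warn_days: int = 30, interface: str = "outside") -> list:
    """Return findings; an empty list means the interface serves a healthy CA-issued cert."""
    trustpoint = ssl_trustpoint(show_run_ssl, interface)
    if trustpoint is None:
        return [f"no 'ssl trust-point ... {interface}' line: the interface still "
                "serves the ASA's default self-signed certificate"]
    identity = [c for c in parse_certificates(show_certs)
                if c["kind"] == "Certificate" and c["trustpoint"] == trustpoint]
    if not identity:
        return [f"trustpoint {trustpoint} has no identity certificate: the signed "
                "certificate was never imported"]
    cert, findings = identity[0], []
    if cert["status"] != "Available":
        findings.append(f"identity certificate status is {cert['status']}")
    if cert["subject_cn"] == cert["issuer_cn"]:
        findings.append("identity certificate is self-signed")
    remaining = cert["not_after"] - now
    if remaining < timedelta(0):
        findings.append(f"certificate for {cert['subject_cn']} expired on "
                        f"{cert['not_after'].date().isoformat()}")
    elif remaining < timedelta(days=warn_days):
        findings.append(f"certificate for {cert['subject_cn']} expires in "
                        f"{remaining.days} days; renew now")
    return findings


if __name__ == "__main__":
    print(check_vpn_certificate(SHOW_CRYPTO_CA_CERTIFICATES, SHOW_RUN_SSL,
                                datetime.now(timezone.utc)))
```

Feed it the real command output captured from the ASA (for example by pasting the two outputs into files) and run it from a scheduled job; an empty result means the certificate is present, CA-issued, and not expiring within the window.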