GENERATE CSR AND INSTALL CERTIFICATE – CISCO ASA 5500


CREATE CSR

Generating a Certificate Signing Request (CSR) on a Cisco ASA 5500 VPN/Firewall

Article Purpose:  This article provides step-by-step instructions for generating a Certificate Signing Request (CSR) on a Cisco ASA 5500 VPN/Firewall.

  • From the Cisco Adaptive Security Device Manager (ASDM) select Configuration and then Device Management.
  • Expand Certificate Management then select Identity Certificates. Click Add.
  • Select Add a New Identity Certificate. Click New… for the Key Pair.

  • Select Enter New Key Pair Name and enter any name for the key pair. Make sure the key size is “2048” and the usage is selected for ‘General purpose’. Click Generate Now to create your key pair.

Next you will define the Certificate Subject DN by clicking Select to the right of that field. In the Certificate Subject DN window, configure the following values by selecting each from the Attribute drop-down list, entering the appropriate value, and clicking Add.
CN – The name through which the firewall will be accessed (usually the Fully Qualified Domain Name, e.g., vpn.domain.com).

OU – The name of your department within the organization (frequently this entry will be listed as ‘IT’, ‘Web Security’, or is simply left blank).

O – The legally registered name of your organization/company.

C – Your country’s two-letter code.

ST – The state in which your organization is located.

L – The city in which your organization is located.

  • Click Advanced in the Add Identity Certificate window.

  • In the FQDN field, type in the Fully Qualified Domain Name through which the device will be accessed externally, e.g., vpn.domain.com (or the same name as was entered in the CN value in Step 5).
  • Click OK and then Add Certificate. You will be prompted to save your newly created CSR information as a text file with a ‘.txt’ extension.

Remember the filename that you choose and the location to which you save it. You will need to open this file as a text file and copy the entire body of it, including the beginning and end tags, into the online order process when prompted.

INSTALL CERTIFICATE

Installing Your Certificate on a Cisco ASA 5500 VPN/Firewall

Article Purpose: This article provides step-by-step instructions for installing your certificate on a Cisco ASA 5500 VPN/Firewall.

  • You will receive your SSL certificate and intermediate certificate by email. Copy each certificate from the email, paste each one into a separate text editor, and save the files to a safe location with a “.crt” extension (e.g., “gs_sslcertificate.crt”, “gs_intermediate.crt”).
  • In ASDM select Configuration and then Device Management.
  • Expand Certificate Management and select CA Certificates. Click Add.
  • Select the option Install From a File. Browse to your ‘gs_intermediate.crt’ file and then click Install Certificate. Your intermediate certificate file is now installed. Next, you need to install the ‘gs_sslcertificate.crt’ file.
  • In ASDM select Configuration and then Device Management.
  • Expand Certificate Management and select Identity Certificates.
  • Select the appropriate identity certificate from when your CSR was generated (the “Issued By” field should show as not available and the “Expiry Date” field will show “Pending…”). Click Install.
  • Browse to the “gs_sslcertificate.crt” provided by GlobalSign and click Install Certificate.
    You should receive confirmation that your certificate installation was successful.
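Before importing anything (by either the ASDM steps above or the command-line method below), a few checks on the files you already have catch the usual failures: a CSR with the wrong key size or CN, an issued certificate whose public key does not match the CSR (the import is rejected because the key pair on the trustpoint does not match), and a leaf that does not chain to the intermediate. This is an added example written for this page, not Cisco or GlobalSign tooling; it assumes OpenSSL on an administrator's workstation and the file names from the article, with the CSR saved as ‘csr.txt’ (an assumed name).

```sh
#!/bin/sh
# Added example: pre-import checks run on an admin workstation with OpenSSL.
# Inputs: the CSR text file saved by ASDM (assumed name csr.txt) and the
# gs_intermediate.crt / gs_sslcertificate.crt files saved from the email.

# Key size of the CSR's public key, e.g. 2048.
csr_key_bits() {
    openssl req -in "$1" -noout -text |
        sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# CN from the CSR subject; should equal the FQDN the VPN is reached on.
csr_subject_cn() {
    openssl req -in "$1" -noout -subject -nameopt RFC2253 |
        sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# True when the issued certificate ($2) carries the CSR's ($1) public key.
# If this fails, the ASA rejects the certificate at import time because the
# key pair on the trustpoint does not match it.
cert_matches_csr() {
    [ "$(openssl req -in "$1" -noout -pubkey)" = \
      "$(openssl x509 -in "$2" -noout -pubkey)" ]
}

# True when the leaf ($1) chains to the intermediate ($2). -partial_chain
# lets the intermediate act as the trust anchor although it is not a root.
chain_ok() {
    openssl verify -partial_chain -CAfile "$2" "$1" >/dev/null 2>&1
}

# Run all checks: precheck csr.txt gs_intermediate.crt gs_sslcertificate.crt
precheck() {
    echo "CSR CN: $(csr_subject_cn "$1"), key bits: $(csr_key_bits "$1")"
    cert_matches_csr "$1" "$3" || { echo "certificate does not match CSR key"; return 1; }
    chain_ok "$3" "$2" || { echo "leaf does not chain to intermediate"; return 1; }
    echo "OK: ready to import on the ASA"
}
```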


CONFIGURING THE WEB VPN WITH ASDM TO USE THE NEW SSL CERTIFICATE
  • In ASDM select Configuration and then Device Management.
  • Click Advanced and then SSL Settings.
  • From Certificates, choose the interface used to terminate WebVPN sessions. Click Edit.
  • From the Certificate drop-down, select the newly installed certificate. Click OK. Click Apply.

SSL CERTIFICATE INSTALLATION FROM THE CISCO ASA COMMAND LINE (ALTERNATE INSTALLATION METHOD)

  • From the ciscoasa(config)# line, enter the text:

crypto ca authenticate my.globalsign.trustpoint 

‘My.globalsign.trustpoint’ is the name of the trustpoint created when your certificate request was generated.

  • Enter the entire body of the ‘gs_intermediate.crt’ file followed by the word “quit” on a line by itself. The ‘gs_intermediate.crt’ file can be opened and edited with a standard text editor. The entire body of that file should be entered when prompted.
  • When asked to accept the certificate, enter ‘Yes’.
  • When the certificate has been successfully imported, enter ‘Exit’. Your Intermediate certificate file is now installed. You will now need to install the ‘gs_sslcertificate.crt’ file.
  • From the ciscoasa(config)# line, enter the text:

 crypto ca import my.globalsign.trustpoint certificate

‘My.globalsign.trustpoint’ is the name of the trustpoint created when your certificate request was generated.

Enter the entire body of the ‘gs_sslcertificate.crt’ file followed by the word ‘quit’ on a line by itself. The ‘gs_sslcertificate.crt’ file can be opened and edited with a standard text editor. The entire body of that file should be entered when prompted. You should receive a message that the certificate was successfully imported.


CONFIGURING WEB VPN TO USE THE NEW SSL CERTIFICATE FROM THE CISCO ASA COMMAND LINE
  • From the ciscoasa(config)# line, enter the text:

ssl trust-point my.globalsign.trustpoint outside
wr mem

‘My.globalsign.trustpoint’ is the name of the trustpoint created when your certificate request was generated. ‘Outside’ is the name of the interface being configured. The second command, ‘wr mem’ (write memory), saves the running configuration.

Save the configuration.

Last updated: August 4, 2017