How do I generate a CSR on Cisco ASA 7.x using ASDM?

Problem

How do I generate a CSR on Cisco ASA 7.x using ASDM?

Solution

Cisco ASA 7.x has two methods of creating and installing SSL Certificates: through the command line and using the GUI.  This article describes the process using the GUI, named the ASDM (Adaptive Security Device Manager).  Creating the Certificate Signing Request is done in two steps:

Part I - Generating the Private Key

  1. Click Configuration, and then click Properties.

  2. Expand Certificate, and choose Key Pair.

  3. Click Add.

  4. Enter the key name, choose the modulus size, and select the usage type.

    Note: The recommended key pair size is 2048.

  5. Click Generate.

    The key pair you created should be listed in the Key Pair Name column.


Part II - Creating the Trustpoint

  1. Click Configuration, and then click Properties.

  2. Expand Certificate, and then expand Trustpoint.

  3. Choose Configuration, and click Add.

  4. Configure the Trustpoint Name. The trustpoint name should be relevant to the intended usage.

  5. Configure the Key pair: Select the key pair generated in Part I of this document.

  6. Ensure Manual Enrollment is selected.

  7. Click Certificate Parameters.

  8. In the Certificate Parameters box that appears, click Edit, and configure the following attributes:

    CN: This will be the Common Name on the certificate. The Common Name is the Host + Domain Name. It looks like secure.example.com or example.com.

    OU: This optional field is the name of the department or other group making the request.

    O: The legal name of your organization.

    C: Use the two-letter code of your country without punctuation, for example: BM or UK or CH.

    ST: Spell out the state completely; do not abbreviate the parish, state or province name, for example: Pembroke or Connecticut.

    L: The locality field is the city or town name, for example: Hamilton or Stamford.

    Note: In order to configure these values, you must choose a value from the Attribute drop-down list, enter the value, and click Add.

  9. Once the appropriate values are added, click OK.

  10. In the Certificate Parameters dialog box, enter the Fully Qualified Domain Name in the Specify FQDN field.

    Note: This value should be the same value that you used for the Common Name (CN) field earlier.

  11. Click OK.

  12. Verify the correct key pair is selected, and click the Use manual enrollment radio button.

  13. Click OK, and then click Apply.


Part III - Generating the Certificate Enrollment

  1. Click Configuration, and then click Properties.

  2. Expand Certificate, and choose Enrollment.

  3. Verify the Trustpoint created in Part II is selected. Click Enroll.

  4. A dialog box appears that lists the certificate enrollment request (or Certificate Signing Request).

  5. Copy the PKCS#10 enrollment request to a text file, and then submit the CSR to QuoVadis.
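
Before submitting, the saved text file can be checked on a workstation to confirm that the request is intact, uses a key of the recommended size, and carries the intended Common Name. The script below is an added example, not part of the original article or of any Cisco or QuoVadis tooling; it assumes the OpenSSL command-line tool is installed, and the function names, file names and sample subject are hypothetical.

```shell
#!/bin/sh
# Added example: sanity-check a PKCS#10 CSR before sending it to the CA.
# Assumes the OpenSSL CLI is installed; all file names are hypothetical.

# check_csr FILE EXPECTED_FQDN [MIN_BITS]
# Returns 0 only if the request's self-signature verifies, the public key is
# at least MIN_BITS (default 2048, the size recommended in Part I) and the
# subject CN equals EXPECTED_FQDN (compared case-insensitively).
check_csr() {
    csr=$1; want=$2; min_bits=${3:-2048}

    # Older OpenSSL releases exit 0 even when verification fails, so test
    # the message text rather than the exit status.
    openssl req -in "$csr" -noout -verify 2>&1 | grep -q 'verify OK' ||
        { echo "FAIL: not a parseable, correctly signed CSR"; return 1; }

    bits=$(openssl req -in "$csr" -noout -text |
        sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1)
    [ -n "$bits" ] && [ "$bits" -ge "$min_bits" ] ||
        { echo "FAIL: key is ${bits:-unknown} bits, need $min_bits"; return 1; }

    # multiline output puts each subject attribute on its own line
    cn=$(openssl req -in "$csr" -noout -subject -nameopt multiline |
        sed -n 's/^ *commonName *= *//p' | head -n 1)
    cn_lc=$(printf '%s' "$cn" | tr 'A-Z' 'a-z')
    want_lc=$(printf '%s' "$want" | tr 'A-Z' 'a-z')
    [ "$cn_lc" = "$want_lc" ] ||
        { echo "FAIL: CN is '$cn', expected '$want'"; return 1; }

    echo "OK: $bits-bit key, CN=$cn"
}

# make_sample_csr OUTFILE
# Builds a constructed stand-in for the request copied out of ASDM, so the
# check can be tried without an ASA. The throwaway private key is deleted.
make_sample_csr() {
    openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1" \
        -subj '/C=BM/ST=Pembroke/L=Hamilton/O=Example Ltd/CN=secure.example.com' \
        2>/dev/null
    rm -f "$1.key"
}

# Usage: sh check_csr.sh asa.csr secure.example.com
if [ $# -ge 2 ]; then check_csr "$@"; fi
```

A failed check usually means the request was truncated when copied from the dialog box, or that the wrong key pair or Common Name was selected in Part II.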