
Solution ID : SO14888

Install SSL Web Server Certificate onto CISCO ASA 5520

Problem

Install SSL Web Server Certificate

Install Certificate

Cause

 
This procedure provides steps for configuring certificates using manual certificate requests. These steps should be repeated for each trustpoint you configure for manual enrollment. When you have completed this procedure, the security appliance will have received a CA certificate for the trustpoint and one or two certificates for signing and encryption purposes. If you use general-purpose RSA keys, the certificate received is for signing and encryption. If you use separate RSA keys for signing and encryption, the certificates received are used for each purpose exclusively.
 

Solution

 To install a certificate into a Cisco ASA 5520 device, perform the following steps:
 
1. Download the Thawte Intermediate CA for SSL Web Server certificates: AR1384
 
2. Import the CA certificate.
 
To do so, use the crypto ca authenticate command. The following example shows a CA certificate request for the trustpoint Main:
 
hostname (config)# crypto ca authenticate Main
Enter the base 64 encoded CA certificate.
End with a blank line or the word "quit" on a line by itself
MIIDRTCCAu+gAwIBAgIQKVcqP/KW74VP0NZzL+JbRTANBgkqhkiG9w0BAQUFADCB
[ certificate data omitted ]
/7QEM8izy0EOTSErKu7Nd76jwf5e4qttkQ==
quit
INFO: Certificate has the following attributes:
Fingerprint: 24b81433 409b3fd5 e5431699 8d490d34
Do you accept this certificate? [yes/no]: y
Trustpoint CA certificate accepted.
% Certificate successfully imported
hostname (config)#
 
3. Generate a certificate request.
 
To do so, use the crypto ca enroll command. The following example shows a certificate and encryption key request for the trustpoint Main, which is configured to use manual enrollment and general-purpose RSA keys for signing and encryption:
 
hostname (config)# crypto ca enroll Main
% Start certificate enrollment .
% The fully-qualified domain name in the certificate will be: securityappliance.example.com
% Include the device serial number in the subject name? [yes/no]: n
Display Certificate Request to terminal? [yes/no]: y
Certificate Request follows:
MIIBoDCCAQkCAQAwIzEhMB8GCSqGSIb3DQEJAhYSRmVyYWxQaXguY2lzY28uY29t
[ certificate request data omitted ]
jF4waw68eOxQxVmdgMWeQ+RbIOYmvt8g6hnBTrd0GdqjjVLt
---End - This line not part of the certificate request---
Redisplay enrollment request? [yes/no]: n
hostname (config)#
 
4. For each request generated by the crypto ca enroll command, obtain a certificate from the CA represented by the applicable trustpoint. Be sure the certificate is in base-64 format.
 
If you use separate RSA keys for signing and encryption, the crypto ca enroll command displays two certificate requests, one for each key. To complete enrollment, acquire a certificate for all certificate requests generated by the crypto ca enroll command.
 
5. For each certificate you receive from the CA, use the crypto ca import certificate command. The security appliance prompts you to paste the certificate to the terminal in base-64 format.
 
If you use separate RSA key pairs for signing and encryption, perform this step for each certificate separately. The security appliance determines automatically whether the certificate is for the signing or encryption key pair. The order in which you import the two certificates is irrelevant.
 
The following example manually imports a certificate for the trustpoint Main:
 
hostname (config)# crypto ca import Main certificate
% The fully-qualified domain name in the certificate will be: securityappliance.example.com
Enter the base 64 encoded certificate.
End with a blank line or the word "quit" on a line by itself
[ certificate data omitted ]
quit
INFO: Certificate successfully imported
hostname (config)#
 
6. Verify that the enrollment process was successful using the show crypto ca certificate command. For example, to show the certificate received from trustpoint Main:
 
hostname/contexta(config)# show crypto ca certificate Main
 
The output of this command shows the details of the certificate issued for the security appliance and the CA certificate for the trustpoint.
 
7. Save the configuration using the write memory command:
 
hostname/contexta(config)# write memory
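Two points in this procedure fail silently if done carelessly: the "Do you accept this certificate?" prompt in step 2, where the fingerprint shown should be compared with the value the CA publishes before answering yes, and the base-64 paste in steps 4 and 5, where a truncated or wrapped copy is only detected when the import fails. The script below is an added example, not part of this solution article and not Cisco or Thawte code; it uses only the Python standard library. It strips PEM armor and the trailing quit from pasted text, decodes the base-64, confirms the result is one complete DER SEQUENCE (the outer shape of any X.509 certificate), prints fingerprints in the ASA's eight-character grouping, and compares them with a published value. SAMPLE_DER and SAMPLE_PASTE are constructed for the demonstration and are not a real certificate. The 32-hex-digit fingerprint in the step 2 transcript has the length of an MD5 digest, which is why MD5 is included alongside SHA-256; confirm which hash your ASA version displays.

```python
"""Pre-import checks for certificate text pasted into the ASA's crypto ca authenticate /
crypto ca import prompts. Added example using only the Python standard library."""
import base64
import binascii
import hashlib
import re
import sys
import textwrap

# Constructed sample: a minimal DER SEQUENCE (tag 0x30, two-byte length 0x0100) wrapping
# 256 arbitrary bytes. It is NOT a real X.509 certificate; it only exercises the framing checks.
SAMPLE_DER = b"\x30\x82\x01\x00" + bytes(range(256))
# What an administrator would paste: PEM armor, 64-column base-64, then "quit" as the ASA asks.
SAMPLE_PASTE = (
    "-----BEGIN CERTIFICATE-----\n"
    + "\n".join(textwrap.wrap(base64.b64encode(SAMPLE_DER).decode("ascii"), 64))
    + "\n-----END CERTIFICATE-----\nquit\n"
)


def extract_base64(text):
    """Return the DER bytes from pasted text, ignoring PEM armor, blank lines and a trailing quit.

    Raises ValueError when the body is not clean base-64 (the ASA would reject such a paste)."""
    body_lines = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("-----") or line.lower() == "quit":
            continue
        body_lines.append(line)
    try:
        return base64.b64decode("".join(body_lines), validate=True)
    except binascii.Error as exc:
        raise ValueError("pasted text is not valid base-64: %s" % exc) from exc


def der_sequence_length(der):
    """Parse the outer DER SEQUENCE header; return the total encoded length, or None if malformed."""
    if len(der) < 2 or der[0] != 0x30:
        return None
    first = der[1]
    if first < 0x80:                      # short form: length fits in one byte
        return 2 + first
    num_len_bytes = first & 0x7F          # long form: the next N bytes hold the length
    if num_len_bytes == 0 or num_len_bytes > 4 or len(der) < 2 + num_len_bytes:
        return None
    return 2 + num_len_bytes + int.from_bytes(der[2:2 + num_len_bytes], "big")


def is_complete_der(der):
    """True when the blob is exactly one DER SEQUENCE, neither truncated nor followed by junk."""
    return der_sequence_length(der) == len(der)


def fingerprints(der):
    """Digests of the DER bytes in the ASA's display style: lowercase hex in groups of eight."""
    def grouped(hexdigest):
        return " ".join(hexdigest[i:i + 8] for i in range(0, len(hexdigest), 8))
    return {
        "md5": grouped(hashlib.md5(der).hexdigest()),
        "sha1": grouped(hashlib.sha1(der).hexdigest()),
        "sha256": grouped(hashlib.sha256(der).hexdigest()),
    }


def fingerprint_matches(shown, published):
    """Compare two fingerprints ignoring case, spaces and colons (CAs publish them in varied formats)."""
    def normalise(value):
        return re.sub(r"[\s:]", "", value).lower()
    return normalise(shown) == normalise(published)


def check_paste(text, published_fingerprint=None):
    """Run every check an administrator should make before answering yes at the accept prompt.

    Returns (ok, findings); ok is False if the paste is unusable or does not match the CA's value."""
    try:
        der = extract_base64(text)
    except ValueError as exc:
        return False, [str(exc)]
    findings = []
    ok = is_complete_der(der)
    if not ok:
        findings.append("decoded bytes are not one complete DER SEQUENCE (truncated or wrong paste?)")
    fps = fingerprints(der)
    findings.append("MD5 fingerprint:     " + fps["md5"])
    findings.append("SHA-256 fingerprint: " + fps["sha256"])
    if published_fingerprint is not None:
        matched = any(fingerprint_matches(v, published_fingerprint) for v in fps.values())
        findings.append("matches published fingerprint: " + ("yes" if matched else "NO, do not accept"))
        ok = ok and matched
    return ok, findings


if __name__ == "__main__":
    # Usage: python check_paste.py [pasted.txt] [published-fingerprint]; defaults to the sample.
    pasted = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PASTE
    expected = sys.argv[2] if len(sys.argv) > 2 else None
    result, notes = check_paste(pasted, expected)
    print("OK" if result else "FAILED")
    for note in notes:
        print(" -", note)
```

Run it against a file holding the text you are about to paste, with the CA's published fingerprint as the second argument; a truncated paste or a fingerprint mismatch produces FAILED before anything reaches the trustpoint, and the same fingerprint check applies to the certificates imported in step 5.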

Please ensure that you generated a Trustpoint before you install your certificate: SO5088