Solution ID : SO15226

Last Modified : 05/02/2018

Install a QuickSSL certificate on Cisco ASA 5520

Problem

How do I install a QuickSSL certificate on Cisco ASA 5520?
How do I install a GeoTrust Trial certificate on Cisco ASA 5520?
How do I install a QuickSSL Premium certificate on Cisco ASA 5520?

Solution

To install a certificate into a Cisco ASA 5520 device, perform the following steps:
 
  1. Download the GeoTrust DV CA from the following solution: INFO1421
  2. Import the CA certificate.
    To do so, use the crypto ca authenticate command. The following example shows a CA certificate request for the trustpoint Main:

    hostname (config)# crypto ca authenticate Main
    Enter the base 64 encoded CA certificate.
    End with a blank line or the word "quit" on a line by itself
    MIIDRTCCAu+gAwIBAgIQKVcqP/KW74VP0NZzL+JbRTANBgkqhkiG9w0BAQUFADCB
    [ certificate data omitted ]
    /7QEM8izy0EOTSErKu7Nd76jwf5e4qttkQ==
    quit
    INFO: Certificate has the following attributes:  Fingerprint: 24b81433 409b3fd5 e5431699 8d490d34
    Do you accept this certificate? [yes/no]: y
    Trustpoint CA certificate accepted.
    % Certificate successfully imported
    hostname (config)#

  3. Generate a certificate request.
    To do so, use the crypto ca enroll command. The following example shows a certificate and encryption key request for the trustpoint Main, which is configured to use manual enrollment and general-purpose RSA keys for signing and encryption:

    hostname (config)# crypto ca enroll Main
    % Start certificate enrollment .
    % The fully-qualified domain name in the certificate will be: securityappliance.geotrust.com
    % Include the device serial number in the subject name? [yes/no]: n
    Display Certificate Request to terminal? [yes/no]: y
    Certificate Request follows:
    MIIBoDCCAQkCAQAwIzEhMB8GCSqGSIb3DQEJAhYSRmVyYWxQaXguY2lzY28uY29t
    [ certificate request data omitted ]
    jF4waw68eOxQxVmdgMWeQ+RbIOYmvt8g6hnBTrd0GdqjjVLt
    ---End - This line not part of the certificate request---
    Redisplay enrollment request? [yes/no]: n
    hostname (config)#

  4. For each request generated by the crypto ca enroll command, obtain a certificate from the CA represented by the applicable trustpoint. Be sure the certificate is in base-64 format.
  5. For each certificate you receive from the CA, use the crypto ca import certificate command. The security appliance prompts you to paste the certificate to the terminal in base-64 format.
  6. Verify that the enrollment process was successful using the show crypto ca certificate command. For example, to show the certificate received from trustpoint Main:

    hostname/contexta(config)# show crypto ca certificate Main

    The output of this command shows the details of the certificate issued for the security appliance and the CA certificate for the trustpoint.

  7. Save the configuration using the write memory command:

    hostname/contexta(config)# write memory
     
Note on steps 3 and 4: If you use separate RSA keys for signing and encryption, the crypto ca enroll command displays two certificate requests, one for each key. To complete enrollment, acquire a certificate for all certificate requests generated by the crypto ca enroll command.

Note on step 5: If you use separate RSA key pairs for signing and encryption, perform the import for each certificate separately. The security appliance determines automatically whether the certificate is for the signing or encryption key pair. The order in which you import the two certificates is irrelevant.

The following example manually imports a certificate for the trustpoint Main:

    hostname (config)# crypto ca import Main certificate
    % The fully-qualified domain name in the certificate will be: securityappliance.geotrust.com
    Enter the base 64 encoded certificate.
    End with a blank line or the word "quit" on a line by itself
    [ certificate data omitted ]
    quit
    INFO: Certificate successfully imported
    hostname (config)#
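
Before answering the "Do you accept this certificate?" prompt in step 2, the fingerprint the appliance prints can be compared with one computed from the downloaded CA file on a workstation. The following is an added example, not part of the original solution or of Cisco's or GeoTrust's tooling. It assumes the 32-hex-digit fingerprint is an MD5 digest over the certificate's DER encoding (the length is consistent with that), and the sample PEM is constructed placeholder data.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def pem_to_der(pem_text):
    """Return the DER bytes of the single certificate in pem_text."""
    blocks = PEM_RE.findall(pem_text)
    if len(blocks) != 1:
        # A bundle with several certificates would make the comparison ambiguous.
        raise ValueError("expected exactly one certificate, found %d" % len(blocks))
    body = "".join(blocks[0].split())  # drop line breaks and stray blank lines
    return base64.b64decode(body, validate=True)

def group8(hexdigest):
    """Format a hex digest in the 8-digit groups shown in the step 2 output."""
    return " ".join(hexdigest[i:i + 8] for i in range(0, len(hexdigest), 8))

def fingerprint(pem_text, algorithm="md5"):
    # Assumption: the displayed fingerprint is a digest over the DER encoding.
    return group8(hashlib.new(algorithm, pem_to_der(pem_text)).hexdigest())

def normalize(displayed):
    """Keep lower-case hex digits only, so spaces, colons and case do not matter."""
    return re.sub(r"[^0-9a-f]", "", displayed.lower())

def fingerprint_matches(pem_text, displayed, algorithm="md5"):
    return normalize(fingerprint(pem_text, algorithm)) == normalize(displayed)

# Constructed sample: placeholder bytes wrapped as PEM, not a real certificate.
SAMPLE_DER = b"constructed placeholder, not a real DER certificate" * 4
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER).decode("ascii")
              + "-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    local = fingerprint(SAMPLE_PEM)
    print("local fingerprint:", local)
    print("match:", fingerprint_matches(SAMPLE_PEM, local.upper().replace(" ", ":")))
```

Answer "yes" at the prompt only when the value computed from the file obtained in step 1 equals the one the appliance displays.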