Ask a Question

Solution ID : SO19506

  • WSS

Certificate Signing Request (CSR) Generation Instructions for Cisco ASA 5000 Series using Command Line

Solution


This document provides instructions for generating a Certificate Signing Request (CSR) for Cisco ASA 5000 Series using Command Line. If you are unable to use these instructions for your server, Symantec recommends that you contact Cisco.
 
NOTE: To generate a CSR, you will need to create a key pair for your server. These two items are a digital certificate key pair and cannot be separated. If you lose your public/private key file or your password and generate a new one, your SSL Certificate will no longer match.
 

Step 1: Verify that the date, time, and time zone values are accurate.

  1. You can verify the date, time, and time zone by running the following command:

    ciscoasa#show clock

    For example: 11:02:20.244 UTC Thu Jul 19 2012


Step 2: Create a certificate private key

NOTE: All certificates that will expire after October 2013 must have a 2048 bit key size

  1. Before generating a CSR request, you must create a private key. You can do this by the following command:

    ciscoasa#conf t
    ciscoasa(config)#crypto key generate rsa label <key_file_name>.key modulus 2048
    INFO: The name for the keys will be: <key_file_name>.key
    Keypair generation process begin. Please wait...


Step 3: Create a Trustpoint

  1. Once the private key is created, you will then need to create a trustpoint for your key. This will allow you to generate the DN information for your new CSR. Input the following command to create your trustpoint:

    ciscoasa(config)#crypto ca trustpoint <key_file_name>.trustpoint
     
  2. Provide your CSR attributes to  your trustpoint:

    ciscoasa(config-ca-trustpoint)#subject-name CN=www.domain.com,OU=Support,O=Company Inc.,C=US,St=California,L=Mountain View
     
    • CN= FQDN (Full Qualified Domain Name) that will be used for connections to your firewall. For example, www.domain.com
      NOTE: Symantec certificates can only be used on Web servers using the Common Name specified during enrollment.
      For example, a certificate for the domain"domain.com" will receive a warning if accessing a site named "www.domain.com" or "secure.domain.com",
      because "www.domain.com" and "secure.domain.com" are different from "domain.com".
    • OU= Department Name. For example: Support
    • O= Company Name (Avoid using Special Characters). For example, Company Inc.
    • C= Country Code (2 Letter Code without Punctuation)
    • St= State (Must be spelled out completely.) For example, California
    • L= City

       
  3. Specify Key pair created in step 2:

    ciscoasa(config-ca-trustpoint)#keypair <key_file_name>.key
     
  4. Specify the Common Name for your certificate request (Please input the FDQN specified in step 3):

    ciscoasa(config-ca-trustpoint)#fqdn www.domain.com 
     
  5. Specify manual enrollment:

    ciscoasa(config-ca-trustpoint)#enrollment terminal
     
  6. Exit manual enrollment and initiate your certificate signing request. This is the request to be submitted to our enrollment page.

    To exit the manual enrollment and initiate your certificate, input these commands:

    ciscoasa(config-ca-trustpoint)#exit
    ciscoasa(config)#crypto ca enroll <key_file_name>.trustpoint

    NOTE: This step will initiates certificate signing request. This is the request you will be submitting to Symantec during your enrollment or renewal process.

    The output will look like this example:

    Start certificate enrollment ..
    The subject name in the certificate will be: CN=www.domain.com,OU=Support,
    O=Company Inc.,C=US,St=California,L=Mountain View
     
  7. You will now be prompted to validate the information you have submitted. The information will look like the following example:

    The fully-qualified domain name in the certificate will be: www.domain.com

    NOTE:  Do not include the device serial number in the subject name
    Include the device serial number in the subject name? [yes/no]: no
     
  8. Display your CSR file

    This step will display your CSR on your terminal session. You will want to copy and paste the entire CSR file.
    Make sure to include the "BEGIN CERTIFICATE REQUEST" and "END CERTIFICATE REQUEST" header and footer.
    Once copied, paste this information into a text editor that does not add extra characters (Notepad or Vi are recommended).  

    Display Certificate Request to terminal? [yes/no]: yes

    Certificate Request follows:

    -----BEGIN CERTIFICATE REQUEST-----
    MIICwTCCAakCAQAwfDEXMBUGA1UEAxMOd3d3LmRvbWFpbi5jb20xFTATBgNVBAoT
    DENvbXBhbnkgSW5jLjEQMA4GA1UECxMHU3VwcG9ydDEWMBQGA1UEBxMNTW91bnRh
    aW4gVmlldzETMBEGA1UECBMKQ2FsaWZvcm5pYTELMAkGA1UEBhMCVVMwggEiMA0G
    CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC+ySPuctHzaADLUZXVCk6xlaQcGLOq
    HDCtAQZ0k7M8MLGiGIjEYx2l3+tFO4QivUC9HCOWFxAkBD0rzgAUJL/b513T2iQo
    oXca5dhrAJQgxO1o2LFYt9uHVdJPDpFlWrtf5W5U+K3hdzAwEmqKlsS9LX+Tm7e5
    I/bOAqiTUKB39T7oc7ETy9A5PvqJVc+ZcVuj3VaAZwcKkhLnM9l5xXlyVz0YXzck
    aLRFynfRrzHLoBD8uW6iOHMaaOb+krTA2OUd8Z82c9Io+UxIUid7v9q9AgMBAAGg
    ADANBgkqhkiG9w0BAQQFAAOCAQEAAj9A+T/Q+5V/ufiJr+zKf8Xm3wcafCPxMIRr
    2Phoas1P0AgziAwPI+xfit2s9iGoS7hQ9TCIlCIzgc9kcI4iZrRHWgXGPJcbQ01l
    vScldwuua2wPm9TqEJ/YFwmbtzgRohvDq6I3/zfi//HKGkxLtX1ps/AmYlR7pRmd
    jdBCObw8bKn+ytEcug9CoZwyimS9nn3AJpcJnaXgkLGOEMOhXnab5w8qHNmimPvw
    icec/tsC+n4/BYZ/JvttRHlX03dI189KFrka/16OhCXY7eraOJs9eXnPycS1yZDd
    fCpQitebUCCCZ3X7sHXN2L5b+n+s3rfCICTEVa/9NND4FdK8aQ==
    -----END CERTIFICATE REQUEST-----


    ---End --- (NOTE:This line is not part of the certificate request.)

    Redisplay enrollment request? [yes/no]: no
    ciscoasa(config)# 
     
  9. Verify your CSR
     
  10. Once the CSR has been created and validated, proceed to Enrollment.


Once the SSL certificate has been issued, follow the steps from this link to install it on the server: SO19541


Cisco

          For additional information, please refer to Cisco ASA 5000 series