Solution
This document provides instructions for generating a Certificate Signing Request (CSR) for Cisco ASA 5000 Series using Command Line. If you are unable to use these instructions for your server, Symantec recommends that you contact Cisco.
NOTE: To generate a CSR, you will need to create a key pair for your server. These two items are a digital certificate key pair and cannot be separated. If you lose your public/private key file or your password and generate a new one, your SSL Certificate will no longer match.
Step 1: Verify that the date, time, and time zone values are accurate.
- You can verify the date, time, and time zone by running the following command:
ciscoasa#show clock
For example: 11:02:20.244 UTC Thu Jul 19 2012
Step 2: Create a certificate private key
NOTE: All certificates that will expire after October 2013 must have a 2048 bit key size
- Before generating a CSR request, you must create a private key. You can do this by the following command:
ciscoasa#conf t
ciscoasa(config)#crypto key generate rsa label <key_file_name>.key modulus 2048
INFO: The name for the keys will be: <key_file_name>.key
Keypair generation process begin. Please wait...
Step 3: Create a Trustpoint
- Once the private key is created, you will then need to create a trustpoint for your key. This will allow you to generate the DN information for your new CSR. Input the following command to create your trustpoint:
ciscoasa(config)#crypto ca trustpoint <key_file_name>.trustpoint
- Provide your CSR attributes to your trustpoint:
ciscoasa(config-ca-trustpoint)#subject-name CN=www.domain.com,OU=Support,O=Company Inc.,C=US,St=California,L=Mountain View
- CN= FQDN (Full Qualified Domain Name) that will be used for connections to your firewall. For example, www.domain.com
NOTE: Symantec certificates can only be used on Web servers using the Common Name specified during enrollment.
For example, a certificate for the domain"domain.com" will receive a warning if accessing a site named "www.domain.com" or "secure.domain.com",
because "www.domain.com" and "secure.domain.com" are different from "domain.com".
- OU= Department Name. For example: Support
- O= Company Name (Avoid using Special Characters). For example, Company Inc.
- C= Country Code (2 Letter Code without Punctuation)
- St= State (Must be spelled out completely.) For example, California
- L= City
- Specify Key pair created in step 2:
ciscoasa(config-ca-trustpoint)#keypair <key_file_name>.key
- Specify the Common Name for your certificate request (Please input the FDQN specified in step 3):
ciscoasa(config-ca-trustpoint)#fqdn www.domain.com
- Specify manual enrollment:
ciscoasa(config-ca-trustpoint)#enrollment terminal
- Exit manual enrollment and initiate your certificate signing request. This is the request to be submitted to our enrollment page.
To exit the manual enrollment and initiate your certificate, input these commands:
ciscoasa(config-ca-trustpoint)#exit
ciscoasa(config)#crypto ca enroll <key_file_name>.trustpoint
NOTE: This step will initiates certificate signing request. This is the request you will be submitting to Symantec during your enrollment or renewal process.
The output will look like this example:
Start certificate enrollment ..
The subject name in the certificate will be: CN=www.domain.com,OU=Support,
O=Company Inc.,C=US,St=California,L=Mountain View
- You will now be prompted to validate the information you have submitted. The information will look like the following example:
The fully-qualified domain name in the certificate will be: www.domain.com
NOTE: Do not include the device serial number in the subject name
Include the device serial number in the subject name? [yes/no]: no
- Display your CSR file
This step will display your CSR on your terminal session. You will want to copy and paste the entire CSR file.
Make sure to include the "BEGIN CERTIFICATE REQUEST" and "END CERTIFICATE REQUEST" header and footer.
Once copied, paste this information into a text editor that does not add extra characters (Notepad or Vi are recommended).
Display Certificate Request to terminal? [yes/no]: yes
Certificate Request follows:
-----BEGIN CERTIFICATE REQUEST-----
MIICwTCCAakCAQAwfDEXMBUGA1UEAxMOd3d3LmRvbWFpbi5jb20xFTATBgNVBAoT
DENvbXBhbnkgSW5jLjEQMA4GA1UECxMHU3VwcG9ydDEWMBQGA1UEBxMNTW91bnRh
aW4gVmlldzETMBEGA1UECBMKQ2FsaWZvcm5pYTELMAkGA1UEBhMCVVMwggEiMA0G
CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC+ySPuctHzaADLUZXVCk6xlaQcGLOq
HDCtAQZ0k7M8MLGiGIjEYx2l3+tFO4QivUC9HCOWFxAkBD0rzgAUJL/b513T2iQo
oXca5dhrAJQgxO1o2LFYt9uHVdJPDpFlWrtf5W5U+K3hdzAwEmqKlsS9LX+Tm7e5
I/bOAqiTUKB39T7oc7ETy9A5PvqJVc+ZcVuj3VaAZwcKkhLnM9l5xXlyVz0YXzck
aLRFynfRrzHLoBD8uW6iOHMaaOb+krTA2OUd8Z82c9Io+UxIUid7v9q9AgMBAAGg
ADANBgkqhkiG9w0BAQQFAAOCAQEAAj9A+T/Q+5V/ufiJr+zKf8Xm3wcafCPxMIRr
2Phoas1P0AgziAwPI+xfit2s9iGoS7hQ9TCIlCIzgc9kcI4iZrRHWgXGPJcbQ01l
vScldwuua2wPm9TqEJ/YFwmbtzgRohvDq6I3/zfi//HKGkxLtX1ps/AmYlR7pRmd
jdBCObw8bKn+ytEcug9CoZwyimS9nn3AJpcJnaXgkLGOEMOhXnab5w8qHNmimPvw
icec/tsC+n4/BYZ/JvttRHlX03dI189KFrka/16OhCXY7eraOJs9eXnPycS1yZDd
fCpQitebUCCCZ3X7sHXN2L5b+n+s3rfCICTEVa/9NND4FdK8aQ==
-----END CERTIFICATE REQUEST-----
---End --- (NOTE:This line is not part of the certificate request.)
Redisplay enrollment request? [yes/no]: no
ciscoasa(config)#
- Verify your CSR
- Once the CSR has been created and validated, proceed to Enrollment.
Once the SSL certificate has been issued, follow the steps from this link to install it on the server: SO19541
Cisco
For additional information, please refer to Cisco ASA 5000 series