Ask a Question

Advanced Search

Solution ID : SO22573

Last Modified : 05/21/2018

Managed PKI for SSL - Certificate Signing Request (CSR) Generation Instructions for Cisco ASA 5000 Series using Command Line


This document provides instructions for generating a Certificate Signing Request (CSR) for Cisco ASA 5000 Series using Command Line. If you are unable to use these instructions for your server, Symantec recommends that you contact Cisco.
To generate a CSR, you will need to create a key pair for your server. These two items are a digital certificate key pair and cannot be separated. If you lose your public/private key file or your password and generate a new one, your SSL Certificate will no longer match.

Step 1: Verify that the date, time, and time zone values are accurate.

  1. You can verify the date, time, and time zone by running the following command:

    ciscoasa#show clock

    For example: 11:02:20.244 UTC Thu Jul 19 2012

Step 2: Create a certificate private key

NOTE: All certificates that will expire after October 2013 must have a minimum 2048 bit key size

  1. Before generating a CSR request, you must create a private key. You can do this by the following command:

    ciscoasa#conf t
    ciscoasa(config)#crypto key generate rsa label <key_file_name>.key modulus 2048
    INFO: The name for the keys will be: <key_file_name>.key
    Keypair generation process begin. Please wait...

Step 3: Create a Trustpoint

  1. Once the private key is created, you will then need to create a trustpoint for your key. This will allow you to generate the DN information for your new CSR. Input the following command to create your trustpoint:

    ciscoasa(config)#crypto ca trustpoint <key_file_name>.trustpoint
  2. Provide your CSR attributes to your trustpoint:

    ciscoasa(config-ca-trustpoint)#subject-name,OU=Support,O=Symantec Corporation,C=US,ST=California,L=Mountain View
    • CN= Common Name - The fully-qualified domain name to which your certificate will be issued.
    • OU= Organizational Unit - Use this field to differentiate between divisions within an organization.
    • O= Organization - The full legal name of your company.
    • C= Country Code Enter the two-character abbreviation of country in which organization resides (e.g. US).
    • ST= State - Enter the full name of your state or province.
      Note: Make sure the State or Province is not abbreviated (e.g. California).
    • L= Locality - Usually the city of your organization's main office, or a main office for your organization.
  3. Specify Key pair created in step 2:

    ciscoasa(config-ca-trustpoint)#keypair <key_file_name>.key
  4. Specify the Common Name for your certificate request (Please input the FDQN specified in step 3):

  5. Specify manual enrollment:

    ciscoasa(config-ca-trustpoint)#enrollment terminal
  6. Exit manual enrollment and initiate your certificate signing request. This is the request to be submitted to our enrollment page.

    To exit the manual enrollment and initiate your certificate, input these commands:

    ciscoasa(config)#crypto ca enroll <key_file_name>.trustpoint

    NOTE: This step will initiates certificate signing request. This is the request you will be submitting to Symantec during your enrollment or renewal process.

    The output will look like this example:

    Start certificate enrollment ..
    The subject name in the certificate will be:,OU=Support,
    O=Symantec Corporation,C=US,St=California,L=Mountain View

  7. You will now be prompted to validate the information you have submitted. The information will look like the following example:

    The fully-qualified domain name in the certificate will be:

    NOTE:  Do not include the device serial number in the subject name
    Include the device serial number in the subject name? [yes/no]: no
  8. Display your CSR file.

    This step will display your CSR on your terminal session. You will want to copy and paste the entire CSR file.
    Make sure to include the "BEGIN CERTIFICATE REQUEST" and "END CERTIFICATE REQUEST" header and footer.
    Once copied, paste this information into a text editor that does not add extra characters (Notepad or Vi are recommended).  

    Display Certificate Request to terminal? [yes/no]: yes

    Redisplay enrollment request? [yes/no]: no

  9. Verify your CSR with the Symantec CryptoReport
  10. Once the CSR has been created and validated, proceed with the Enrolment from Managed PKI for SSL Control Center and paste the CSR in the required field.

Once the SSL certificate has been issued, follow the steps from this link to install it on the server.


          For additional information, please refer to Cisco ASA 5000 series