Managed PKI for SSL - Installation Instructions for Cisco ASA 5000 Series using the Command Line

Solution


This document provides instructions for installing an SSL certificate on the Cisco ASA 5000 Series using the command line. If you are unable to use these instructions for your server, Symantec recommends that you contact the server vendor or the organization that supports ASA.

NOTE: To install your certificates, you must have access to your Trustpoint. The Trustpoint was configured when you generated your original
Certificate Signing Request (CSR). If you no longer have the Trustpoint information, a new CSR must be generated;
see SO22573. In that case you will also need to revoke and replace your current certificate; see SO4266.
 

Step 1: Download or pick up your SSL Certificate

  1. Once your Managed PKI for SSL administrator has approved your Certificate request, you will receive an email with
    the Certificate attached (cert.cer), as well as in the body of the email itself.
  2. Copy the certificate embedded in the body of the email and paste it into a text file using Vi or Notepad.
    NOTE: Do not use Microsoft Word or other word processing programs that may add characters.
    Confirm that there are no extra lines or spaces in the file.

    The text file should look like:

    -----BEGIN CERTIFICATE-----

              [encoded data]

    -----END CERTIFICATE-----

    NOTE: To download the certificate from your Managed PKI for SSL subscriber services page, see solution SO6621.
    Select X.509 as the certificate format and copy only the End Entity Certificate.

  3. Save the certificate as public.txt


Step 2: Download the Symantec Intermediate CA Certificate

  1. Download the Intermediate CA certificate from this link: INFO657
  2. Click the Managed PKI for SSL tab, then click the appropriate link for your SSL Certificate.
    For example, if you are installing a Premium SSL Certificate, click the Premium Intermediate CA Certificate link.
    NOTE: To check which certificate type you have purchased, follow the steps from this link: SO22021
  3. Select the appropriate Intermediate CA certificate for your SSL Certificate type.
  4. Copy the Intermediate CA certificate and paste it into Notepad.
  5. Save the file as intermediate.txt


Step 3: Install Intermediate CA Certificates to your Trustpoint

  1. To open the prompt for pasting in your Intermediate certificate, run the following command:

    ciscoasa(config)#crypto ca authenticate <Trustpoint name>.Trustpoint
     
  2. You are then prompted with: "Enter the base 64 encoded CA certificate. End with the word "quit" on a line by itself".
  3. Open intermediate.txt, copy the entire content and paste it into the command line.
  4. Make sure to include the "BEGIN CERTIFICATE" and "END CERTIFICATE" header and footer.

    For example:

    Enter the base 64 encoded certificate.
    End with the word "quit" on a line by itself

    -----BEGIN CERTIFICATE-----
    [encoded data]
    -----END CERTIFICATE-----
    quit

    Manually pasted certificate into CLI.
    INFO: Certificate has the following attributes:
    Fingerprint: 32 f3 08 82 62 2b 87 cf 88 56 c6 3d b8 73 df 08 53 b4 dd 27
     
  5. Once you submit the primary intermediate, you are asked whether you would like to accept the certificate. Enter "yes":

    Do you accept this certificate? [yes/no]: yes

    The output will display as follows:

    Trustpoint <name of Trustpoint> is a subordinate CA and 
    holds a non self-signed certificate.
    Trustpoint CA certificate accepted.

    % Certificate successfully imported
    ciscoasa(config)#
    ciscoasa(config-ca-trustpoint)# exit
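
A workstation-side check for the files prepared in Steps 1 and 2 and for the "Fingerprint:" line shown in Step 3, added here as an example (it is not part of the Symantec or Cisco instructions). It flags the extra lines, spaces and word-processor characters the NOTE in Step 1 warns about, and prints a fingerprint to compare with the one the ASA displays before you answer the accept prompt. It assumes the 20-byte fingerprint is the SHA-1 digest of the DER-encoded certificate; the function names and the sample bytes are constructed for illustration.

```python
import base64
import hashlib
import re

HEAD, TAIL = "-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----"
PEM_BLOCK = re.compile(re.escape(HEAD) + "(.*?)" + re.escape(TAIL), re.S)
B64_LINE = re.compile(r"[A-Za-z0-9+/]+={0,2}")

def check_pem(text):
    """Return (der, problems); der is None when the body cannot be decoded."""
    problems = []
    if any(ord(ch) > 126 for ch in text):
        problems.append("non-ASCII characters (BOM or word-processor debris)")
    blocks = PEM_BLOCK.findall(text)
    if len(blocks) != 1:  # only one certificate belongs in each file
        problems.append(f"expected 1 certificate block, found {len(blocks)}")
        return None, problems
    if PEM_BLOCK.sub("", text).strip("\ufeff\r\n"):
        problems.append("text or spaces outside the BEGIN/END lines")
    first, *body = blocks[0].splitlines() or [""]
    if first or not body or not all(B64_LINE.fullmatch(ln) for ln in body):
        problems.append("blank line, space or stray character in the body")
        return None, problems
    try:
        der = base64.b64decode("".join(body), validate=True)
    except ValueError:  # binascii.Error is a ValueError
        problems.append("body is not valid base64")
        return None, problems
    return der, problems

def sha1_fingerprint(der):
    """Hex pairs of SHA-1(DER); assumed to match the ASA's 20-byte Fingerprint."""
    digest = hashlib.sha1(der).hexdigest()
    return " ".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def to_pem(der):
    """Wrap DER bytes as PEM, 64 characters per line (builds the sample)."""
    b64 = base64.b64encode(der).decode()
    rows = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join([HEAD, *rows, TAIL, ""])

SAMPLE_DER = bytes(range(68))  # constructed bytes, not a real certificate
CLEAN = to_pem(SAMPLE_DER)
PASTED_FROM_WORD = "\ufeff" + CLEAN.replace("\n", " \n\n", 2)  # BOM, spaces, blank lines

if __name__ == "__main__":
    for text in (CLEAN, PASTED_FROM_WORD):
        der, problems = check_pem(text)
        print(problems or sha1_fingerprint(der))
```

To use it on your own files, pass the contents of intermediate.txt or public.txt to check_pem() and compare the sha1_fingerprint() result with the console output.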

Step 4: Install the SSL Certificate

  1. To open the prompt for installing your new certificate, run the following command:

    ciscoasa(config)#crypto ca import <Trustpoint name>.Trustpoint certificate
     
  2. You are then prompted with: "Enter the base 64 encoded CA certificate. End with the word "quit" on a line by itself".
  3. Open the certificate file you created in Step 1 (saved there as public.txt), copy the entire contents and paste them into the command line.
  4. Make sure to include the "BEGIN CERTIFICATE" and "END CERTIFICATE" header and footer.
    NOTE: Do not copy and paste the certificate text below. It is only an example of what the SSL certificate text looks like.


    The fully-qualified domain name in the certificate will be: <common name of your certificate>
    Enter the base 64 encoded certificate.
    End with the word "quit" on a line by itself

    -----BEGIN CERTIFICATE-----
    [encoded data]
    -----END CERTIFICATE-----
    quit

    INFO: Certificate successfully imported
    ciscoasa(config)#


Step 5: Define the Trustpoint that will supply the SSL certificate for the defined interface.

  1. To use the updated Trustpoint, run the following commands:

    ciscoasa(config)#ssl trust-point <Trustpoint name>.Trustpoint outside
    ciscoasa(config)#wr mem

    Building configuration...
    Cryptochecksum: 694687a1 f75042af ccc6addf 34d2cb08
    8808 bytes copied in 3.630 secs (2936 bytes/sec)
    [OK]
    ciscoasa(config)#


Step 6: Verify Certificate and Certificate Chain

  1. To verify your certificate chain and see all the certificates you have just installed, run the following command:

    ciscoasa(config)#show crypto ca certificates
     
  2. Verify your installation with the Symantec Installation Checker.


Cisco

         This information was taken from the following Cisco documentation: Document ID: 98596