Solution ID : SO22588

Installation Instructions for Cisco ASA 5000 Series using the Command Line

Solution


This document provides installation instructions for Cisco ASA 5000 Series using the Command Line. If you are unable to use these instructions for your server, RapidSSL recommends that you contact the server vendor or the organization that supports ASA.

NOTE: To install your certificates, you must access your Trustpoint. The Trustpoint was configured when you
generated your original Certificate Signing Request (CSR). If the Trustpoint information is lost or no longer
available, a new CSR must be generated; see SO22589. In that case you will also need to
reissue the certificate by following the steps in SO5757.
 

Step 1: Obtain your SSL Certificate

    1.    The RapidSSL certificate will be sent by email.
    2.    Copy the certificate embedded in the body of the email and paste it into a text file
           using Vi or Notepad.

           The text file should look like:

           -----BEGIN CERTIFICATE-----

                      [encoded data]

           -----END CERTIFICATE-----

    3.    Make sure there are 5 dashes to either side of the BEGIN CERTIFICATE and
           END CERTIFICATE and that no white spaces, extra line breaks or additional characters
           have been inadvertently added.

           NOTE: The certificate can be downloaded from RapidSSL User Portal by
           following the steps from this link: SO16222
           Please select X.509 as a certificate format and copy only the End Entity Certificate.
 
    4.    Save the file as SSLCert.txt


Step 2: Download the RapidSSL Intermediate CA Certificate


    1.    Download the Intermediate CA certificate according to your SSL product from this link: AR1548
    2.    Copy and paste the Intermediate CA certificate to a text editor that does not add
           extra characters (Notepad or Vi are recommended).
    3.    Save this file as: intermediate_ca.txt.
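
The formatting rules from Step 1 (exactly five dashes, no stray white space, no extra line breaks or characters, only one certificate in the file) can be checked on SSLCert.txt and intermediate_ca.txt before anything is pasted into the ASA prompt. The following Python check is an added example, not part of the RapidSSL or Cisco instructions; the function names are hypothetical and SAMPLE is a constructed stand-in, not a real certificate.

```python
import base64
import re

BEGIN, END = "-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----"
MARKER = re.compile(r"^-+\s*(BEGIN|END) CERTIFICATE\s*-+$")

def der_complete(der):
    """True if der is exactly one ASN.1 SEQUENCE; a dropped or cut line fails this."""
    if len(der) < 2 or der[0] != 0x30 or der[1] == 0x80:
        return False
    n = der[1] & 0x7F if der[1] > 0x80 else 0      # long form: n length bytes follow
    length = int.from_bytes(der[2:2 + n], "big") if n else der[1]
    return len(der) == 2 + n + length

def lint_pem(text):
    """Return the problems found in the contents of a saved certificate file."""
    problems, body, state = [], [], "before"
    for no, raw in enumerate(text.lstrip("\ufeff").splitlines(), 1):
        line = raw.strip()
        if raw != line:
            problems.append(f"line {no}: leading or trailing white space")
        if m := MARKER.match(line):
            if line not in (BEGIN, END):
                problems.append(f"line {no}: marker is not exactly {BEGIN} / {END}")
            if m.group(1) == "BEGIN" and state != "before":
                problems.append(f"line {no}: more than one certificate in the file")
            state = "inside" if m.group(1) == "BEGIN" else "after"
        elif state != "inside":
            if line:                                # blank lines outside are ignored
                problems.append(f"line {no}: text outside the BEGIN/END lines")
        elif not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", line):
            problems.append(f"line {no}: blank line or non-base64 characters")
        else:
            body.append(line)
    if state != "after":
        problems.append("BEGIN or END CERTIFICATE line is missing")
    elif not problems:                              # only decode a cleanly formatted file
        try:
            der = base64.b64decode("".join(body), validate=True)
        except ValueError:
            der = b""
        if not der_complete(der):
            problems.append("decoded data is incomplete (a line was dropped or cut)")
    return problems

# Constructed stand-in: a zero-filled 256-byte DER SEQUENCE, not a real certificate.
B64 = base64.b64encode(b"\x30\x82\x01\x00" + bytes(256)).decode()
SAMPLE = "\n".join([BEGIN, *(B64[i:i + 64] for i in range(0, len(B64), 64)), END]) + "\n"
```

An empty list from `lint_pem(open("SSLCert.txt", encoding="utf-8").read())` means the file passed these formatting checks; it does not validate the certificate's signature or chain.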


Step 3: Install Intermediate CA Certificate to your Trustpoint

    1.    To initiate the prompt for pasting in your Intermediate certificate file, run the following command:

           ciscoasa(config)#crypto ca authenticate <Trustpoint name>.Trustpoint

    2.    You are then prompted with: "Enter the base 64 encoded CA certificate.
           End with the word "quit" on a line by itself".
    3.    Open intermediate_ca.txt, copy the entire content and paste it into the command line.
    4.    Make sure to include the "BEGIN CERTIFICATE" and "END CERTIFICATE" header and footer.

            For example:

           Enter the base 64 encoded certificate.
           End with the word "quit" on a line by itself

           -----BEGIN CERTIFICATE-----
           [encoded data]
           -----END CERTIFICATE-----
           quit

          
    5.    Once you submit the intermediate certificate, you will be asked whether you want to
           accept it. Enter "yes":

           Do you accept this certificate? [yes/no]: yes

           The output will display as follows:

           Trustpoint <name of Trustpoint> is a subordinate CA and 
           holds a non self-signed certificate.
           Trustpoint CA certificate accepted.

           % Certificate successfully imported
           ciscoasa(config)#
           ciscoasa(config-ca-trustpoint)# exit

  

Step 4: Install the SSL Certificate

    1.    To initiate the prompt to install your new certificate, run the following command:

           ciscoasa(config)#crypto ca import <Trustpoint name>.Trustpoint certificate

    2.    You are then prompted with: "Enter the base 64 encoded CA certificate. 
           End with the word "quit" on a line by itself".
    3.    Open the file you created in Step 1, SSLCert.txt, copy the entire contents and
           paste them into the command line. Make sure to include the
           "BEGIN CERTIFICATE" and "END CERTIFICATE" header and footer.
           NOTE: Please do not copy/paste the actual certificate text below.
           This is just an example of what the SSL certificate text would look like.


           The fully-qualified domain name in the certificate will be: <common name of your certificate>
           Enter the base 64 encoded certificate.
           End with the word "quit" on a line by itself

            -----BEGIN CERTIFICATE-----
            [encoded data]
            -----END CERTIFICATE-----
            quit

           INFO: Certificate successfully imported
           ciscoasa(config)#


Step 5: Define the Trustpoint that will supply the SSL certificate for the defined interface.

    1.    To use the updated Trustpoint, run the following commands:

           ciscoasa(config)#ssl trust-point <Trustpoint name>.Trustpoint outside
           ciscoasa(config)#wr mem

           Building configuration...
           Cryptochecksum: 694687a1 f75042af ccc6addf 34d2cb08
           8808 bytes copied in 3.630 secs (2936 bytes/sec)
           [OK]
           ciscoasa(config)#


Step 6: Verify Certificate and Certificate Chain

    1.    To verify your certificate chain and see all the certificates you have just installed,
            enter the following command:

            ciscoasa(config)#show crypto ca certificates

    2.    To verify the SSL certificate installation, use the RapidSSL Installation Checker.


Cisco

           This information was taken from the following Cisco documentation: Document ID: 98596