
Managed PKI for SSL - Installation Instruction for Cisco ASA 5520

Solution

To install a certificate into a Cisco ASA 5520 device, perform the following steps:

Step 1: Obtain Symantec Intermediate CA Certificate
 
  1. Download the Intermediate CA certificate from this link: INFO657
     
  2. Click the Managed PKI for SSL tab, then click the appropriate link for your SSL Certificate.
    For example, if you are installing a Premium SSL Certificate, click the Premium Intermediate CA Certificate link.
    NOTE: If you are not sure which certificate you have purchased, follow the steps from this link: SO22021

     
  3. Copy the Intermediate CA certificate and paste it into Notepad.

  4. Make sure there are 5 dashes to either side of the BEGIN CERTIFICATE and END CERTIFICATE and that no white spaces, extra line breaks or additional characters have been inadvertently added.

  5. Save the file as intermediate.crt

  6. Open Cisco ASDM. On the Configuration tab, in the Remote Access VPN pane, expand Certificate Management and click CA Certificates.


     
  7. Click the Add button.

  8. Assign a Trustpoint Name to the certificate (e.g. intermediate.crt), then select the Install from a file: radio button and browse to intermediate.crt. Click Install Certificate.



    You should then see the Certificate listed with the Trustpoint Name you assigned to it.

 
Step 2: Obtain and Install your SSL certificate
 
  1. Once your Managed PKI for SSL administrator has approved your Certificate request, you will receive an email with
    the Certificate attached (cert.cer), as well as in the body of the email itself.
     
  2. Copy the certificate embedded in the body of the email and paste it into a text file using Vi or Notepad.
    NOTE: Do not use Microsoft Word or other word processing programs that may add characters.
    Confirm that there are no extra lines or spaces in the file.

    The text file should look like:

    -----BEGIN CERTIFICATE-----

              [encoded data]

    -----END CERTIFICATE-----

    NOTE: To download the certificate from your Managed PKI for SSL subscriber services page, see solution SO6621.
    Please select X.509 as a certificate format and copy only the End Entity Certificate.
     
  3. To follow the naming convention for Cisco, rename the certificate filename with the .crt extension.
    For example: public.crt

  4. Under Remote Access VPN, expand Certificate Management > Identity Certificates.

    Select the identity you created for the CSR with the Expiry Date shown as pending and click Install, select yourdomain_com.crt and click Install Certificate. Once installed the Expiry Date will no longer show 'Pending.'




     

  5. The certificate now needs to be enabled. On the lower left, click Advanced > SSL Settings. Then, select the interface you want SSL enabled for and click Edit.




     

  6. On the next screen, click the drop-down menu and for Primary Enrolled Certificate select your certificate then click OK.


     

  7. The ASDM will then show your certificate details under trustpoint.

  8. Verify your installation with the Symantec Installation Checker.
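
The formatting checks in Step 1 item 4 and Step 2 item 2 (5 dashes on each side of the markers, no stray white space, blank lines or extra characters, a single end-entity certificate) can be run on the saved file before importing it in ASDM. This Python sketch is an added example, not part of the original instructions; the helper name check_pem and the sample data are assumptions constructed for illustration.

```python
import base64
import re

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"

# Constructed sample: a tiny DER SEQUENCE, not a real certificate.
SAMPLE = f"{BEGIN}\n{base64.b64encode(bytes([0x30, 3, 2, 1, 1])).decode()}\n{END}\n"


def check_pem(text):
    """Return a list of problems in a pasted PEM file (hypothetical helper)."""
    problems = []
    if text.startswith("\ufeff"):
        problems.append("file starts with a byte-order mark")
        text = text[1:]
    lines = text.replace("\r\n", "\n").split("\n")
    if lines and lines[-1] == "":
        lines.pop()  # a single final newline is normal
    for n, line in enumerate(lines, 1):
        if line == "":
            problems.append(f"line {n}: blank line")
        elif line != line.strip():
            problems.append(f"line {n}: leading or trailing white space")
        if "CERTIFICATE" in line and line.strip() not in (BEGIN, END):
            problems.append(f"line {n}: marker needs exactly 5 dashes on each side")
    stripped = [l.strip() for l in lines if l.strip()]
    if stripped.count(BEGIN) != 1 or stripped.count(END) != 1:
        # Also catches a pasted chain when only the end-entity cert is wanted.
        problems.append("expected exactly one BEGIN/END CERTIFICATE pair")
        return problems
    if stripped[0] != BEGIN or stripped[-1] != END:
        problems.append("text found outside the BEGIN/END lines")
    body = stripped[stripped.index(BEGIN) + 1:stripped.index(END)]
    if not all(re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", l) for l in body):
        problems.append("body contains characters that are not base64")
        return problems
    try:
        der = base64.b64decode("".join(body), validate=True)
    except ValueError:
        problems.append("body does not decode as base64")
        return problems
    if not der.startswith(b"\x30"):
        problems.append("decoded data is not a DER SEQUENCE")
    return problems


if __name__ == "__main__":
    print(check_pem(SAMPLE) or "no problems found")
```

An empty list means the file passed these text-level checks only; it does not validate the certificate's contents or chain.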

 

Cisco ASA 5520

          For more information, see the Cisco Support website.