This document uses an ASA 5510 that runs software version 8.0(2) and ASDM version 6.0(2) and provides instructions for generating a Certificate Signing Request (CSR) for Cisco ASA 5510. If you are unable to use these instructions for your server, Symantec recommends that you contact Cisco.
NOTE: To generate a CSR, you will need to create a key pair for your server. The public and private keys form a digital certificate key pair and cannot be separated. If you lose your public/private key file or your password and generate a new one, your SSL Certificate will no longer match.
Step 1: Generate a key pair
- Within ASDM, click Configuration > Device Management
- Click Certificate Management > Identity Certificates > Add > Add a new identity certificate
- For the Key Pair, click New > Enter new key pair name
- Enter a unique key pair name for the certificate
- Select the key size as 2048
- To complete the generation of the key pair, click Generate Now
Step 2: Generate a certificate signing request (CSR) file
- To enter certificate information, click Select
- From the drop-down list, select the following attributes > enter value > click Add
- The following fields are required:
  - Country Name (C): Use the two-letter code without punctuation for country, for example: US or CA.
  - State or Province (S): Spell out the state completely; do not abbreviate the state or province name, for example: California.
  - Locality or City (L): The Locality field is the city or town name, for example: Berkeley.
  - Organization (O): If your company or department has an &, @, or any other symbol typed with the shift key in its name, you must spell out the symbol or omit it to enroll, for example: XY & Z Corporation would be XYZ Corporation or XY and Z Corporation.
  - Organizational Unit (OU): This field is the name of the department or organizational unit making the request.
  - Common Name (CN): The Common Name is the Host + Domain Name. It looks like "www.symantec.com" or "symantec.com".
NOTE: Symantec certificates can only be used on Web servers using the Common Name specified during enrollment. For example, a certificate for the domain "symantec.com" will receive a warning if accessing a site named "www.symantec.com" or "secure.symantec.com", because "www.symantec.com" and "secure.symantec.com" are different from "symantec.com".
- Once the appropriate values are added, click OK > Advanced
- In the FQDN field, enter the FQDN that will be used to access the device from the Internet:
NOTE: If enrolling for a Subject Alternative Name certificate, leave this field blank.
- Click OK > Add Certificate > Browse
- Choose a location to save the request file
- Verify your CSR
- Proceed with Enrollment.
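The field rules in Step 2 can be checked before the values are typed into ASDM. The following is an added example, not part of the original instructions or any Cisco or Symantec tool: the function names are hypothetical, the "abbreviated state" test (two characters or fewer, or containing a period) is an assumed heuristic, and the OU value in the sample is constructed.

```python
import re

# Symbols typed with the shift key, which the Organization rule says to spell out or omit.
SHIFT_SYMBOLS = set('~!@#$%^&*()_+{}|:"<>?')
# Host + domain name: dot-separated labels ending in an alphabetic top-level label.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")
REQUIRED = ("C", "S", "L", "O", "OU", "CN")

def check_subject(attrs, key_bits):
    """Return a list of problems with the planned subject values and key size."""
    problems = [f"{f}: required field is empty"
                for f in REQUIRED if not attrs.get(f, "").strip()]
    c = attrs.get("C", "")
    if c and not re.fullmatch(r"[A-Z]{2}", c):
        problems.append("C: use the two-letter country code without punctuation")
    s = attrs.get("S", "").strip()
    if s and (len(s) <= 2 or "." in s):  # assumed heuristic for an abbreviation
        problems.append("S: spell out the state or province, do not abbreviate")
    bad = sorted(SHIFT_SYMBOLS & set(attrs.get("O", "")))
    if bad:
        problems.append(f"O: spell out or omit symbols {''.join(bad)}")
    cn = attrs.get("CN", "")
    if cn and not HOSTNAME_RE.match(cn.lower()):
        problems.append("CN: must be a host + domain name")
    if key_bits != 2048:
        problems.append(f"key size: Step 1 selects 2048, got {key_bits}")
    return problems

def cn_matches(cn, hostname):
    """Exact, case-insensitive match: the certificate covers only the enrolled Common Name."""
    return cn.strip().lower().rstrip(".") == hostname.strip().lower().rstrip(".")

if __name__ == "__main__":
    # Constructed sample using the example values from the field list above.
    planned = {"C": "US", "S": "California", "L": "Berkeley",
               "O": "XY & Z Corporation", "OU": "IT", "CN": "symantec.com"}
    for line in check_subject(planned, 2048):
        print(line)
    print("covers www.symantec.com:", cn_matches(planned["CN"], "www.symantec.com"))
```
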
Once the SSL certificate has been issued, follow the steps from this link to install it on the server: SO6496
For more information, refer to Cisco Support