Certificate Signing Request (CSR) Generation Instructions for Cisco ASA 5000 Series using Command Line

Solution ID:    SO22589    Updated:    07/27/2016


This document provides instructions for generating a Certificate Signing Request (CSR) for Cisco ASA 5000 Series using Command Line. If these instructions can not be used for the server, RapidSSL recommends contacting Cisco.

Step 1: Verify that the date, time, and time zone values are accurate.

  1. Verify the date, time, and time zone by running the following command:

    ciscoasa#show clock

Step 2: Create a certificate private key

           NOTE: As of 1/12016 all public certificates must be issued as SHA-256 with a 2048-bit key.

  1. Before generating a CSR request, you must create a private key. You can do this by the following command:

    ciscoasa#conf t
    crypto key generate rsa label [key file name] modulus 2048

Step 3: Create a Trustpoint

  1. Once the private key is created, you will then need to create a trustpoint for your key. This will allow you to generate the DN information for your new CSR. Input the following command to create your trustpoint:

    ciscoasa(config)#crypto ca trustpoint [key file name].trustpoint

  2. Provide your CSR attributes to the trustpoint:

    ciscoasa(config-ca-trustpoint)#subject-name CN=[common name],OU=[department],O=[organization],C=[country],St=[state],L=[city]

    - CN = Common Name:  This is the FQDN (Full Qualified Domain Name) that will be used for connections to your firewall. Example, www.bbtest.net
    - OU = Department Name. For example: Support
    - O = Company Name (Avoid using Special Characters). For example, RapidSSL
    - C = Country, use the 2 letter ISO code.  For example, US
    - St = State,spelled out completely.  For example, California
    - L = Locality or city spelled in full.  For example, Mountain View
  3. Specify the private key created in Step 2.1

    ciscoasa(config-ca-trustpoint)#keypair [private key file]

    Specify the Common Name for your certificate request (Please input the CN specified in Step 3.2):

    ciscoasa(config-ca-trustpoint)#fqdn [common name]
  4. Specify manual enrollment:

     ciscoasa(config-ca-trustpoint)#enrollment terminal
  5. Exit manual enrollment and initiate your certificate signing request.  This is the request to be submitted to our enrollment page.  To exit the manual enrollment and initiate your certificate, input these commands:

    ciscoasa(config)#crypto ca enroll [private key].trustpoint

  6.  The output will look like this example:

    Start certificate enrollment ..
    The subject name in the certificate will be: CN=www.bbtest.net,OU=Support, O=RapidSSL,C=US,St=California,L=Mountain View

  7. You will now be prompted to validate the information you have submitted. The information will look like the following example:

    The fully-qualified domain name in the certificate will be: www.bbtest.net

    NOTE:  Do not include the device serial number in the subject name

    Include the device serial number in the subject name? [yes/no]: no
  8. Display your CSR file.  This step will display your CSR on your terminal session. You will want to copy and paste the entire CSR file. Make sure to include the "----- BEGIN CERTIFICATE REQUEST -----" and "----- END CERTIFICATE REQUEST -----" header and footer.
  9. Once copied, paste this information into a text editor that does not add extra characters (Notepad or Vi are recommended).  

    Display Certificate Request to terminal? [yes/no]: yes


    --- End --- (NOTE:This line is not part of the certificate request.)

    Redisplay enrollment request? [yes/no]: no



  10. Once the CSR has been created, proceed to Enrollment.

Once the SSL certificate has been issued, refer to this link for installation instructions.


            For additional information, please refer to Cisco ASA 5000 series


RapidSSL has made efforts to ensure the accuracy and completeness of the information in this document. However, RapidSSL makes no warranties of any kind (whether express, implied or statutory) with respect to the information contained herein. RapidSSL assumes no liability to any party for any loss or damage (whether direct or indirect) caused by any errors, omissions, or statements of any kind contained in this document.  Further, RapidSSL assumes no liability arising from the application or use of the product or service described herein and specifically disclaims any representation that the products or services described herein do not infringe upon any existing or future intellectual property rights. Nothing herein grants the reader any license to make, use, or sell equipment or products constructed in accordance with this document. Finally, all rights and privileges related to any intellectual property right described herein are vested in the patent, trademark, or service mark owner, and no other person may exercise such rights without express permission, authority, or license secured from the patent, trademark, or service mark owner. RapidSSL reserves the right to make changes to any information herein without further notice.

Contact Support

US Support:

Order Processing

Technical Support

European Support:

Order Processing

Technical Support

SSL digital certificates sales live chat.

Find Answers

Search Tips