Certificate Signing Request (CSR) Generation Instructions for Cisco ASA 5000 Series using Command Line

Solution ID:    SO22589    Updated:    07/27/2016

Solution


This document provides instructions for generating a Certificate Signing Request (CSR) for the Cisco ASA 5000 Series using the command line. If these instructions cannot be used for the server, RapidSSL recommends contacting Cisco.
 

Step 1: Verify that the date, time, and time zone values are accurate.

  1. Verify the date, time, and time zone by running the following command:

    ciscoasa#show clock


Step 2: Create a certificate private key

    NOTE: As of 1/1/2016 all public certificates must be issued as SHA-256 with a 2048-bit key.

  1. Before generating a CSR, you must create a private key. You can do this with the following commands:

    ciscoasa#conf t
    ciscoasa(config)#crypto key generate rsa label [key file name] modulus 2048
     

Step 3: Create a Trustpoint

  1. Once the private key is created, you will then need to create a trustpoint for your key. This will allow you to generate the DN information for your new CSR. Input the following command to create your trustpoint:

    ciscoasa(config)#crypto ca trustpoint [key file name].trustpoint

     
  2. Provide your CSR attributes to the trustpoint:

    ciscoasa(config-ca-trustpoint)#subject-name CN=[common name],OU=[department],O=[organization],C=[country],St=[state],L=[city]

    - CN = Common Name: This is the FQDN (Fully Qualified Domain Name) that will be used for connections to your firewall. For example, www.bbtest.net
    - OU = Department Name. For example, Support
    - O = Company Name (avoid using special characters). For example, RapidSSL
    - C = Country, using the 2-letter ISO code. For example, US
    - St = State, spelled out completely. For example, California
    - L = Locality or city, spelled in full. For example, Mountain View
     
  3. Specify the private key created in Step 2.1:

    ciscoasa(config-ca-trustpoint)#keypair [private key file]

    Specify the Common Name for your certificate request (Please input the CN specified in Step 3.2):

    ciscoasa(config-ca-trustpoint)#fqdn [common name]
     
  4. Specify manual enrollment:

     ciscoasa(config-ca-trustpoint)#enrollment terminal
     
  5. Exit trustpoint configuration and initiate your certificate signing request. This is the request you will submit to our enrollment page. To leave trustpoint configuration and initiate the request, input these commands:

    ciscoasa(config-ca-trustpoint)#exit
    ciscoasa(config)#crypto ca enroll [key file name].trustpoint

     
  6. The output will look like this example:

    Start certificate enrollment ..
    The subject name in the certificate will be: CN=www.bbtest.net,OU=Support, O=RapidSSL,C=US,St=California,L=Mountain View

     
  7. You will now be prompted to validate the information you have submitted. The information will look like the following example:

    The fully-qualified domain name in the certificate will be: www.bbtest.net

    NOTE:  Do not include the device serial number in the subject name

    Include the device serial number in the subject name? [yes/no]: no
     
  8. Display your CSR file. This step will display your CSR in your terminal session. Copy the entire CSR, making sure to include the "-----BEGIN CERTIFICATE REQUEST-----" header and "-----END CERTIFICATE REQUEST-----" footer.
     
  9. Once copied, paste this information into a text editor that does not add extra characters (Notepad or Vi are recommended).

    Display Certificate Request to terminal? [yes/no]: yes

    -----BEGIN CERTIFICATE REQUEST-----
    -----END CERTIFICATE REQUEST-----


    --- End --- (NOTE: This line is not part of the certificate request.)

    Redisplay enrollment request? [yes/no]: no

    ciscoasa(config)#

     

  10. Once the CSR has been created, proceed to Enrollment.
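Before submitting the request, it is worth checking on a workstation that what the ASA displayed actually meets the requirements stated above (2048-bit RSA key, SHA-256 signature, CN equal to the fqdn you configured). The following checker is an added example, not part of the RapidSSL article; it assumes openssl is installed, and the sample requests it checks are generated locally with throwaway keys, using the subject fields from the article's example.

```shell
#!/bin/sh
# Added example: sanity-check a CSR pasted from the ASA before submitting it.
# Not part of the RapidSSL article; runs openssl on a workstation, and the
# sample requests below are constructed locally with throwaway keys.
set -e

# check_csr CSR_FILE EXPECTED_CN
# Prints "ok" (exit 0) when the request carries a 2048-bit RSA key, is signed
# with SHA-256 and its CN is the expected FQDN; otherwise prints the first
# failing check and returns 1.
check_csr() {
    csr="$1"; expected_cn="$2"
    text=$(openssl req -in "$csr" -noout -text 2>/dev/null) \
        || { echo "not a valid PEM certificate request"; return 1; }
    # "RSA Public-Key: (2048 bit)" on OpenSSL 1.1, "Public-Key: (2048 bit)" on 3.x
    bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1)
    sigalg=$(printf '%s\n' "$text" | sed -n 's/.*Signature Algorithm: *\([A-Za-z0-9]*\).*/\1/p' | head -n 1)
    # RFC 2253 formatting is stable across versions: subject=CN=...,OU=...,O=...
    cn=$(openssl req -in "$csr" -noout -subject -nameopt RFC2253 | sed -n 's/.*CN=\([^,]*\).*/\1/p')
    [ "$bits" = "2048" ] || { echo "key is ${bits:-unknown} bits, need 2048"; return 1; }
    [ "$sigalg" = "sha256WithRSAEncryption" ] \
        || { echo "signature is ${sigalg:-unknown}, need sha256WithRSAEncryption"; return 1; }
    [ "$cn" = "$expected_cn" ] || { echo "CN is '$cn', expected '$expected_cn'"; return 1; }
    echo ok
}

# make_test_csr OUT_FILE CN BITS: constructed sample request standing in for the
# ASA output (subject fields copied from the article's example, key is throwaway).
make_test_csr() {
    openssl req -new -newkey "rsa:$3" -nodes -keyout "$1.key" -out "$1" -sha256 \
        -subj "/C=US/ST=California/L=Mountain View/O=RapidSSL/OU=Support/CN=$2" >/dev/null 2>&1
}

dir=$(mktemp -d)
trap 'rm -rf "$dir"' EXIT
make_test_csr "$dir/good.csr" www.bbtest.net 2048
make_test_csr "$dir/weak.csr" www.bbtest.net 1024
check_csr "$dir/good.csr" www.bbtest.net || true   # ok
check_csr "$dir/weak.csr" www.bbtest.net || true   # key is 1024 bits, need 2048
check_csr "$dir/good.csr" vpn.bbtest.net || true   # CN is 'www.bbtest.net', expected 'vpn.bbtest.net'
```

To check the real request, save the text between and including the BEGIN/END lines to a file and run `check_csr that-file your-fqdn`.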


Once the SSL certificate has been issued, refer to this link for installation instructions.


Cisco

For additional information, please refer to Cisco ASA 5000 series.
 

Disclaimer:

RapidSSL has made efforts to ensure the accuracy and completeness of the information in this document. However, RapidSSL makes no warranties of any kind (whether express, implied or statutory) with respect to the information contained herein. RapidSSL assumes no liability to any party for any loss or damage (whether direct or indirect) caused by any errors, omissions, or statements of any kind contained in this document.  Further, RapidSSL assumes no liability arising from the application or use of the product or service described herein and specifically disclaims any representation that the products or services described herein do not infringe upon any existing or future intellectual property rights. Nothing herein grants the reader any license to make, use, or sell equipment or products constructed in accordance with this document. Finally, all rights and privileges related to any intellectual property right described herein are vested in the patent, trademark, or service mark owner, and no other person may exercise such rights without express permission, authority, or license secured from the patent, trademark, or service mark owner. RapidSSL reserves the right to make changes to any information herein without further notice.
