How to create SSL CSR and install Certificate on Cisco ASA

Mental note: how to request SSL certificate on Cisco ASA:

 

Verify that time is accurate

vpn# sh clock
06:46:19.172 GMT Fri Dec 4 2015
vpn#
vpn# sh run ntp
ntp server x.x.x.x source outside
ntp server x.x.x.x source outside prefer
vpn# sh ntp status
Clock is synchronized, stratum 3, reference is x.x.x.x
nominal freq is 99.9984 Hz, actual freq is 99.9996 Hz, precision is 2**6
reference time is da0bb44c.256d5214 (06:42:20.146 GMT Fri Dec 4 2015)
clock offset is 0.0742 msec, root delay is 12.12 msec
root dispersion is 46.77 msec, peer dispersion is 15.82 msec
vpn#

Verify that the combination <hostname>.<domain-name> equals the fqdn of the certificate CN.

vpn(config)#hostname vpn
vpn(config)#domain-name domain.com

If it does not match, you will get the following error message when enrolling the csr:

WARNING: The certificate enrollment is configured with an fqdn
that differs from the system fqdn. If this certificate will be
used for VPN authentication this may cause connection problems.

 

Create key-pair

vpn(config)# crypto key generate rsa label sslcert-keypair modulus 2048 noconfirm
INFO: The name for the keys will be: sslcert-keypair
Keypair generation process begin. Please wait...
vpn(config)#

Create and configure trustpoint

Refer to the earlier created key-pair. Also make sure that CN matches hostname+domain-name. Many root CA:s requires company name in the O= (organization) field and also correct country code in the SE= field.

vpn(config)# crypto ca trustpoint sslcert-trustpoint
vpn(config-ca-trustpoint)# subject-name CN=vpn.domain.com,L=City,ST=State,O=ACME Inc,C=SE
vpn(config-ca-trustpoint)# keypair sslcert-keypair
vpn(config-ca-trustpoint)# fqdn vpn.domain.com
vpn(config-ca-trustpoint)# enrollment terminal

Enroll

vpn(config)# crypto ca enroll sslcert-trustpoint
% Start certificate enrollment .. 
% The subject name in the certificate will be: CN=vpn.domain.com,O=ACME Inc,C=SE

% The fully-qualified domain name in the certificate will be: vpn.domain.com

% Include the device serial number in the subject name? [yes/no]: no

Display Certificate Request to terminal? [yes/no]: yes
Certificate Request follows:
-----BEGIN CERTIFICATE REQUEST-----
MIIC1DCCAbwCAQAwVjELMAkGA1UEBhMCU0UxFTATBgNVBAoTDEJqdXZzIEtvbW11
bjEUMBIGA1UEAxMLdwBuLmJqdXYuc2UxGjAYBgkqhkiG9w0BCQIWC3Zwbi5ianV2
LnNlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAs/d2HneWc2l/ru+q
sJu2M2vdgNln9k2wtuDxmKcrbp3Caf+qY89La3o1XGS6GovhLYPCx/+Xa9JzzWRc
alCMKk1F5UvS1a0FQvHeHEec+TQoZOEKgxmrPJaKdPyU/IcFyUPGRZaxe09FSBvY
y690ETtHFgibK+aKjr2l4d9Lx9auUmPtKIWPccujIUM2+47Fy8hhO/bNjC4GNOw1
rgyip1nWFEUHZOv3CbRcV/cnbo2aWL7ZmnSP5w+Tc13kyZVRIL2A/cHJk1vw118B
CspH3K0k919VQIsl78/6sHv/VEx1+59lWG7OO3buUY/Y1xcXPML+GkiuVw9j+cIa
FaCt4QIDAQABoDkwNwYJKoZIhvcNAQkOMSowKDAOBgNVHQ8BAf8EBAMCBaAwFgYD
VR0RBA8wDYILdnBuL1JqdXYuc2UwDQYJKoZIhvcNAQEFBQADggEBAKjLGKZngbb2
mnX/2dbOfZoC7v/t0ES8o0YQupbWfTaHfSEOD6N3AklVbX4a508AnPSAvbPUX8iv
Cp/lYhVNmt2xNqjWmjjXhDAbZnRr/gXNJiPZAGzDTdWfw3DkUkwvzAyHyDJfHSVY
j+8kdNwED94ULVxG72VHIqTH5ncrJ61KqAurQFtvJs7ao29e+vnMWJPRIMcZZPvD
Dqr+kNWI/GSA8LUg8M6hT8XQvbnN1M7UY5OGgrME1EO1dBwwdGpRDy7nCf9AgOqI
sFjDmfIQ7LYOoXspXJXGqv/ye/I044CB4AAsShf7pscX0DmS7r+64SZsJxGdVzMU
EjVXcdN57GI=
-----END CERTIFICATE REQUEST-----

Redisplay enrollment request? [yes/no]: no
vpn(config)# 

Send the CSR (the garbage between the —– lines) to the CA and wait for a reply

When the reply comes back from CA it will include a base-64 encoded certificate. Paste the junk when prompted as shown below…


vpn(config)# crypto ca import sslcert-trustpoint certificate 
WARNING: The certificate enrollment is configured with an fqdn
that differs from the system fqdn. If this certificate will be
used for VPN authentication this may cause connection problems.

Would you like to continue with this enrollment? [yes/no]: yes

% The fully-qualified domain name in the certificate will be: 


Enter the base 64 encoded certificate.
End with the word "quit" on a line by itself

-----BEGIN CERTIFICATE-----
MIWE8TCCA9mgAwIBAgISESFaa2+V3Pv4L8cqGL6ZctLJMA0GCSqGSIb3DQEBCwUA
MGAxCzAJBgNVBAYTAkJFMRkwFwYDVQQKExBHbG9iYWxTaWduIG52LXNhMTYwNAYD
VQQDEy1HbG9iYWxTaWduIERvbXFpbiBWYWxpZGF0aW9uIENBIC0gU0hBMjU2IC0g
RzIwHhcNMTUxMjA3MjIyMjQwWhcNMTgxMjA3MjIyMjQwWjBGMQswCQYDVQQGEwJT
RTEhMB8GA1UECxMYRG9tYWluIENvbnRyb2wgVmFsaWRhdGVkMRQwEgYDVQQDEwt2
cG4uYmp1di5zZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALP3dh53
lnNpf67vqrCbtjNr3YDZZ/ZNsLbg8ZinK26dwmn/qmPPS2t6NVxkuhqL4S2Dwsf/
l2vSc81kXGpQjCpNReVL0tWtBULx3BxHnPk0KGThCoMZqzyWinT8lPyHBclDxkWW
sXtPRUgb2MuvdBE7RxYImyvmio69peHfS8fWrlJj7SiFj3HLoyFDNvuOxcvIYTv2
zYwuBjTsNa4Moqdd1hRFB2Tr9wm0dVf3J26Nmli+2Zp0j+cPk3Nd5MmVUSC9gP3B
yZNb8NdfAQrKR9ytJPdfVUCLJe/P+rB7/1RMdfufZVhuzjt27lGP2NcXFzzC/hpI
rlcPY/nCGhWgreECAwEAAaOCAb0wggG5MA4GA1UdDwEB/wQEAwIFoDBJBgNVHSAE
QjBAMD4GBmeBDAECATA0MDIGCCsGAQUFBwIBFiZodHRwczovL3d3dy5nbG9iYWxz
aWduLmNvbS9yZXBvc2l0b3J5LzAWBgNVHREEDzANggt2cG4uYmp1di5XZTAJBgNV
HRMEAjAAMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjBDBgNVHR8EPDA6
MDigNqA0hjJodHRwOi8vY3JsLmdsb2JhbHNpZ24uY29tL2dzL2dzZG9tYWludmFs
c2hhMmcyLmNybDCBlAYIKwYBBQUHAQEEgYcwgYQwRwYIKwYBBQUHMAKGO2h0dHA6
Ly9zZWN1cmUuZ2xvYmFsc2lnbi5jb20vY2FjZXJ0L2dzZG9tYWludmFsc2hhMmcy
cjEuY3J0MDkGCCsGAQUFBzABhi1odHRwOi8vb2NzcDIuZ2xvYmFsc2lnbi5jb20v
Z3Nkb21haW52YWxzaGEyZzI1HQYDVR0OBBYEFObizS0jMNVzX5OqUkOUML02+XUX
MB8GA1UdIwQYMBaAFOpOfNSALeUVgYYmjIJtwJikz5cPMA0GCSqGSIb3DQEBCwUA
A4IBAQB2Ln0H9omBRfocT+LxrGrOrwKUpsyAM2DWORIRz0rtzPHs38FVhdfJvk+1
8fmWoyd/K35dxq+a2LOuTZRYTVwlNqTqeOPrMMbIiNO9WVtM9avJPITYn9Emu4q8
eflKmjZW+uED8NDAtqPMY8Q1Idq2FxhqM4rkhbYJI41Cd5jbFhWitXsSxpM2iYQa
yyunK5mdYfldxWELCttUwA840NjVCHULzdDf3E4iF1Er3hrE+O1N18i5pQ7m/sp2
6mjkGKSzNxDYWAm4UySWKhoZpgRlpisr0oKwT1nNxFiJfCZA67+b5zBZELJYfiy4
eiTy7n1hWPfvoo/GkD00BdgKk4mL
-----END CERTIFICATE-----
quit
INFO: Certificate successfully imported
vpn(config)# ssl trust-point sslcert-trustpoint outside 

The last command applies the installed trustpoint-certificate to all SSL connections on the outside interface.

Posted in Uncategorized
One comment on “How to create SSL CSR and install Certificate on Cisco ASA
  1. Coralee says:

    Just do me a favor and keep writing such trhecnant analyses, OK?

Leave a Reply

Your email address will not be published.

*

Signuppp

[mc4wp_form id="2457"]
Website Security Test