How to Generate Certificate Signing Request Signing Request (CSR) in Cisco ASA 5000 Series using Command Line


This document provides instructions for generating a Certificate Signing Request (CSR) for Cisco ASA 5000 Series using Command Line. If you are unable to use these instructions for your server, RapidSSL recommends that you contact Cisco.

NOTE: To generate a CSR, you will need to create a key pair for your server. These two items are a digital certificate key pair and cannot be separated. If you lose your public/private key file or your password and generate a new one, your SSL Certificate will no longer match.

Step 1: Verify that the date, time, and time zone values are accurate.

1.      You can verify the date, time, and time zone by running the following command:

         ciscoasa#show clock

         For example: 11:02:20.244 UTC Thu Jul 19 2012

Step 2: Create a certificate private key

        NOTE: All certificates that will expire after October 2013 must have a 2048 bit key size

1.      Before generating a CSR request, you must create a private key. You can do this by the following command:

         ciscoasa#conf t

         ciscoasa(config)#crypto key generate rsa label <key_file_name>.key modulus 2048

         INFO: The name for the keys will be: <key_file_name>.key

         Keypair generation process begin. Please wait...

Step 3: Create a Trustpoint

1.    Once the private key is created, you will then need to create a trustpoint for your key. This will allow you to generate the DN information for your new CSR.

       Input the following command to create your trustpoint:

       ciscoasa(config)#crypto ca trustpoint <key_file_name>.trustpoint

2.    Provide your CSR attributes to  your trustpoint:

       ciscoasa(config-ca-trustpoint)#subject-name,OU=Support, O=Company Inc.,C=US,St=California,L=Mountain View

CN= FQDN (Full Qualified Domain Name) that will be used for connections to your firewall.

NOTE: RapidSSL certificates can only be used on Web servers using the Common Name specified during enrollment. For example, a certificate for the domain"" will receive a warning if accessing a site named "" or "", because "" and "" are different from "".

OUDepartment Name. For example: Support

O= Company Name (Avoid using Special Characters). For example, Company Inc.

C= Country Code (2 Letter Code without Punctuation)

St= State (Must be spelled out completely.) For example, California

L= City

3.    Specify Key pair created in step 2:

       ciscoasa(config-ca-trustpoint)#keypair <key_file_name>.key

4.    Specify the Common Name for your certificate request (Please input the FDQN specified in step 3):


5.    Specify manual enrollment:

       ciscoasa(config-ca-trustpoint)#enrollment terminal

6.    Exit manual enrollment and initiate your certificate signing request. 

       This is the request to be submitted to our enrollment page.

       To exit the manual enrollment and initiate your certificate, input these commands:


       ciscoasa(config)#crypto ca enroll <key_file_name>.trustpoint

       NOTE: This step will initiates certificate signing request. This is the request you will be submitting to RapidSSL during your enrollment or renewal process. 

       The output will look like this example:

       Start certificate enrollment ..

       The subject name in the certificate will be:,OU=Support,

       O=Company Inc.,C=US,St=California,L=Mountain View

7.    You will now be prompted to validate the information you have submitted. 

       The information will look like the following example:

       The fully-qualified domain name in the certificate will be:

       NOTE:  Do not include the device serial number in the subject name Include the device serial number in the subject name? [yes/no]: no
8.    Display your CSR file

       This step will display your CSR on your terminal session. You will want to copy and paste the entire CSR file. Make sure to include the "BEGIN CERTIFICATE REQUEST" and "END CERTIFICATE REQUEST" header and footer. 
9.    Once copied, paste this information into a text editor that does not add extra characters (Notepad or Vi are recommended).  

       Display Certificate Request to terminal? [yes/no]: yes

       Certificate Request follows:


       ---End --- (NOTE:This line is not part of the certificate request.)

       Redisplay enrollment request? [yes/no]: no


10.  Verify your CSR

11.  Once the CSR has been created and validated, proceed to Enrollment.


      For additional information, please refer to Cisco ASA 5000 series





WarungSSL has made efforts to ensure the accuracy and completeness of the information in this document. However, WarungSSL makes no warranties of any kind (whether express, implied or statutory) with respect to the information contained herein. WarungSSL assumes no liability to any party for any loss or damage (whether direct or indirect) caused by any errors, omissions, or statements of any kind contained in this document.

Further, WarungSSL assumes no liability arising from the application or use of the product or service described herein and specifically disclaims any representation that the products or services described herein do not infringe upon any existing or future intellectual property rights. Nothing herein grants the reader any license to make, use, or sell equipment or products constructed in accordance with this document. Finally, all rights and privileges related to any intellectual property right described herein are vested in the patent, trademark, or service mark owner, and no other person may exercise such rights without express permission, authority, or license secured from the patent, trademark, or service mark owner. Geotrust reserves the right to make changes to any information herein without further notice.


We uses cookies to remember and process the items in your shopping cart as well as to compile aggregate data about site traffic and interactions so that we can continue improving your experience on our site.