How to Generate a Certificate Signing Request (CSR) in Cisco ASA 5000 Series using Command Line

Description

This document provides instructions for generating a Certificate Signing Request (CSR) for Cisco ASA 5000 Series using Command Line. If you are unable to use these instructions for your server, RapidSSL recommends that you contact Cisco.

NOTE: To generate a CSR, you will need to create a key pair for your server. These two items are a digital certificate key pair and cannot be separated. If you lose your public/private key file or your password and generate a new one, your SSL Certificate will no longer match.

Step 1: Verify that the date, time, and time zone values are accurate.

1.      You can verify the date, time, and time zone by running the following command:

         ciscoasa#show clock

         For example: 11:02:20.244 UTC Thu Jul 19 2012

Step 2: Create a certificate private key

        NOTE: All certificates that will expire after October 2013 must have a 2048-bit key size.

1.      Before generating a CSR, you must create a private key. You can do this with the following commands:

         ciscoasa#conf t

         ciscoasa(config)#crypto key generate rsa label <key_file_name>.key modulus 2048

         INFO: The name for the keys will be: <key_file_name>.key

         Keypair generation process begin. Please wait...

Step 3: Create a Trustpoint

1.    Once the private key is created, you will then need to create a trustpoint for your key. This will allow you to generate the DN information for your new CSR.

       Input the following command to create your trustpoint:

       ciscoasa(config)#crypto ca trustpoint <key_file_name>.trustpoint

2.    Provide your CSR attributes to your trustpoint:

       ciscoasa(config-ca-trustpoint)#subject-name CN=www.domain.com,OU=Support,O=Company Inc.,C=US,St=California,L=Mountain View

CN= FQDN (Fully Qualified Domain Name) that will be used for connections to your firewall.

NOTE: RapidSSL certificates can only be used on Web servers using the Common Name specified during enrollment. For example, a certificate for the domain "domain.com" will receive a warning if accessing a site named "www.domain.com" or "secure.domain.com", because "www.domain.com" and "secure.domain.com" are different from "domain.com".

OU= Department Name. For example: Support

O= Company Name (Avoid using Special Characters). For example, Company Inc.

C= Country Code (2 Letter Code without Punctuation)

St= State (Must be spelled out completely.) For example, California

L= City

3.    Specify Key pair created in step 2:

       ciscoasa(config-ca-trustpoint)#keypair <key_file_name>.key

4.    Specify the Common Name for your certificate request (Please input the FQDN specified in step 3):

       ciscoasa(config-ca-trustpoint)#fqdn www.domain.com 

5.    Specify manual enrollment:

       ciscoasa(config-ca-trustpoint)#enrollment terminal

6.    Exit manual enrollment and initiate your certificate signing request. 

       This is the request to be submitted to our enrollment page.

       To exit the manual enrollment and initiate your certificate, input these commands:

       ciscoasa(config-ca-trustpoint)#exit

       ciscoasa(config)#crypto ca enroll <key_file_name>.trustpoint

       NOTE: This step initiates the certificate signing request. This is the request you will be submitting to RapidSSL during your enrollment or renewal process.

       The output will look like this example:

       Start certificate enrollment ..

       The subject name in the certificate will be: CN=www.domain.com,OU=Support,

       O=Company Inc.,C=US,St=California,L=Mountain View

7.    You will now be prompted to validate the information you have submitted. 

       The information will look like the following example:

       The fully-qualified domain name in the certificate will be: www.domain.com

       NOTE: Do not include the device serial number in the subject name.

       Include the device serial number in the subject name? [yes/no]: no
 
8.    Display your CSR file

       This step will display your CSR on your terminal session. You will want to copy and paste the entire CSR file. Make sure to include the "BEGIN CERTIFICATE REQUEST" and "END CERTIFICATE REQUEST" header and footer. 
          
9.    Once copied, paste this information into a text editor that does not add extra characters (Notepad or Vi are recommended).  

       Display Certificate Request to terminal? [yes/no]: yes

       Certificate Request follows:

       -----BEGIN CERTIFICATE REQUEST-----
       -----END CERTIFICATE REQUEST-----

       ---End --- (NOTE: This line is not part of the certificate request.)

       Redisplay enrollment request? [yes/no]: no

       ciscoasa(config)# 

10.  Verify your CSR

11.  Once the CSR has been created and validated, proceed to Enrollment.
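
One way to carry out step 10 on a workstation before enrollment, shown as an added example that is not part of the original article and is not RapidSSL or Cisco code: it parses the text copied in steps 8 and 9 using only the Python standard library, rejects a missing header or footer, stray characters or a truncated paste, and reports the Common Name and RSA modulus size. The function names are hypothetical, the sample is constructed (dummy modulus and signature), only RSA keys are handled, and the request signature is not verified.

```python
import base64, re

ARMOR = re.compile(r"-----BEGIN (CERTIFICATE REQUEST)-----(.*?)-----END \1-----", re.S)

def parse(buf):
    """Decode DER into (tag, value) pairs; constructed values become nested lists."""
    out, pos = [], 0
    while pos < len(buf):
        tag, n, pos = buf[pos], buf[pos + 1], pos + 2
        if n & 0x80:                                 # long-form length
            k = n & 0x7F
            n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
        if pos + n > len(buf):
            raise ValueError("DER length runs past the data: request is truncated")
        out.append((tag, parse(buf[pos:pos + n]) if tag & 0x20 else buf[pos:pos + n]))
        pos += n
    return out

def check_capture(text):
    """Return the CN and RSA modulus size of the CSR found in pasted terminal output."""
    m = ARMOR.search(text)
    if not m:
        raise ValueError("BEGIN/END CERTIFICATE REQUEST line missing")
    der = base64.b64decode("".join(m.group(2).split()), validate=True)  # no stray chars
    top = parse(der)
    if len(top) != 1 or top[0][0] != 0x30:
        raise ValueError("expected exactly one DER SEQUENCE")
    _version, (_, subject), (_, spki) = top[0][1][0][1][:3]  # CertificationRequestInfo
    cn = [val.decode() for _, rdn in subject for _, ((_, oid), (_, val)) in rdn
          if oid == b"\x55\x04\x03"]                 # OID 2.5.4.3, commonName
    key = parse(spki[1][1][1:])                      # [1:] skips the unused-bits byte
    bits = int.from_bytes(key[0][1][0][1], "big").bit_length()
    return {"cn": cn[0] if cn else None, "rsa_bits": bits}

def enc(tag, *parts):
    """DER-encode one element; used only to build the constructed sample."""
    body = b"".join(parts)
    n, k = len(body), (len(body).bit_length() + 7) // 8
    return bytes([tag]) + (bytes([n]) if n < 128 else bytes([0x80 | k]) + n.to_bytes(k, "big")) + body

def sample_capture(cn="www.domain.com", bits=2048):
    """Constructed CSR-shaped input (dummy modulus, empty signature), indented like a paste."""
    name = enc(0x30, enc(0x31, enc(0x30, enc(6, b"\x55\x04\x03"), enc(0x13, cn.encode()))))
    alg = enc(0x30, enc(6, bytes.fromhex("2a864886f70d010101")), enc(5))
    n = b"\x00" + ((1 << bits - 1) | 1).to_bytes(bits // 8, "big")
    spki = enc(0x30, alg, enc(3, b"\x00", enc(0x30, enc(2, n), enc(2, b"\x01\x00\x01"))))
    der = enc(0x30, enc(0x30, enc(2, b"\x00"), name, spki, enc(0xA0)), alg, enc(3, b"\x00"))
    lines = ["-----BEGIN CERTIFICATE REQUEST-----", *base64.encodebytes(der).decode().split(),
             "-----END CERTIFICATE REQUEST-----", "", "---End ---"]
    return "".join("       " + line + "\n" for line in lines)
```

To check a real request, pass the saved terminal text to `check_capture` and compare the result with the key size from step 2 and the Common Name from step 3.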

Cisco

      For additional information, please refer to Cisco ASA 5000 series

 

 

 
