To generate a Certificate Signing Request (CSR) for a Cisco ASA 5510, a key pair must first be created for the server. The pair consists of a public key and a private key, which cannot be separated. As with all key pairs, the private key, once created, remains on the system where the CSR is made. The CSR, which carries the public key, is what you submit to a Certificate Authority (CA) to get the public key signed.
To generate a CSR on the Cisco ASA 5510, perform the following steps.
Step 1: Generate a key pair
- Within ASDM, click Configuration > Device Management
- Click Certificate Management > Identity Certificates > Add > Add a new identity certificate
- For the Key Pair, click New > Enter new key pair name
- Enter a unique key pair name for the certificate
- Select the key size as 2048
- To complete the generation of the key pair, click Generate Now
Step 2: Generate a certificate signing request (CSR) file
- To enter certificate information, click Select
- From the drop-down list, select the following attributes > enter value > click Add
- The following fields are required:
- Country Name (C): Use the two-letter code without punctuation for country, for example: US or CA.
- State or Province (S): Spell out the state completely; do not abbreviate the state or province name, for example: California.
- Locality or City (L): The Locality field is the city or town name, for example: Berkeley.
- Organization (O): If your company or department has an &, @, or any other symbol using the shift key in its name, you must spell out the symbol or omit it to enroll, for example: XY & Z Corporation would be XYZ Corporation or XY and Z Corporation.
- Organizational Unit (OU): This field is the name of the department or organization unit making the request.
- Common Name (CN): The Common Name is the Host + Domain Name. It looks like “www.company.com” or “company.com”.
Note: SSL certificates can only be used on Web servers using the Common Name specified during enrollment. For example, a certificate for the domain “domain.com” will receive a warning if accessing a site named “www.domain.com” or “secure.domain.com”, because “www.domain.com” and “secure.domain.com” are different from “domain.com”.
Note: Wildcard SSL Certificates will not operate on Cisco ASA systems by design. Only Subject Alternative Name Certificates are allowed. For more information, click here.
- Once the appropriate values are added, click OK > Advanced
- In the FQDN field, enter the FQDN that will be used to access the device from the Internet:
Note: If enrolling for a Subject Alternative Name certificate, leave this field blank.
- Click OK > Add Certificate > Browse
- Specify a location in which to save the request file.
You have successfully created your CSR and can proceed with enrollment.
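Before submitting the request to the CA, it is worth confirming that the saved file contains what the steps above intended. The script below is an added example, not part of the original instructions or any Cisco tooling. It assumes the OpenSSL command-line tool on a workstation and a PEM-encoded PKCS#10 request file; the host name `vpn.example.com`, the OU value and the file names are constructed sample values.

```shell
#!/bin/sh
# field NAME FILE: print one subject attribute (OpenSSL long name) of the request.
field() {
    openssl req -in "$2" -noout -subject -nameopt multiline |
        sed -n "s/^ *$1 *= //p"
}

# check_csr FILE EXPECTED_CN: return 0 only if every check below passes.
check_csr() {
    csr=$1; want_cn=$2; rc=0
    # The request must parse and its self-signature must verify, i.e. it was
    # signed with the private key matching the public key it carries.
    openssl req -in "$csr" -noout -verify 2>&1 | grep -q 'verify OK' ||
        { echo "FAIL: unreadable request or bad self-signature"; return 1; }
    bits=$(openssl req -in "$csr" -noout -text |
        sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p')
    [ "${bits:-0}" -ge 2048 ] || { echo "FAIL: key is ${bits:-?} bits"; rc=1; }
    # Every field the page lists as required must be present.
    for f in countryName stateOrProvinceName localityName organizationName \
             organizationalUnitName commonName; do
        [ -n "$(field "$f" "$csr")" ] || { echo "FAIL: missing $f"; rc=1; }
    done
    case "$(field countryName "$csr")" in
        [A-Z][A-Z]) ;;
        *) echo "FAIL: country is not a two-letter code"; rc=1 ;;
    esac
    case "$(field organizationName "$csr")" in
        *[\&@]*) echo "FAIL: symbol in organization name"; rc=1 ;;
    esac
    cn=$(field commonName "$csr")
    case "$cn" in \**) echo "FAIL: wildcard common name"; rc=1 ;; esac
    [ "$cn" = "$want_cn" ] || { echo "FAIL: CN '$cn' is not '$want_cn'"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: $csr ($bits-bit key, CN=$cn)"
    return "$rc"
}

# Constructed sample standing in for the request file saved from ASDM.
make_sample_csr() {  # arguments: OUTFILE CN
    openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1" \
        -subj "/C=US/ST=California/L=Berkeley/O=XYZ Corporation/OU=IT/CN=$2" \
        2>/dev/null
}

tmp=$(mktemp -d)
make_sample_csr "$tmp/asa.csr" vpn.example.com
check_csr "$tmp/asa.csr" vpn.example.com
```

For a real request, call `check_csr` with the path chosen in the last step and the host name users will type to reach the device.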
If you are unable to use these instructions for your server, Acmetek recommends that you contact either the vendor of your software or the organization that supports it.
For Cisco ASA SSL installation instructions, click here.