Cisco ASA SSL Administration
Introduction
When ordering an SSL certificate, a Certificate Signing Request (CSR) is required. The CSR is generated from a private key.
If you wish to generate the private key yourself, you also need to generate the CSR: follow Generating the CSR and afterwards Installation of certificate from CSR.
If the CSR has been created outside the Cisco ASA, you need the certificate and private key in a .PFX (PKCS12) file. Follow Installation of certificate from .PFX file.
Generating the CSR
- Open the Cisco control panel.
- Click Configuration.
On the left side click Remote Access VPN.
Expand Certificate Management.
Click Identity Certificates.
In the centre click Add.
- Enter a Trustpoint Name that makes it easy to see what it is for, e.g. the DNS name and year.
Flag Add a new identity certificate.
Click New on the right side next to Key Pair.
- Select the type of key you wish to use; RSA is the default key type today.
Give the key a name so it's easy to identify, e.g. the DNS name followed by .key.
Select the key size, at least 2048 for RSA and 256 for ECDSA.
Select General purpose.
Click Generate Now.
- Enter the following information:
- Common Name (CN): The primary fully qualified domain name. e.g.: vpn.fairssl.dk
- Organization Name (O): The full company name exactly as it is presented in CVR. e.g.: FairSSL A/S
- Location (L): The city name. e.g.: Ørum Djurs
- State (St): The state or municipality, in Denmark the municipality is used. e.g.: Norddjurs
- Country (C): ISO-standard two-letter country code, must be capitalised. e.g.: DK
Select the type in Attribute.
Enter the information in Value.
Click Add.
Click OK when all the information has been entered.
- Flag Enable CA flag in basic constraints extension.
Click Advanced on the right.
- Enter the DNS name in FQDN.
Click OK.
- Click Add Certificate.
Select where you wish to save the CSR file.
Click OK.
- Open the CSR file with a text editor (e.g. notepad) and copy the entire text, incl. all the dashes at the beginning and end.
During the certificate ordering process you paste the text into the CSR field.
The following is an example of a complete CSR text:
A CSR does not contain any confidential information, and there is no security risk in sending it through unencrypted mail or similar.
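An added example, not part of the original guide: a shell function that checks a saved CSR file against the requirements above (complete PEM text, minimum key size, Common Name, capitalised country code) before it is pasted into the order form. It assumes the OpenSSL command-line tool on the workstation; `check_csr`, `make_sample_csr` and the sample subject are constructed for illustration.

```shell
#!/bin/sh
# Added example: sanity-check a saved CSR file before submitting it.

# make_sample_csr BITS OUT: constructed RSA CSR standing in for the ASA's file.
make_sample_csr() {
    openssl req -new -newkey "rsa:$1" -nodes -keyout "$2.key" -out "$2" \
        -subj "/C=DK/ST=Norddjurs/CN=vpn.fairssl.dk" >/dev/null 2>&1
}

# check_csr FILE EXPECTED_CN: returns 0 only if every check passes.
check_csr() {
    csr=$1; want_cn=$2
    # 1. PEM text complete and self-signature valid (catches a partial copy).
    openssl req -in "$csr" -noout -verify 2>&1 | grep -q "verify OK" ||
        { echo "FAIL: truncated or corrupted CSR"; return 1; }
    # 2. Key size: at least 2048 bits for RSA, 256 for ECDSA.
    text=$(openssl req -in "$csr" -noout -text)
    bits=$(printf '%s\n' "$text" |
        sed -n 's/.*Public-Key: (\([0-9]*\) bit.*/\1/p' | head -n 1)
    case $text in
        *"Public Key Algorithm: rsaEncryption"*) min=2048 ;;
        *"Public Key Algorithm: id-ecPublicKey"*) min=256 ;;
        *) echo "FAIL: unexpected key type"; return 1 ;;
    esac
    [ "${bits:-0}" -ge "$min" ] ||
        { echo "FAIL: ${bits:-0}-bit key, need at least $min"; return 1; }
    # 3. Subject: CN is the expected FQDN, C is two capital letters.
    subj=$(openssl req -in "$csr" -noout -subject -nameopt RFC2253 |
        sed 's/^subject= *//' | tr ',' '\n')
    cn=$(printf '%s\n' "$subj" | sed -n 's/^CN=//p')
    c=$(printf '%s\n' "$subj" | sed -n 's/^C=//p')
    [ "$cn" = "$want_cn" ] || { echo "FAIL: CN is '$cn'"; return 1; }
    printf '%s' "$c" | LC_ALL=C grep -Eq '^[A-Z]{2}$' ||
        { echo "FAIL: country code '$c'"; return 1; }
    echo "OK: $csr ($bits-bit key, CN=$cn, C=$c)"
}

# Demo on a constructed CSR; point check_csr at the file saved from the ASA.
tmp=$(mktemp -d)
make_sample_csr 2048 "$tmp/vpn.csr" && check_csr "$tmp/vpn.csr" vpn.fairssl.dk
rm -rf "$tmp"
```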
Installation of certificate from CSR
It is important to install the intermediate certificate before the server certificate.
Installation of intermediate certificates
- Open the Cisco control panel.
- Click Configuration.
On the left click Remote Access VPN.
Expand Certificate Management.
Click CA Certificates.
- Enter the Trustpoint Name you created during CSR generation.
Either select the intermediate certificate file, or copy the text directly from the email into Paste certificate in PEM format.
Click Install Certificate.
Installation of server certificate
- Click Configuration.
On the left click Remote Access VPN.
Expand Certificate Management.
Click Identity Certificates.
Select the certificate that has the Associated Trustpoint name you created during CSR generation.
Select your certificate file.
Click Install Certificate.
- Click Configuration.
On the left click Remote Access VPN.
Expand Advanced.
Click SSL Settings.
Under Certificates select the interface you wish to use the certificate with.
Click Edit.
Select the certificate you just installed.
Click OK.
Click Apply.
We recommend that you test the installation with our server tester at: https://www.fairssl.net/en/ssltest
Installation of certificate from .PFX file
- Open the Cisco control panel.
- Click Configuration.
On the left click Remote Access VPN.
Expand Certificate Management.
Click Identity Certificates.
In the centre click Add.
- Enter a Trustpoint Name that makes it easy to see what it is for, e.g. the DNS name and year.
Flag Import the identity certificate from a file.
Enter the password for the .PFX file in Decryption Passphrase (If you have used CSR-service the password will be the code you received through SMS).
Select the .PFX file.
Click Add Certificate.
- Click Configuration.
On the left click Remote Access VPN.
Expand Advanced.
Click SSL Settings.
Under Certificates select the interface you wish to use the certificate with.
Click Edit.
Select the certificate you just installed.
Click OK.
Click Apply.
We recommend that you test the installation with our server tester at: https://www.fairssl.net/en/ssltest
Intermediate certificates
Here you can find the intermediate certificates from different Certificate Authorities.
We recommend that you use the intermediate certificate you got with your server certificate, and only download from here in case you lose it, as the one you get in the mail will always be the correct one for your server certificate.