Generating the Certificate Signing Request (CSR)

Step1. Create a keypair 

crypto key generate rsa label <label> modulus <key_size>

Step2. Create a trustpoint. The trustpoint is a container for certificates and keys used by the Cisco ASA.
crypto ca trustpoint <name>

Step3. Specify that the terminal will be used to generate the certificate request (CSR) and to receive the response.
enrollment terminal

Step4. Specify the Fully Qualified Domain Name for the trustpoint.  The FQDN will be included in the certificate request.
fqdn vpn.pinnacleems.com

Step5. Specify the Subject Name.  This defines the Distinguished Name (DN) of the subject in the certificate.
subject-name CN=vpn.pinnacleems.com,O=Pinnacle EMS,C=US

Step6. Specify the keypair that was created in step 1, using the label given there (trustpoint00 in this example).
keypair trustpoint00

Step7. Exit the trustpoint configuration
exit

Step8. Enroll the trustpoint. This will generate the Certificate Signing Request (CSR) that you will submit to the Certificate Authority (CA).
crypto ca enroll <name>

The CSR will look something like:

-----BEGIN CERTIFICATE REQUEST-----
MIIBIjCB0AIBADCBgKCBjDEUMBIGA1UEAwwLbXl3ZWJzaXRlLmNvbTELMAkGA1UE
BhMCVVMxDjAMBgNVBAoMBUNvbXBhbnkxEjAQBgNVBAcMCU5ldyBZb3JrMQswCQYD
VQQIDAJOWTEPMA0GA1UEBwwGRGFsbGFzMB4XDTIxMDEwMTAwMDAwMFoXDTIxMDEw MTEwMDAwMFowgYAxCzAJBgNVBAYTAlVTMQ4wDAYDVQQKDAVDb21wYW55MRIwEAYD
VQQHDAlOZXcgWW9yaywxDTALBgNVBAgMBE5ZMQ8wDQYDVQQHDAZEYWxsYXMxCzAJ
BgNVBAYTAlVTMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAnxEBCZ8K …
-----END CERTIFICATE REQUEST-----

Applying the certificate to the Cisco ASA

Once you have received the signed certificate back from the Certificate Authority (CA) you can perform the following:

Step1. Import the Certificate Authority's (CA) root certificate into the trustpoint created in step2.

crypto ca authenticate <trustpoint>

You will be prompted to copy and paste the CA certificate, which will look something like:

-----BEGIN CERTIFICATE-----
MIIDdzCCAl+gAwIBAgIEbGxsZzANBgkqhkiG9w0BAQUFADCBiDEUMBIGA1UEAwwL …
-----END CERTIFICATE-----

Step2. Import the identity certificate for the device.

crypto ca import <trustpoint> certificate

Step3. Apply the certificate to the appropriate interface on the Cisco ASA

ssl trust-point <trustpoint> <if_name>
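
Two checks worth running on a workstation around the steps above, as an added example that is not part of the original post: confirm the CSR carries the expected CN and key size before it goes to the CA, and confirm the returned identity certificate matches the CSR's key before importing it. It assumes the openssl command-line tool is installed; the function names, file names and the throwaway sample key are hypothetical.

```shell
#!/bin/sh
# Added example: checks to run on a workstation with openssl, around the ASA steps.

# check_csr <csr.pem> <expected_cn> <min_rsa_bits>  (before sending the CSR to the CA)
check_csr() {
    csr=$1; want_cn=$2; min_bits=$3
    # PEM markers need exactly five ASCII hyphens; web pages and mail clients
    # often turn them into en/em dashes, which makes the request unparseable.
    tr -d '\r' < "$csr" | grep -qx -- '-----BEGIN CERTIFICATE REQUEST-----' ||
        { echo "missing or mangled PEM header" >&2; return 1; }
    subject=$(openssl req -in "$csr" -noout -subject -nameopt RFC2253) || return 1
    dn=$(printf '%s' "${subject#subject=}" | tr '+' ',')
    case ",$dn," in
        *",CN=$want_cn,"*) ;;
        *) echo "unexpected subject: $dn" >&2; return 1 ;;
    esac
    bits=$(openssl req -in "$csr" -noout -text |
        sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p')
    [ "${bits:-0}" -ge "$min_bits" ] ||
        { echo "RSA modulus too small: ${bits:-unknown}" >&2; return 1; }
}

# same_key <csr.pem> <cert.pem>  (before "crypto ca import": the returned
# identity certificate must carry the public key that is in the CSR)
same_key() {
    a=$(openssl req -in "$1" -noout -pubkey) || return 1
    b=$(openssl x509 -in "$2" -noout -pubkey) || return 1
    [ "$a" = "$b" ]
}

# make_sample <dir>: constructed stand-in for ASA output (throwaway key, CSR with
# the subject-name from Step5, and a self-signed cert playing the CA's reply).
make_sample() {
    openssl req -new -newkey rsa:2048 -nodes -keyout "$1/key.pem" \
        -out "$1/asa.csr" -subj "/CN=vpn.pinnacleems.com/O=Pinnacle EMS/C=US" \
        2>/dev/null &&
    openssl x509 -req -in "$1/asa.csr" -signkey "$1/key.pem" -days 1 \
        -out "$1/id.pem" 2>/dev/null
}

if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d) && make_sample "$d" &&
        check_csr "$d/asa.csr" vpn.pinnacleems.com 2048 &&
        same_key "$d/asa.csr" "$d/id.pem" && echo "CSR and certificate OK"
    rm -rf "$d"
fi
```

Run the script with the argument demo to exercise both checks on the constructed sample; with a real device, save the text printed by the enroll step to a file and pass that file to check_csr.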
