
Cisco ASA - How do I generate a CSR ?

A Certificate Signing Request (CSR) is a base64-encoded (PEM) string generated from the user's public key together with a number of attributes supplied by the user, such as the DN, email address and so on. The CSR is sent to the CA, which uses it to create the public certificate; the certificate is then signed and returned to the user. The benefit of using a CSR is that the private key never leaves the client.

Below we provide the steps needed to generate a CSR on a Cisco ASA.

Generate Key Pair

First of all we create a key pair (private/public key).

ciscoasa#conf t
ciscoasa(config)#crypto key generate rsa label fir3net.key modulus 1024

INFO: The name for the keys will be: fir3net.key
Keypair generation process begin. Please wait...

Create Trustpoint

Next a trustpoint is created. Within the trustpoint the previously created key pair is assigned and the certificate's DN is defined.

ciscoasa(config)#crypto ca trustpoint my.thwart.trustpoint
ciscoasa(config-ca-trustpoint)#subject-name CN=webvpn.fir3net.com,OU=lab,O=cisco.com,C=UK,St=Hants,L=Winchester
ciscoasa(config-ca-trustpoint)#keypair fir3net.key
ciscoasa(config-ca-trustpoint)#fqdn webvpn.cisco.com
ciscoasa(config-ca-trustpoint)#enrollment terminal
ciscoasa(config-ca-trustpoint)#exit

Generate CSR

Finally we generate the actual CSR. This produces a base64-encoded PEM string, which is then sent to the CA and used to generate the public certificate.

ciscoasa(config)#crypto ca enroll my.thwart.trustpoint

% Start certificate enrollment ..
% The subject name in the certificate will be: CN=webvpn.fir3net.com,OU=lab,O=cisco.com,C=UK,St=Hants,L=Winchester
% The fully-qualified domain name in the certificate will be: ebvpn.fir3net.com
% Include the device serial number in the subject name? [yes/no]: no

Display Certificate Request to terminal? [yes/no]: yes

Certificate Request follows:
[base64-encoded CSR body omitted]
---End - This line not part of the certificate request---

Redisplay enrollment request? [yes/no]: no
ciscoasa(config)#
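Before the request is pasted into the CA, it is worth checking what the ASA actually put in it. The ASA prints the request as bare base64 between "Certificate Request follows:" and the "---End" marker, without the usual BEGIN/END lines, so the script below (an added example, not part of the article or of Cisco's documentation) wraps a saved terminal capture into a PEM file and uses openssl to confirm that the subject CN is the hostname clients will connect to and that the RSA modulus meets a minimum size. It assumes openssl is on PATH; the function names, file names and the make_capture helper, which builds a sample capture with a throwaway openssl-generated key, are constructed for the example. The 2048-bit floor reflects the minimum public CAs have accepted for several years; a 1024-bit request like the one on this page fails the check.

```shell
#!/bin/sh
# Added example (not from the fir3net article): turn the raw base64 the ASA
# prints into a PEM file and sanity-check it with openssl before submission.
# Assumes: openssl on PATH; the terminal layout shown in the article.

# extract_csr <capture_file> <out.pem>
# Pulls the base64 body out of a saved terminal capture and writes a PEM file.
# BEGIN/END lines are stripped (if present) and re-added so the result is uniform.
# Returns openssl's status for parsing and verifying the request's self-signature.
extract_csr() {
    capture="$1"; out="$2"
    {
        echo '-----BEGIN CERTIFICATE REQUEST-----'
        sed -n '/^Certificate Request follows:/,/^---End/p' "$capture" \
            | grep -v '^Certificate Request follows:' \
            | grep -v '^---End' \
            | grep -v -- '-----' \
            | tr -d ' \r' \
            | grep -v '^$'
        echo '-----END CERTIFICATE REQUEST-----'
    } > "$out"
    openssl req -in "$out" -noout -verify >/dev/null 2>&1
}

# csr_cn <csr.pem> -> prints the CN from the request's subject
# (handles both "CN = x, OU = y" and "/CN=x/OU=y" subject formats)
csr_cn() {
    openssl req -in "$1" -noout -subject | sed -n 's|.*CN *= *\([^,/]*\).*|\1|p'
}

# csr_key_bits <csr.pem> -> prints the RSA modulus size in bits
csr_key_bits() {
    openssl req -in "$1" -noout -text | sed -n 's|.*Public-Key: (\([0-9]*\) bit).*|\1|p' | head -n 1
}

# check_csr <csr.pem> <expected_cn> [min_bits]
# Returns 0 when the CN matches and the key has at least min_bits (default 2048).
check_csr() {
    csr="$1"; want_cn="$2"; min_bits="${3:-2048}"
    cn=$(csr_cn "$csr"); bits=$(csr_key_bits "$csr")
    ok=0
    [ "$cn" = "$want_cn" ] || { echo "CN mismatch: got '$cn', want '$want_cn'"; ok=1; }
    [ "${bits:-0}" -ge "$min_bits" ] || { echo "key too small: ${bits:-0} bits (< $min_bits)"; ok=1; }
    return $ok
}

# make_capture <bits> <dir>
# Constructed sample input: generates a throwaway key/CSR with openssl and writes
# its base64 body in the same layout the ASA prints to the terminal.
make_capture() {
    bits="$1"; dir="$2"
    openssl req -new -newkey "rsa:$bits" -nodes -keyout "$dir/key.pem" \
        -subj "/CN=webvpn.fir3net.com/OU=lab/O=cisco.com/C=UK/ST=Hants/L=Winchester" \
        -out "$dir/real.csr" 2>/dev/null
    {
        echo 'ciscoasa(config)#crypto ca enroll my.thwart.trustpoint'
        echo 'Display Certificate Request to terminal? [yes/no]: yes'
        echo
        echo 'Certificate Request follows:'
        grep -v -- '-----' "$dir/real.csr"   # the ASA prints bare base64 lines
        echo '---End - This line not part of the certificate request---'
        echo
        echo 'Redisplay enrollment request? [yes/no]: no'
    } > "$dir/capture.txt"
}

# Demo (run as: sh csr_check.sh demo): a 1024-bit request like the article's
# fails the check; a 2048-bit request passes.
if [ "${1:-}" = "demo" ]; then
    for bits in 1024 2048; do
        d=$(mktemp -d)
        make_capture "$bits" "$d"
        extract_csr "$d/capture.txt" "$d/csr.pem"
        if check_csr "$d/csr.pem" webvpn.fir3net.com; then
            echo "$bits-bit CSR: OK to submit"
        else
            echo "$bits-bit CSR: do not submit"
        fi
        rm -rf "$d"
    done
fi
```

With a real capture, save the terminal session to a file and run extract_csr and check_csr against it with the hostname you expect clients to use; a CN that does not match, or a key below the floor, means going back to the trustpoint (or regenerating the key pair with a larger modulus) before the CA ever sees the request.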


Reference

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808b3cff.shtml

Tags: ASA

About the Author

R Donato

Rick Donato is the Founder and Chief Editor of Fir3net.com. He currently works as a Principal Network Security Engineer and has a keen interest in automation and the cloud.

You can find Rick on Twitter @f3lix001