Cisco ASA – How do I generate a CSR?

A Certificate Signing Request (CSR) is a base64-encoded (PEM) string generated from the user's public key together with a number of attributes supplied by the user, such as the DN, email address and postal address. The CSR is sent to the CA, which uses it to create a public certificate; the CA signs that certificate and returns it to the user. The benefit of using a CSR is that the private key never leaves the client.

Below we provide the steps needed to generate a CSR on a Cisco ASA.

Generate Key Pair

First of all we create a key pair (a private and a public key).

ciscoasa#conf t
ciscoasa(config)#crypto key generate rsa label fir3net.key modulus 1024

INFO: The name for the keys will be: fir3net.key
Keypair generation process begin. Please wait…

Create Trustpoint

Next, a trustpoint is created. Within the trustpoint, the previously created key pair is assigned and the certificate's DN is defined.

ciscoasa(config)#crypto ca trustpoint my.thwart.trustpoint
ciscoasa(config-ca-trustpoint)#subject-name CN=webvpn.www.fir3net.com,OU=lab,O=cisco.com,C=UK,St=Hants,L=Winchester
ciscoasa(config-ca-trustpoint)#keypair fir3net.key
ciscoasa(config-ca-trustpoint)#fqdn webvpn.cisco.com
ciscoasa(config-ca-trustpoint)#enrollment terminal
ciscoasa(config-ca-trustpoint)#exit

Generate CSR

Finally we generate the actual CSR. This produces a base64-encoded PEM string, which is then sent to the CA and used to generate the public certificate.

ciscoasa(config)#crypto ca enroll my.thwart.trustpoint

% Start certificate enrollment ..
% The subject name in the certificate will be: CN=webvpn.www.fir3net.com,OU=lab,O=cisco.com,C=UK,St=Hants,L=Winchester
% The fully-qualified domain name in the certificate will be: ebvpn.www.fir3net.com
% Include the device serial number in the subject name? [yes/no]: no

Display Certificate Request to terminal? [yes/no]: yes

Certificate Request follows:
---End - This line not part of the certificate request---

Redisplay enrollment request? [yes/no]: no
ciscoasa(config)#
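Before the request goes to the CA it is worth checking what the ASA actually put in it. The following script is an added example, not part of the original post or of any Cisco tooling; it assumes OpenSSL is installed and that the PEM block displayed by crypto ca enroll (between the BEGIN and END lines, not the trailer line) has been pasted into a file. It verifies the request's self-signature, the RSA modulus size, and that the dNSName added by the fqdn command is present in the SAN.

```shell
#!/bin/sh
# check_csr: pre-submission sanity check for a CSR pasted out of the ASA terminal.
# Hypothetical helper (not from the original post). Usage:
#   check_csr <csr.pem> <expected-fqdn> [min-rsa-bits, default 2048]
# Returns 0 when all checks pass, 1 otherwise.
check_csr() {
    csr=$1; fqdn=$2; min_bits=${3:-2048}

    # 1. A CSR is self-signed with the device's private key. A valid signature shows the
    #    request was not altered between the ASA terminal and the CA operator.
    openssl req -noout -verify -in "$csr" >/dev/null 2>&1 \
        || { echo "FAIL: CSR self-signature does not verify"; return 1; }

    text=$(openssl req -noout -text -in "$csr")

    # 2. Key size. The 1024-bit modulus used in the post is below what public CAs and
    #    browsers accept today, so refuse anything under min_bits.
    bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n1)
    if [ -z "$bits" ] || [ "$bits" -lt "$min_bits" ]; then
        echo "FAIL: RSA key is ${bits:-unknown} bits (minimum $min_bits)"; return 1
    fi

    # 3. The 'fqdn' command inserts a dNSName SAN; clients match the SAN, not the CN.
    #    Escape the dots so the grep is an exact hostname match, not a regex wildcard.
    esc=$(printf '%s' "$fqdn" | sed 's/\./\\./g')
    printf '%s\n' "$text" | grep -qE "DNS:$esc(,|$)" \
        || { echo "FAIL: subjectAltName does not contain DNS:$fqdn"; return 1; }

    # 4. Show the subject DN exactly as the CA will see it.
    printf '%s\n' "$text" | sed -n 's/^ *Subject: *//p'
    echo "OK: ${bits}-bit RSA key, SAN DNS:$fqdn present, self-signature verified"
    return 0
}
```

Run it as `check_csr asa.csr webvpn.www.fir3net.com`; a non-zero exit means the request should be regenerated rather than submitted.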

Rick Donato
