How to configure your ASA as a CA Server

Within this tutorial we will show you the nessecary steps in configuring your ASA as a CA server.


First of all we set the time and date. 

asa-skyn3t(config)# show clock
08:05:40.249 UTC Sun Sep 30 2012

Enable CA

Next we enable the ASA as a CA server. 

asa-skyn3t(config)# crypto ca server
asa-skyn3t(config-ca-server)# subject-name-default cn=skyn3tca, o=skyn3t, c=UK
asa-skyn3t(config-ca-server)# no shutdown

% Some server settings cannot be changed after CA certificate generation.
% Please enter a passphrase to protect the private key
% or press return to exit
Passphrase: **********

Re-enter passphrase: **********

Keypair generation process begin. Please wait...

Completed generation of the certificate and keypair...

Archiving certificate and keypair to storage... Complete
Certificate Server enabled.


 If at any point you need to clear the CA server configuration from your ASA, the following commands are used.

asa-skyn3t(config)# clear configure crypto ca server
INFO: Local CA Server has been removed. 

Enable Web Access

Next we enable webaccess. 

asa-skyn3t(config)#  webvpn
asa-skyn3t(config-webvpn)# enable inside
INFO: WebVPN and DTLS are enabled on 'inside'. 

Create User Certificate

We then create a certificate for 'user1'. This then provides us with the One Time Password that we can use shortly to download the certificate.  

asa-skyn3t(config)# crypto ca server user-db add user1
asa-skyn3t(config)# crypto ca server user-db allow user1 display-otp

Username: user1
OTP: 609A014A394E4F98
Enrollment Allowed Until: 08:07:25 UTC Wed Oct 3 2012

Download Certificate

Next, download the certificate via a browser by going to https://<ASA IP/HOSTNAME>/+CSCOCA+/login.html and using the previously supplied One Time Password. 

Show CA User Database

To confirm that the user enrollment details the following show command is used, 

asa-skyn3t#  sh crypto ca server user-db
username: user1
email:    <None>
dn:       <None>
allowed:  08:07:25 UTC Wed Oct 3 2012
notified: 1 times
enrollment status: Enrolled, Certificate valid until 08:10:13 UTC Mon Sep 30 2013,
Renewal: Allowed

Install / Test Certificate 

As you will appreciate there are a number of VPN methods and ways that you can use the previously created user certificate.

A quick way to test your certificate is to try and connect using WebVPN.

Here are the steps:

  1. Import the downloaded certificate into your web browsers certificate store.
  2. Change the ASA default WebVPN group to certificate based authentication.  

asa-skyn3t(config)# tunnel-group DefaultWEBVPNGroup webvpn-attributes
asa-skyn3t(config-tunnel-webvpn)# authentication certificate
asa-skyn3t(config-tunnel-webvpn)# exit

  3. Connect to WebVPN via https://<ASA> IP/HOSTNAME>
  4. Your browser will then ask you to choose a digital certificate to authenticate with. 

Tags: ASA

About the Author


R Donato

Rick Donato is the Founder and Chief Editor of He currently works as an SDN/NFV Solutions Architect and has a keen interest in automation and the cloud.

You can find Rick on Twitter @f3lix001