Certificate Signing Request - Creation of CSR
=============================================

ciscoasa(config)# crypto key generate rsa label test.com modulus 2048
INFO: The name for the keys will be: test.com
Keypair generation process begin. Please wait...
ciscoasa(config)# crypto ca trustpoint test.com
ciscoasa(config-ca-trustpoint)# subject-name CN=test.com, OU=SALES, O=ABC, C=IN, St=KA, L=BLR
ciscoasa(config-ca-trustpoint)# keypair test.com
ciscoasa(config-ca-trustpoint)# fqdn test.com
ciscoasa(config-ca-trustpoint)# enrollment terminal
ciscoasa(config-ca-trustpoint)# exit
ciscoasa(config)# crypto ca enroll test.com
WARNING: The certificate enrollment is configured with an fqdn
that differs from the system fqdn. If this certificate will be
used for VPN authentication this may cause connection problems.
Would you like to continue with this enrollment? [yes/no]: yes
% Start certificate enrollment ..
% The subject name in the certificate will be: CN=test.com, OU=SALES, O=ABC, C=IN, St=KA, L=BLR
% The fully-qualified domain name in the certificate will be: test.com
% Include the device serial number in the subject name? [yes/no]: no
Display Certificate Request to terminal? [yes/no]: yes
Certificate Request follows:
[base64 PEM certificate request omitted]
Redisplay enrollment request? [yes/no]: no
ciscoasa(config)#

#####################################################################################
PLEASE COPY THE ABOVE CERTIFICATE INFO EXACTLY AS IT IS AND PROVIDE IT TO THE CA.
1) THEY WILL THEN PROVIDE YOU WITH 3 CERTIFICATES, NAMELY ROOT, INTERMEDIATE AND SSL.
2) ROOT AND INTERMEDIATE SHOULD BE COMBINED AND ADDED ONCE.
3) THEN THE SSL CERTIFICATE IS TO BE INSTALLED.
#####################################################################################

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Steps for adding root and intermediate certificate
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

crypto ca authenticate test.com
Enter the base 64 encoded CA certificate.
End with the word "quit" on a line by itself
[two base64 PEM blocks pasted here, the intermediate and root certificates; contents omitted]
quit
(YOU HAVE TO TYPE QUIT AT THE END, AFTER ADDING BOTH THE INTERMEDIATE AND ROOT CERTIFICATES)
INFO: Certificate has the following attributes:
Fingerprint: 1bf0a720 ff896033 06213545 86d463a9
Do you accept this certificate? [yes/no]: yes
!

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Steps for adding SSL certificate
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

ciscoasa(config)# crypto ca import test.com certificate
WARNING: The certificate enrollment is configured with an fqdn
that differs from the system fqdn. If this certificate will be
used for VPN authentication this may cause connection problems.
Would you like to continue with this enrollment? [yes/no]: yes
% The fully-qualified domain name in the certificate will be: test.com
Enter the base 64 encoded certificate.
End with the word "quit" on a line by itself
[base64 PEM block of the SSL certificate pasted here; contents omitted]
quit
!

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Mapping the loaded certificate to interface
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

ssl trust-point test.com outside
!
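
The checks below are an added example, not part of the original notes: run on an admin workstation with OpenSSL before pasting anything into the ASA, they confirm that the issued SSL certificate carries the key from the CSR, that it chains to the combined root and intermediate bundle, and they print a fingerprint to compare at the accept prompt. The function names, file names and sample certificates are constructed for illustration, and the fingerprint format assumes the prompt shows an MD5 digest of the certificate.

```shell
#!/bin/sh
# Added example: workstation-side checks before pasting certificates into the ASA.
# Every key and certificate below is constructed throwaway data.

pubkey_digest() {   # $1 = req|x509, $2 = PEM file; prints SHA-256 of the public key
    key=$(openssl "$1" -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$key" ] || return 1
    printf '%s\n' "$key" | openssl sha256 | awk '{print $NF}'
}

# True only if the issued certificate carries the key pair the CSR was built from.
cert_matches_csr() {   # $1 = certificate, $2 = CSR
    c=$(pubkey_digest x509 "$1") || return 1
    r=$(pubkey_digest req "$2") || return 1
    [ "$c" = "$r" ]
}

# True only if the certificate verifies against the combined CA bundle.
chain_ok() {   # $1 = CA bundle (PEM), $2 = certificate
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# MD5 fingerprint as four 8-hex-digit groups, for comparison with the
# "Fingerprint:" line of the accept prompt (assumed to be MD5 over the cert).
grouped_md5() {   # $1 = certificate
    openssl x509 -in "$1" -noout -fingerprint -md5 | sed 's/.*=//; s/://g' |
        tr 'A-F' 'a-f' | sed 's/\(.\{8\}\)/\1 /g; s/ $//'
}

# Constructed sample set: root CA, device key + CSR, issued cert, unrelated cert.
make_samples() {
    d=$(mktemp -d) || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Constructed Root" \
        -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null || return 1
    openssl req -new -newkey rsa:2048 -nodes -subj "/C=IN/O=ABC/OU=SALES/CN=test.com" \
        -keyout "$d/dev.key" -out "$d/dev.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$d/dev.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -days 2 -out "$d/dev.pem" 2>/dev/null || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=test.com" \
        -keyout "$d/other.key" -out "$d/other.pem" 2>/dev/null || return 1
    echo "$d"
}

s=$(make_samples) || exit 1
cert_matches_csr "$s/dev.pem" "$s/dev.csr" && echo "issued cert matches CSR key"
cert_matches_csr "$s/other.pem" "$s/dev.csr" || echo "unrelated cert rejected"
chain_ok "$s/root.pem" "$s/dev.pem" && echo "chain verifies against bundle"
echo "CA fingerprint to compare: $(grouped_md5 "$s/root.pem")"
rm -rf "$s"
```

With real files, pass the CSR saved from the enrollment output, the certificate returned by the CA, and the combined root and intermediate bundle in place of the constructed samples.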