https://community.cisco.com/t5/network-security/do-i-need-a-root-certificate-to-generate-a-csr/m-p/3313810#M1064621 <P>You can leave it alone. It is optionally used when you desire a Subject Alternative Name (SAN).</P> <P>&nbsp;</P> <P>For instance, VPN users may use the FQDN vpn.mycompany.com while ASDM users may use hq-fw-1.mycompany.com to access the same device. Having a SAN allows you to use one certificate for both.</P> <P>&nbsp;</P> <P>Whether or not the certificate is issued with a SAN depends on the issuer's template used. With public CAs they may charge a bit more to issue with a SAN although some offer it at no charge.</P> Thu, 18 Jan 2018 15:21:40 GMT Marvin Rhoads 2018-01-18T15:21:40Z https://community.cisco.com/t5/network-security/do-i-need-a-root-certificate-to-generate-a-csr/m-p/3312718#M1064613 <P>Hi all</P> <P>&nbsp;</P> <P>I'm migrating a config over to a new firewall. I noticed the the ca certificate expires in 2022. However when i go into the identity certificates section on the asdm, the certificate has expired.&nbsp;</P> <P>&nbsp;</P> <P>My question is, to get a new certificate, do i need a root certificate to generate a CSR file? or do i just generate a CSR file and then send this to the someone like verisign or godaddy? Would i need the verisign/godaddy root certificate to generate the CSR file properly?&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>Thanks</P> <P>&nbsp;</P> Fri, 21 Feb 2020 15:09:23 GMT https://community.cisco.com/t5/network-security/do-i-need-a-root-certificate-to-generate-a-csr/m-p/3312718#M1064613 faghouri83 2020-02-21T15:09:23Z https://community.cisco.com/t5/network-security/do-i-need-a-root-certificate-to-generate-a-csr/m-p/3312733#M1064614 <P>It depends, if you use your certs only internally you could decide to use local certs. If you FW has any public functions and needs SSL across the internet then yes, create a CSR and have it signed by the likes of rapid SSL.</P> Wed, 17 Jan 2018 11:14:46 GMT https://community.cisco.com/t5/network-security/do-i-need-a-root-certificate-to-generate-a-csr/m-p/3312733#M1064614 Dennis Mink 2018-01-17T11:14:46Z https://community.cisco.com/t5/network-security/do-i-need-a-root-certificate-to-generate-a-csr/m-p/3312815#M1064615 <P>Hello&nbsp;<a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/295073">@faghouri83</a>,&nbsp;</P> <P>&nbsp;</P> <P>The answer to your question is NO, you need to generate the CSR on the ASA and for that you don´t need the Root certificate, basically it doesn´t matter if you are doing Local CA on a Windows machine or you are going to send the CSR to a third party vendor (GoDaddy, Verisign, etc), you don´t need the Root cert to generate the CSR.&nbsp;</P> <P>&nbsp;</P> <P>The root will come within the certificate chain once you have the CSR signed.&nbsp;</P> <P>&nbsp;</P> <P>HTH</P> <P>Gio</P> Wed, 17 Jan 2018 13:25:39 GMT https://community.cisco.com/t5/network-security/do-i-need-a-root-certificate-to-generate-a-csr/m-p/3312815#M1064615 GioGonza 2018-01-17T13:25:39Z https://community.cisco.com/t5/network-security/do-i-need-a-root-certificate-to-generate-a-csr/m-p/3312822#M1064616 <P>Thanks</P> <P>&nbsp;</P> <P>My colleague was telling me that i need an intermediary and primary cert to generate the CSR. He is going off the guides below:&nbsp;</P> <P>&nbsp;</P> <P><A href="https://chrisquast.wordpress.com/2014/01/13/cisco-asa-godaddy-ssl-certificate/" target="_blank">https://chrisquast.wordpress.com/2014/01/13/cisco-asa-godaddy-ssl-certificate/</A></P> <P>&nbsp;</P> <P>and&nbsp;</P> <P>&nbsp;</P> <P><A href="https://www.digicert.com/ssl-certificate-installation-cisco-asa-5500.htm" target="_blank">https://www.digicert.com/ssl-certificate-installation-cisco-asa-5500.htm</A></P> Wed, 17 Jan 2018 13:32:58 GMT https://community.cisco.com/t5/network-security/do-i-need-a-root-certificate-to-generate-a-csr/m-p/3312822#M1064616 faghouri83 2018-01-17T13:32:58Z https://community.cisco.com/t5/network-security/do-i-need-a-root-certificate-to-generate-a-csr/m-p/3312851#M1064617 <P>Yes sort of. <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> <P>&nbsp;</P> <P>Actually you can follow this guideline to perform the generation of the CSR and the installation after:&nbsp;<A href="https://www.cisco.com/c/en/us/support/docs/security-vpn/public-key-infrastructure-pki/200339-Configure-ASA-SSL-Digital-Certificate-I.html" target="_blank">https://www.cisco.com/c/en/us/support/docs/security-vpn/public-key-infrastructure-pki/200339-Configure-ASA-SSL-Digital-Certificate-I.html</A></P> <P>&nbsp;</P> <P>HTH</P> <P>Gio</P> Wed, 17 Jan 2018 13:58:29 GMT https://community.cisco.com/t5/network-security/do-i-need-a-root-certificate-to-generate-a-csr/m-p/3312851#M1064617 GioGonza 2018-01-17T13:58:29Z https://community.cisco.com/t5/network-security/do-i-need-a-root-certificate-to-generate-a-csr/m-p/3312864#M1064618 <P>It's a best practice to include any intermediate certificate(s) with your ASA installation so that your clients are presented with a full certificate chain when using the SSL VPN (or other things that use the device's certificate like ASDM). Almost all clients won't need the root since they should already trust well-known root certificates but including it won't hurt anything (and will account for the small percentage that might not already trust it). The guides you linked are telling you to use them for that reason.</P> <P>&nbsp;</P> <P>That's totally separate from what you need to create a Certificate Signing Request (CSR). All a CSR needs is an existing private key with which to sign the request. That applies no matter what Certificate Authority (CA) is used.</P> Wed, 17 Jan 2018 14:06:11 GMT https://community.cisco.com/t5/network-security/do-i-need-a-root-certificate-to-generate-a-csr/m-p/3312864#M1064618 Marvin Rhoads 2018-01-17T14:06:11Z https://community.cisco.com/t5/network-security/do-i-need-a-root-certificate-to-generate-a-csr/m-p/3313060#M1064619 <P>Thank you all for replying. You guys are awesome!</P> Wed, 17 Jan 2018 17:23:51 GMT https://community.cisco.com/t5/network-security/do-i-need-a-root-certificate-to-generate-a-csr/m-p/3313060#M1064619 faghouri83 2018-01-17T17:23:51Z https://community.cisco.com/t5/network-security/do-i-need-a-root-certificate-to-generate-a-csr/m-p/3313647#M1064620 <P>Guys im about to generate a CSR and i have a quick question.</P> <P>&nbsp;</P> <P>in the certificate subject DN box i enter the CN as the FULL public &nbsp;URL that is used to get to the firewall for vpn purposes.</P> <P>&nbsp;</P> <P>However there us a button below on the right hand side which says advaned. If i click on that it then displays an FQDN. However this fqdn starts with the hostname of the firewall and then the domain. Should this fqdn be changed to the full public URL or should I just leave this?</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>Thanks</P> <P>&nbsp;</P> <P>&nbsp;</P> Thu, 18 Jan 2018 12:53:02 GMT https://community.cisco.com/t5/network-security/do-i-need-a-root-certificate-to-generate-a-csr/m-p/3313647#M1064620 faghouri83 2018-01-18T12:53:02Z https://community.cisco.com/t5/network-security/do-i-need-a-root-certificate-to-generate-a-csr/m-p/3313810#M1064621 <P>You can leave it alone. It is optionally used when you desire a Subject Alternative Name (SAN).</P> <P>&nbsp;</P> <P>For instance, VPN users may use the FQDN vpn.mycompany.com while ASDM users may use hq-fw-1.mycompany.com to access the same device. Having a SAN allows you to use one certificate for both.</P> <P>&nbsp;</P> <P>Whether or not the certificate is issued with a SAN depends on the issuer's template used. With public CAs they may charge a bit more to issue with a SAN although some offer it at no charge.</P> Thu, 18 Jan 2018 15:21:40 GMT https://community.cisco.com/t5/network-security/do-i-need-a-root-certificate-to-generate-a-csr/m-p/3313810#M1064621 Marvin Rhoads 2018-01-18T15:21:40Z