Accepted Solutions
An SSL certificate on an ASA firewall is most commonly used for one of two things:
- ASDM access (which uses https / ssl as its transport)
- Remote access SSL VPN using AnyConnect Essentials or Premium (aka clientless).
There are some other uses but those cover probably 90%+ of the ASAs I've seen.
In any case, if you have management access enabled on your public-facing interface or a working SSL VPN you will have a certificate. Even if you don't have a persistent one, the ASA will generate one dynamically whenever it boots up so that you can at least use ASDM to manage it.
It's not too hard to recreate a self-signed one using a 2048-bit RSA key. The important bit is to first generate a new key and specify the key length as 2048 bits. That key is used to sign a self-signed certificate. You can do it all via ASDM as shown in the screenshot below. The commands for cli are:
crypto key generate rsa label <Default-RSA-Key> modulus 2048 noconfirm
crypto ca trustpoint ASDM_TrustPoint0
revocation-check none
id-usage ssl-ipsec
no fqdn
subject-name CN=myFirewall
enrollment self
crypto ca enroll ASDM_TrustPoint0 noconfirm
You can opt to name the key and trustpoint to something more illustrative for your purposes.
(If you should happen to be using a certificate issued by a 3rd party certificate authority (CA) like entrust, GoDaddy, Verisign etc. you'd need to get a new one. That's unlikely though since most public CAs have only been offering 2048-bit SSL certificates for several years now.)
An SSL certificate on an ASA firewall is most commonly used for one of two things:
- ASDM access (which uses https / ssl as its transport)
- Remote access SSL VPN using AnyConnect Essentials or Premium (aka clientless).
There are some other uses but those cover probably 90%+ of the ASAs I've seen.
In any case, if you have management access enabled on your public-facing interface or a working SSL VPN you will have a certificate. Even if you don't have a persistent one, the ASA will generate one dynamically whenever it boots up so that you can at least use ASDM to manage it.
It's not too hard to recreate a self-signed one using a 2048-bit RSA key. The important bit is to first generate a new key and specify the key length as 2048 bits. That key is used to sign a self-signed certificate. You can do it all via ASDM as shown in the screenshot below. The commands for cli are:
crypto key generate rsa label <Default-RSA-Key> modulus 2048 noconfirm
crypto ca trustpoint ASDM_TrustPoint0
revocation-check none
id-usage ssl-ipsec
no fqdn
subject-name CN=myFirewall
enrollment self
crypto ca enroll ASDM_TrustPoint0 noconfirm
You can opt to name the key and trustpoint to something more illustrative for your purposes.
(If you should happen to be using a certificate issued by a 3rd party certificate authority (CA) like entrust, GoDaddy, Verisign etc. you'd need to get a new one. That's unlikely though since most public CAs have only been offering 2048-bit SSL certificates for several years now.)
