Showing results for 
Search instead for 
Did you mean: 

3rd Party SSL cert on asa



Has anyone put a 3rd party (e.g. Verisign) SSL cert on an ASA for WebVPN? I am having trouble finding documentation describing how i generate the certificate request and specify the info like compnay name, city etc... for the request. Please could someone point me in the correct direction?





I think the following link will help you in sending a SSL certificate request.


You problaby already did this, but I'll post it in case anyone else need this info.

RSA-keys are probably already generated (also needed for ssh-access), but if you ever need to reissue the cert, regenerate the rsa keys, otherwise the CSR will be exactly the same and not accepted by the 3rd party CA:

crypto key generate rsa

Then define the trustpoint:

crypto ca trustpoint Verisign

crl optional

enrollment terminal


Import root CA cert (make sure you have the correct one, preferably without intermediate CA (RA)):

crypto ca authenticate Verisign

---BEGIN--- or ---END--- lines do not matter>


INFO: Certificate has the following attributes:

Fingerprint: 069f6979 16669002 1b8c8ca2 c3076f3a

Do you accept this certificate? [yes/no]: yes

Trustpoint CA certificate accepted.

Generate the CSR:

crypto ca enroll Verisign

% Start certificate enrollment ..

% The subject name in the certificate will be: xxxx

% The fully-qualified domain name in the certificate will be:

% Include the device serial number in the subject name? [yes/no]: no

Display Certificate Request to terminal? [yes/no]: yes

Certificate Request follows:



---End - This line not part of the certificate request---

Redisplay enrollment request? [yes/no]: no

Notice this is generate without ---BEGIN--- and ---END--- lines which you do need to add when submitting the form to the 3rd party CA.

After succesful verification by the CA you'll be returned a certificate which you can import with or without the ---BEGIN--- and ---END---- lines, so you might as well just copy the complete text:

crypto ca import Verisign certificate

% The fully-qualified domain name in the certificate will be:

Enter the base 64 encoded certificate.

End with the word "quit" on a line by itself







INFO: Certificate successfully imported

Make sure you activitate the trustpoint either as for use on all interfaces or on a specific interface using:

ssl trust-point [interface]


I can see you said "Import root CA cert (make sure you have the correct one, preferably without intermediate CA (RA)): ". What does this mean?

For example I want to apply for a certificate from Verisign, so which CA cert should I import? Where can I get that?

I tried to export a Root class3 from IE, and download one from verisign website, they all do not work.

Thank you.


You should be able to download the certs from Verisign, if you're not sure which one to pick just ask Verisign.

Thank you, R.Vdoever. it works now on my case.


Hi Ed, I'm installing now also WebVPN with a certificate from Thawte. Can you please send me a config example how you did that?

Thanks and regars


Hi, Lukas,

I think the point is the CA certificate. You'd better to ask Thawte about which one is used for your certificate Thawte gave you.

Other steps are easy:

generate key pair -> add a trustpoint -> configure your trustpoint including editing your informatioin -> enroll your trustpoint -> then email your certificate request to Thawte to get your certificate -> get your certificate and then import it into ASA -> [authenticate your trustpoint using CA certificate as I told you above], actually this step can be done before the enrollment, I think -> Finanlly you will see your trustpoint has two "subject", also your ASA will have two certificate in "certificate mgmt", one is for your ASA, the other is for your CA(Thawte).

Oh, do not forget to configure ASA outside interface to use this trustpoint under "ssl".

Wish this can help you.


Please look back in this thread, I described the procedure in an earlier message


Please look at my earlier message in this thread.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: