Do I need a root certificate to generate a CSR?

faghouri83
Level 1

Hi all

I'm migrating a config over to a new firewall. I noticed the CA certificate expires in 2022. However, when I go into the identity certificates section on the ASDM, the certificate has expired.

My question is, to get a new certificate, do I need a root certificate to generate a CSR file? Or do I just generate a CSR file and then send this to someone like VeriSign or GoDaddy? Would I need the VeriSign/GoDaddy root certificate to generate the CSR file properly?

Thanks

8 Replies

Dennis Mink
VIP Alumni

It depends. If you use your certs only internally you could decide to use local certs. If your FW has any public functions and needs SSL across the internet, then yes, create a CSR and have it signed by the likes of RapidSSL.

Please remember to rate useful posts, by clicking on the stars below.

GioGonza
Level 4

Hello @faghouri83

The answer to your question is NO. You need to generate the CSR on the ASA, and for that you don't need the root certificate. Basically it doesn't matter if you are doing a local CA on a Windows machine or you are going to send the CSR to a third-party vendor (GoDaddy, VeriSign, etc.); you don't need the root cert to generate the CSR.

The root will come within the certificate chain once you have the CSR signed.

 

HTH

Gio

Thanks

My colleague was telling me that I need an intermediary and primary cert to generate the CSR. He is going off the guides below:

https://chrisquast.wordpress.com/2014/01/13/cisco-asa-godaddy-ssl-certificate/

and

https://www.digicert.com/ssl-certificate-installation-cisco-asa-5500.htm

Yes, sort of. :)

Actually you can follow this guideline to perform the generation of the CSR and the installation afterwards: https://www.cisco.com/c/en/us/support/docs/security-vpn/public-key-infrastructure-pki/200339-Configure-ASA-SSL-Digital-Certificate-I.html

 

HTH

Gio

It's a best practice to include any intermediate certificate(s) with your ASA installation so that your clients are presented with a full certificate chain when using the SSL VPN (or other things that use the device's certificate, like ASDM). Almost all clients won't need the root since they should already trust well-known root certificates, but including it won't hurt anything (and will account for the small percentage that might not already trust it). The guides you linked are telling you to use them for that reason.

That's totally separate from what you need to create a Certificate Signing Request (CSR). All a CSR needs is an existing private key with which to sign the request. That applies no matter what Certificate Authority (CA) is used.

Thank you all for replying. You guys are awesome!

Guys, I'm about to generate a CSR and I have a quick question.

In the certificate subject DN box I enter the CN as the FULL public URL that is used to get to the firewall for VPN purposes.

However, there is a button below on the right-hand side which says Advanced. If I click on that it then displays an FQDN. However, this FQDN starts with the hostname of the firewall and then the domain. Should this FQDN be changed to the full public URL, or should I just leave this?

Thanks

You can leave it alone. It is optionally used when you desire a Subject Alternative Name (SAN).

For instance, VPN users may use the FQDN vpn.mycompany.com while ASDM users may use hq-fw-1.mycompany.com to access the same device. Having a SAN allows you to use one certificate for both.

Whether or not the certificate is issued with a SAN depends on the issuer's template used. With public CAs they may charge a bit more to issue with a SAN, although some offer it at no charge.
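Editor's added example (not code from this thread, Cisco, or any of the linked guides) covering the two technical points above: that a CSR is signed only with the device's own private key and needs no root or intermediate certificate, and that a SAN lets one certificate serve both vpn.mycompany.com and hq-fw-1.mycompany.com. Go's standard crypto/x509 stands in for the ASA (building the CSR) and for a public CA (a toy root and intermediate, names assumed); the Organization "Example Corp" is also an assumption. The last part models a client that trusts only the root, showing why the intermediate has to be installed on the firewall alongside the identity certificate.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Result collects what Demo observes at each step.
type Result struct {
	CSRSigValid                             bool
	CN                                      string
	SANs                                    []string
	FullChain, LeafOnly, AltName, WrongName bool
}

// newKey generates a key pair in software; an ASA does the same on the box.
// This private key is the only thing the CSR needs.
func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// BuildCSR returns a DER CSR: public VPN name as CN, every client-facing name in
// the SAN. No CA certificate is involved; the request is signed with the device key.
func BuildCSR(key *ecdsa.PrivateKey, cn string, sans []string) []byte {
	tmpl := &x509.CertificateRequest{
		Subject:  pkix.Name{CommonName: cn, Organization: []string{"Example Corp"}}, // assumed org
		DNSNames: sans,
	}
	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	if err != nil {
		panic(err)
	}
	return der
}

// caTemplate is a minimal CA certificate template for the toy root/intermediate.
func caTemplate(cn string, serial int64) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
}

// issue signs tmpl for public key pub using the parent's private key.
func issue(tmpl, parent *x509.Certificate, pub crypto.PublicKey, parentKey *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

// ClientVerifies models an AnyConnect or browser client that trusts only the root
// and must build the chain from whatever certificates the device actually sent.
func ClientVerifies(leaf, root *x509.Certificate, sent []*x509.Certificate, host string) bool {
	roots, inter := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	for _, c := range sent {
		inter.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter, DNSName: host})
	return err == nil
}

// Demo: the device makes a CSR, a toy root->intermediate CA signs it, and a client
// checks the result with and without the intermediate installed on the device.
func Demo() Result {
	var r Result
	csr := BuildCSR(newKey(), "vpn.mycompany.com", []string{"vpn.mycompany.com", "hq-fw-1.mycompany.com"})

	// What the CA does first on receipt: parse the CSR and check its self-signature.
	req, err := x509.ParseCertificateRequest(csr)
	if err != nil {
		panic(err)
	}
	r.CSRSigValid = req.CheckSignature() == nil
	r.CN, r.SANs = req.Subject.CommonName, req.DNSNames

	rootKey, interKey := newKey(), newKey()
	rootT := caTemplate("Toy Root CA", 1)
	root := issue(rootT, rootT, &rootKey.PublicKey, rootKey) // self-signed
	inter := issue(caTemplate("Toy Intermediate CA", 2), root, &interKey.PublicKey, rootKey)
	leaf := issue(&x509.Certificate{ // identity certificate built from the CSR contents
		SerialNumber: big.NewInt(3), Subject: req.Subject, DNSNames: req.DNSNames,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, inter, req.PublicKey, interKey)

	r.FullChain = ClientVerifies(leaf, root, []*x509.Certificate{inter}, "vpn.mycompany.com")
	r.LeafOnly = ClientVerifies(leaf, root, nil, "vpn.mycompany.com")
	r.AltName = ClientVerifies(leaf, root, []*x509.Certificate{inter}, "hq-fw-1.mycompany.com")
	r.WrongName = ClientVerifies(leaf, root, []*x509.Certificate{inter}, "asa.example.net")
	return r
}

func main() {
	fmt.Printf("%+v\n", Demo())
}
```

Running it prints CSRSigValid:true with both names from the SAN, FullChain:true and AltName:true (the intermediate was sent, both SAN names validate), LeafOnly:false (the client cannot reach the root without the intermediate, which is exactly the failure a missing intermediate on the ASA produces) and WrongName:false (a hostname not in the SAN is rejected regardless of the chain).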
