Do i need a root certificate to generate a CSR?

faghouri83 · ‎01-17-2018

Hi all

I'm migrating a config over to a new firewall. I noticed the the ca certificate expires in 2022. However when i go into the identity certificates section on the asdm, the certificate has expired.

My question is, to get a new certificate, do i need a root certificate to generate a CSR file? or do i just generate a CSR file and then send this to the someone like verisign or godaddy? Would i need the verisign/godaddy root certificate to generate the CSR file properly?

Thanks

Dennis Mink · ‎01-17-2018

It depends, if you use your certs only internally you could decide to use local certs. If you FW has any public functions and needs SSL across the internet then yes, create a CSR and have it signed by the likes of rapid SSL.

Please remember to rate useful posts, by clicking on the stars below.

GioGonza · ‎01-17-2018

Hello @faghouri83,

The answer to your question is NO, you need to generate the CSR on the ASA and for that you don´t need the Root certificate, basically it doesn´t matter if you are doing Local CA on a Windows machine or you are going to send the CSR to a third party vendor (GoDaddy, Verisign, etc), you don´t need the Root cert to generate the CSR.

The root will come within the certificate chain once you have the CSR signed.

HTH

Gio

faghouri83 · ‎01-17-2018

Thanks

My colleague was telling me that i need an intermediary and primary cert to generate the CSR. He is going off the guides below:

https://chrisquast.wordpress.com/2014/01/13/cisco-asa-godaddy-ssl-certificate/

and

https://www.digicert.com/ssl-certificate-installation-cisco-asa-5500.htm

GioGonza · ‎01-17-2018

Yes sort of. :)

Actually you can follow this guideline to perform the generation of the CSR and the installation after: https://www.cisco.com/c/en/us/support/docs/security-vpn/public-key-infrastructure-pki/200339-Configure-ASA-SSL-Digital-Certificate-I.html

HTH

Gio

Marvin Rhoads · ‎01-17-2018

It's a best practice to include any intermediate certificate(s) with your ASA installation so that your clients are presented with a full certificate chain when using the SSL VPN (or other things that use the device's certificate like ASDM). Almost all clients won't need the root since they should already trust well-known root certificates but including it won't hurt anything (and will account for the small percentage that might not already trust it). The guides you linked are telling you to use them for that reason.

That's totally separate from what you need to create a Certificate Signing Request (CSR). All a CSR needs is an existing private key with which to sign the request. That applies no matter what Certificate Authority (CA) is used.

faghouri83 · ‎01-17-2018

Thank you all for replying. You guys are awesome!

faghouri83 · ‎01-18-2018

Guys im about to generate a CSR and i have a quick question.

in the certificate subject DN box i enter the CN as the FULL public URL that is used to get to the firewall for vpn purposes.

However there us a button below on the right hand side which says advaned. If i click on that it then displays an FQDN. However this fqdn starts with the hostname of the firewall and then the domain. Should this fqdn be changed to the full public URL or should I just leave this?

Thanks

Marvin Rhoads · ‎01-18-2018

You can leave it alone. It is optionally used when you desire a Subject Alternative Name (SAN).

For instance, VPN users may use the FQDN vpn.mycompany.com while ASDM users may use hq-fw-1.mycompany.com to access the same device. Having a SAN allows you to use one certificate for both.

Whether or not the certificate is issued with a SAN depends on the issuer's template used. With public CAs they may charge a bit more to issue with a SAN although some offer it at no charge.