3rd Party SSL cert on asa

pcresswell
Level 1

Hi,

Has anyone put a 3rd party (e.g. Verisign) SSL cert on an ASA for WebVPN? I am having trouble finding documentation describing how i generate the certificate request and specify the info like compnay name, city etc... for the request. Please could someone point me in the correct direction?

Thanks,

Peter

9 Replies

r-simpson
Level 3

I think the following link will help you in sending a SSL certificate request.

http://www.cisco.com/en/US/products/sw/netmgtsw/ps533/products_user_guide_chapter09186a008019e1ec.html#1006850

r.vdoever
Level 1

You probably already did this, but I'll post it in case anyone else needs this info.

RSA keys are probably already generated (also needed for SSH access), but if you ever need to reissue the cert, regenerate the RSA keys, otherwise the CSR will be exactly the same and not accepted by the 3rd party CA:

crypto key generate rsa

Then define the trustpoint:

crypto ca trustpoint Verisign

crl optional

enrollment terminal

subject-name CN=host.domain.com,OU=Unit,O=Organisation,C=NL,St=xxx,L=xxx,EA=postmaster@domain.com

Import root CA cert (make sure you have the correct one, preferably without intermediate CA (RA)):

crypto ca authenticate Verisign

<paste the base64 CA certificate here; ---BEGIN--- or ---END--- lines do not matter>

quit

INFO: Certificate has the following attributes:

Fingerprint: 069f6979 16669002 1b8c8ca2 c3076f3a

Do you accept this certificate? [yes/no]: yes

Trustpoint CA certificate accepted.

Generate the CSR:

crypto ca enroll Verisign

% Start certificate enrollment ..

% The subject name in the certificate will be: xxxx

% The fully-qualified domain name in the certificate will be: hostname.domain.com

% Include the device serial number in the subject name? [yes/no]: no

Display Certificate Request to terminal? [yes/no]: yes

Certificate Request follows:

MIICNjCCAZ8CAQAwgbwxJTAjBgkqhkiG9w0BCQEWFnNlcnZpY2VkZXNrQGR5bm9t

aWMubmwxEjAQBgNVBAcTCUJpbHRob3ZlbjEQMA4GA1UECBMHVXRyZWNodDELMAkG

---End - This line not part of the certificate request---

Redisplay enrollment request? [yes/no]: no

Notice this is generated without ---BEGIN--- and ---END--- lines, which you do need to add when submitting the form to the 3rd party CA.

After successful verification by the CA you'll be returned a certificate, which you can import with or without the ---BEGIN--- and ---END--- lines, so you might as well just copy the complete text:

crypto ca import Verisign certificate

% The fully-qualified domain name in the certificate will be: xxx.domain.com

Enter the base 64 encoded certificate.

End with the word "quit" on a line by itself

-----BEGIN CERTIFICATE-----

MIIDcTCCAtqgAwIBAgIQIHOwJ7acK6Fmibyhf67HlDANBgkqhkiG9w0BAQUFADC

MXN/DqZw504SdlIkm3K4Dt7kSa5NILlncBiPhJJPJRjcOk6wRB6vuGG85uz6twR

nq4BqbMitzpgxvK12hgS9ZDy62kC

-----END CERTIFICATE-----

quit

INFO: Certificate successfully imported

Make sure you activate the trustpoint, either for use on all interfaces or on a specific interface, using:

ssl trust-point thawte.com [interface]

Hi,

I can see you said "Import root CA cert (make sure you have the correct one, preferably without intermediate CA (RA)): ". What does this mean?

For example I want to apply for a certificate from Verisign, so which CA cert should I import? Where can I get that?

I tried to export a Root class3 from IE, and downloaded one from the Verisign website, but none of them works.

Thank you.

Ed

You should be able to download the certs from Verisign; if you're not sure which one to pick, just ask Verisign.

Thank you, R.Vdoever. It works now in my case.

Ed

Hi Ed, I'm installing now also WebVPN with a certificate from Thawte. Can you please send me a config example how you did that?

Thanks and regards

Lukas

Hi, Lukas,

I think the point is the CA certificate. You'd better ask Thawte which one is used for the certificate Thawte gave you.

Other steps are easy:

1. Generate the key pair.
2. Add a trustpoint.
3. Configure your trustpoint, including editing your information.
4. Enroll your trustpoint.
5. Email your certificate request to Thawte to get your certificate.
6. Get your certificate and then import it into the ASA.
7. Authenticate your trustpoint using the CA certificate, as I told you above. Actually this step can be done before the enrollment, I think.
8. Finally you will see your trustpoint has two "subjects"; also your ASA will have two certificates in "certificate mgmt", one for your ASA, the other for your CA (Thawte).

Oh, do not forget to configure ASA outside interface to use this trustpoint under "ssl".

Wish this can help you.

Ed

Please look back in this thread; I described the procedure in an earlier message.

r.vdoever
Level 1

Please look at my earlier message in this thread.
