09-07-2023 09:41 AM
I created a CSR with ASDM and obtained the results, and am now trying to use OpenSSL to create a CSR with a private key. I followed the instructions in the Cisco document "Configure ASA: SSL Digital Certificate Installation and Renewal - Cisco". I am still having an issue with creating the private key for the addition of the certificate.
09-15-2023 03:36 AM - edited 09-15-2023 03:38 AM
I am not entirely sure what your issue is with creating the private key so please give more details on this. But I will share the steps that I use when doing this and hope it helps you.
Step 1: create configuration file with required SANs
admin@MacBook-Pro % cat san.cnf
[ req ]
default_bits = 4096
distinguished_name = req_distinguished_name
req_extensions = req_ext
[ req_distinguished_name ]
countryName = US
localityName = Florida
organizationName = Example LLC
commonName = vpn.example.us
[ req_ext ]
subjectAltName = @alt_names
[alt_names]
DNS.1 = vpn.example.us
DNS.2 = vpn.example.us
Step 2: generate CSR
admin@MacBook-Pro % openssl req -out vpn.example.us_csr.csr -newkey rsa:4096 -nodes -keyout private.key -config san.cnf
Generating a 4096 bit RSA private key
.................................................................................................................................++++
.................................................................................................................++++
writing new private key to 'private.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
NO []:US
Oslo []:Florida
Example AS []:Example LLC
vpn.example.no []:vpn.example.us
Step 3: Sign CSR or Send CSR to someone who can get it signed
Step 4: Retrieve / Receive signed certificate
Step 5: Combine the public and private key into a PKCS12 file
admin@MacBook-Pro % openssl pkcs12 -export -out keyStore.p12 -inkey private.key -in cert.pem -certfile ca_cert.crt
Step 6: Import public and private certificate to network device
09-15-2023 04:20 AM
09-16-2023 05:30 AM
You are trying to combine the CSR with the private key, which will not work. Do you not have the signed certificate?
09-26-2023 05:29 AM
Marius,
Yes, I was trying to combine. But I found out the CSR was corrupted and did not meet the requirements. I had to get a new CSR from the ASA; this time I used SSLSHOPPER to confirm the cert hash information.
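A pre-flight check for Step 5 and for the mismatch resolved at the end of the thread, added here as an example and not part of any poster's reply: it compares the public key inside the private key, the CSR and the signed certificate locally with OpenSSL, and rejects a CSR passed where the certificate belongs. The function names (pubkey_hash, check_bundle, make_demo) and the file name vpn.csr are assumptions; private.key and cert.pem follow the steps above.

```shell
#!/bin/sh
# Added example: before "openssl pkcs12 -export", confirm that the private key,
# the CSR and the signed certificate all carry the same public key.
# Assumes an unencrypted key (as produced by -nodes) and PEM files.

# SHA-256 of the DER public key inside a key, CSR or certificate.
pubkey_hash() {  # usage: pubkey_hash key|csr|cert FILE
  case "$1" in
    key)  pem=$(openssl pkey -in "$2" -pubout 2>/dev/null) ;;
    csr)  pem=$(openssl req  -in "$2" -noout -pubkey 2>/dev/null) ;;
    cert) pem=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) ;;
    *)    return 2 ;;
  esac || return 1
  printf '%s\n' "$pem" | openssl pkey -pubin -outform DER 2>/dev/null |
    openssl dgst -sha256 -r | awk '{print $1}'
}

# Succeeds only if CERT parses as a certificate (a CSR passed in its place is
# rejected) and all three files share one public key.
check_bundle() {  # usage: check_bundle KEY CSR CERT
  k=$(pubkey_hash key "$1")  || { echo "cannot read private key: $1"; return 1; }
  r=$(pubkey_hash csr "$2")  || { echo "not a valid CSR: $2"; return 1; }
  c=$(pubkey_hash cert "$3") || { echo "not a certificate (is it the CSR?): $3"; return 1; }
  [ "$k" = "$r" ] || { echo "CSR was not generated from this key"; return 1; }
  [ "$k" = "$c" ] || { echo "certificate does not match this key"; return 1; }
  echo "match: $k"
}

# Constructed throwaway key, CSR and self-signed certificate for a dry run.
make_demo() {  # usage: make_demo DIR
  openssl req -newkey rsa:2048 -nodes -keyout "$1/private.key" \
    -out "$1/vpn.csr" -subj "/CN=vpn.example.us" 2>/dev/null &&
  openssl x509 -req -in "$1/vpn.csr" -signkey "$1/private.key" \
    -days 1 -out "$1/cert.pem" 2>/dev/null
}

# Real use: sh check.sh private.key vpn.example.us_csr.csr cert.pem
if [ "$#" -eq 3 ]; then check_bundle "$@"; fi
```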