Creating CSR for ASA with openssl

james.king14
Level 1

I created a CSR with ASDM and obtained the results, and now I am trying to use OpenSSL to create a CSR with a private key. I followed the instructions in the Cisco document "Configure ASA: SSL Digital Certificate Installation and Renewal". I am still having an issue with creating the private key for adding the certificate.

4 Replies

I am not entirely sure what your issue is with creating the private key, so please give more details on this. But I will share the steps that I use when doing this and hope it helps you.

Step 1: create configuration file with required SANs

admin@MacBook-Pro % cat san.cnf
[ req ]
default_bits       = 4096
distinguished_name = req_distinguished_name
req_extensions     = req_ext
# Without "prompt = no" in this section, the values in req_distinguished_name
# act as the prompt labels and the DN is still typed interactively (see Step 2).

[ req_distinguished_name ]
countryName                = US
localityName               = Florida
organizationName           = Example LLC
commonName                 = vpn.example.us

[ req_ext ]
subjectAltName = @alt_names

[ alt_names ]
DNS.1   = vpn.example.us
# Further names go in as DNS.2, DNS.3, ... ; each hostname should appear once.


Step 2: generate CSR

admin@MacBook-Pro % openssl req -out vpn.example.us_csr.csr -newkey rsa:4096 -nodes -keyout private.key -config san.cnf
Generating a 4096 bit RSA private key
.................................................................................................................................++++
.................................................................................................................++++
writing new private key to 'private.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
NO []:US
Oslo []:Florida
Example AS []:Example LLC
vpn.example.no []:vpn.example.us


Step 3: Sign CSR or Send CSR to someone who can get it signed

 

Step 4: Retrieve / Receive signed certificate

 

Step 5: combine the certificate and private key into a PKCS12 file

admin@MacBook-Pro % openssl pkcs12 -export -out keyStore.p12 -inkey private.key -in cert.pem -certfile ca_cert.crt

 

Step 6: Import Public and Private certificate to network device

--
Please remember to select a correct answer and rate helpful posts

Good Morning



I agree it should not be that hard, but I am getting this error during output:

openssl pkcs12 -export -out gd_2024.pfx -inkey privkey.pem -in SSL_GD2024.csr
Enter pass phrase for privkey.pem:
Could not read any certificates from -in file from SSL_GD2024.csr

You are trying to combine the CSR with the private key, which will not work. Do you not have the signed certificate?

--
Please remember to select a correct answer and rate helpful posts
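As an added example (not code from either poster in this thread), the script below runs the six steps above end to end on one machine and adds the checks that would have caught the two problems discussed here: it prints the SANs actually encoded in the CSR before it is sent off, it distinguishes a CSR from a certificate (the cause of "Could not read any certificates from -in file"), and it confirms that the private key matches the returned certificate by comparing public-key hashes, which is the same check the SSL Shopper matcher performs. Assumptions not in the thread: the hostname vpn.example.us with www.vpn.example.us as a second SAN, `prompt = no` in the config so no DN is typed interactively, a throwaway self-signed CA generated locally as a stand-in for the real CA so the script runs offline, and the PKCS12 passphrase `changeit`.

```shell
#!/bin/sh
# Added example, not from the thread. Requires openssl (1.1.1 or 3.x) on PATH.
set -eu

WORK="${WORK:-$(mktemp -d)}"      # scratch directory for all files
HOST="vpn.example.us"             # assumed hostname

write_config() {
  # prompt = no makes OpenSSL take the DN values from the file instead of
  # treating them as prompt labels, so the run is non-interactive.
  cat > "$WORK/san.cnf" <<EOF
[ req ]
default_bits       = 4096
prompt             = no
distinguished_name = req_distinguished_name
req_extensions     = req_ext

[ req_distinguished_name ]
C  = US
L  = Florida
O  = Example LLC
CN = $HOST

[ req_ext ]
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = $HOST
DNS.2 = www.$HOST
EOF
}

# Step 2: private key plus CSR in one command.
make_csr() {
  openssl req -new -newkey rsa:4096 -nodes \
    -keyout "$WORK/private.key" -out "$WORK/$HOST.csr" -config "$WORK/san.cnf" 2>/dev/null
}

# Check what the CSR really asks for before sending it to the CA.
csr_sans() {
  openssl req -noout -text -in "$WORK/$HOST.csr" \
    | grep -A1 'Subject Alternative Name' | tail -n1 | sed 's/^ *//'
}

# Steps 3-4, replaced by a constructed self-signed CA so this runs offline.
make_stand_in_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=Constructed Test CA" -keyout "$WORK/ca.key" -out "$WORK/ca_cert.crt" 2>/dev/null
}

# A real CA copies the requested SANs itself; a local signer needs -extfile.
sign_csr() {
  openssl x509 -req -in "$WORK/$HOST.csr" -CA "$WORK/ca_cert.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 30 -extfile "$WORK/san.cnf" -extensions req_ext \
    -out "$WORK/cert.pem" 2>/dev/null
}

# Tell a CSR from a certificate: pkcs12 -export needs the latter under -in.
pem_kind() {
  if openssl x509 -noout -in "$1" 2>/dev/null; then echo certificate
  elif openssl req -noout -in "$1" 2>/dev/null; then echo csr
  else echo unknown; fi
}

# Prove private.key belongs to cert.pem: both must yield the same public key.
key_matches_cert() {
  k=$(openssl pkey -in "$WORK/private.key" -pubout 2>/dev/null | openssl sha256)
  c=$(openssl x509 -in "$WORK/cert.pem" -noout -pubkey | openssl sha256)
  [ "$k" = "$c" ] && echo match || echo MISMATCH
}

# Step 5: bundle key, certificate and CA chain; $1 is the export passphrase.
bundle_p12() {
  openssl pkcs12 -export -out "$WORK/keyStore.p12" -inkey "$WORK/private.key" \
    -in "$WORK/cert.pem" -certfile "$WORK/ca_cert.crt" -passout "pass:$1"
}

# Count certificates in the bundle (server cert + CA cert = 2).
p12_cert_count() {
  openssl pkcs12 -in "$WORK/keyStore.p12" -passin "pass:$1" -nodes -nokeys 2>/dev/null \
    | grep -c 'BEGIN CERTIFICATE'
}

main() {
  write_config
  make_csr
  echo "CSR SANs: $(csr_sans)"
  echo "$HOST.csr is a: $(pem_kind "$WORK/$HOST.csr")"
  make_stand_in_ca
  sign_csr
  echo "cert.pem is a: $(pem_kind "$WORK/cert.pem")"
  echo "key/cert: $(key_matches_cert)"
  bundle_p12 changeit
  echo "certificates in keyStore.p12: $(p12_cert_count changeit)"
}
main
```

For Step 6 the bundle goes in as base64 text: `openssl base64 -in keyStore.p12` and paste the output into `crypto ca import <trustpoint> pkcs12 changeit` on the ASA (trustpoint name assumed). One caveat: OpenSSL 3 encrypts PKCS12 with AES-256 and PBKDF2 by default, which older ASA releases are known to reject on import; if that happens, regenerate the bundle with OpenSSL 3's `-legacy` option (or the 3DES/SHA1 `-keypbe`/`-certpbe`/`-macalg` settings) rather than assuming the key or certificate is wrong.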

Marius,

Yes, I was trying to combine them. But I found out the CSR was corrupted and did not meet the requirements. I had to get a new CSR from the ASA; this time I used SSLSHOPPER to confirm the cert hash information.