13004 Views | 5 Helpful | 6 Replies

Certificate Signing Request (CSR) guideline

corey.burden
Level 1

Hi all,

I'm working on a project to implement IPsec. We are going to use RSA certificates rather than pre-shared keys. In order to do this, I need to generate a CSR and send the CSR in. Can someone tell me the steps to generate the CSR and where I can retrieve it once it's generated? The information I received so far is to:

1. Generate an RSA key

2. Create a trust point

3. Enter the command "Crypto PKI enroll"

Are there any additional steps and how can I view the CSR?

Thanks,

Corey

6 Replies

Diego Lopez
Level 1

Hello,

CLI process "example":

1- generate a 1024 key size:

crypto key generate rsa label my.ca.key modulus 1024

2-Create a trust point:

crypto ca trustpoint CA1
subject-name CN=CiscoASA.cisco.com,OU=TSWEB
! the label is case-sensitive and must match the key generated in step 1
keypair my.ca.key
fqdn CiscoASA.cisco.com
enrollment terminal
exit

3- Get the CSR:

Once you enter the command "crypto ca enroll" you will be asked if you want to include the device serial number in the subject name; answer no. Then it will ask if you want to display the certificate request to the terminal; say yes. That's all, you will see the certificate request.

Will be something like this:

crypto ca enroll CA1

% Start certificate enrollment ..
% The subject name in the certificate will be: cn=CiscoASA.cisco.com OU=TSWEB,
O=Cisco Systems, C=US,St=North Carolina,L=Raleigh

% The fully-qualified domain name in the certificate will be: CiscoASA.cisco.com
% Include the device serial number in the subject name? [yes/no]:  no

!--- Do not include the device's serial number in the subject.


Display Certificate Request to terminal? [yes/no]: yes

!--- Displays the PKCS#10 enrollment request to the terminal. You will need to
!--- copy this from the terminal to a text file or web text field to submit to
!--- the third party CA.

Certificate Request follows:
[base64 PKCS#10 request text omitted here]
---End - This line not part of the certificate request---

Redisplay enrollment request? [yes/no]: no

You can check this link; it explains the process step by step in the CLI and ASDM ("steps 1 and 2 to get the CSR"):

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/110221-asavpnclient-ca.html

Like I said, it is just an "example" of how to do this process on the command line, but thanks for clarifying.

Thank you for the assistance, Diego. I went through the process. There were a few things that I hope you can clarify.

1. The following command did not work for the trustpoint:

keypair my.CA.key

However I did see this command.  Am I correct in assuming that this is what I'm to use?

rsakeypair "my key pair"

2.  The following command also did not work to generate the CSR

   crypto ca enroll CA1

However, I found the following command.  Am I correct in assuming this is what is needed?

crypto pki enroll "my trustpoint name"

I assume both commands were correct as I was able to generate a certificate on the terminal.

Thanks,

Corey

Hello

I assumed it was for an ASA; from the commands it looks like you made the request on a Cisco router. The process is the same but, like you mentioned, the commands are a little different, and they are correct.

The rsakeypair command specifies which key pair to associate with the certificate.

crypto pki enroll generates the certificate request and displays it.

Please rate! 

Thanks. 
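Before the request copied out of the terminal (ASA "crypto ca enroll" or router "crypto pki enroll") goes into the CA's web form, it is worth checking that the paste is intact and carries the identity the IPsec peers will match against. The script below is an added example and is not from this thread or from Cisco: it uses the openssl CLI on a workstation to build a request with the same CN, OU and FQDN as the CA1 trustpoint above (with a 2048-bit key, since most CAs no longer accept 1024-bit RSA), then checks the subject CN, the DNS subjectAltName, the modulus size and the request's self-signature. The check_csr helper, the temporary file paths and the config section names are my own; to check a real device request, save the text between "Certificate Request follows:" and the "---End" line to a file and pass that file to check_csr instead of the generated one.

```shell
#!/bin/sh
# Added example (not from the thread or from Cisco): reproduce the request the
# CA1 trustpoint would generate, then run the checks worth doing on a PKCS#10
# request before submitting it to a CA. Only the openssl CLI is assumed.

WORK="$(mktemp -d)"            # scratch directory, removed on exit
trap 'rm -rf "$WORK"' EXIT

FQDN="CiscoASA.cisco.com"      # the trustpoint's "fqdn" value from the thread
CSR="$WORK/asa.csr"

# make_csr: stand-in for "crypto key generate rsa" plus "crypto ca enroll" with
# "enrollment terminal": a fresh RSA key and a request carrying the subject
# name from the thread and the FQDN as a DNS subjectAltName.
make_csr() {
  cat > "$WORK/req.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
req_extensions = ext
[dn]
CN = $FQDN
OU = TSWEB
[ext]
subjectAltName = DNS:$FQDN
EOF
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/req.cnf" \
    -keyout "$WORK/asa.key" -out "$CSR" 2>/dev/null
}

# csr_cn: the CN the CA will put into the issued certificate.
csr_cn() {
  openssl req -noout -subject -nameopt RFC2253 -in "$1" |
    sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# csr_bits: RSA modulus size of the key the request was made with.
csr_bits() {
  openssl req -noout -text -in "$1" |
    sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# csr_san: DNS name requested in subjectAltName (what an IPsec peer
# configured to match on FQDN will compare against).
csr_san() {
  openssl req -noout -text -in "$1" |
    sed -n '/Subject Alternative Name/{n;s/.*DNS:\([^, ]*\).*/\1/p;}'
}

# csr_verify: a PKCS#10 request is self-signed with the new private key, so a
# good signature proves the base64 block was not truncated or altered in the
# copy from the terminal.
csr_verify() {
  openssl req -noout -verify -in "$1" 2>&1 | grep -q 'verify OK'
}

# check_csr FILE EXPECTED_FQDN MIN_BITS: returns 0 only when every check passes.
check_csr() {
  [ "$(csr_cn "$1")" = "$2" ]    || { echo "CN does not match $2";  return 1; }
  [ "$(csr_san "$1")" = "$2" ]   || { echo "SAN does not carry $2"; return 1; }
  [ "$(csr_bits "$1")" -ge "$3" ] || { echo "key smaller than $3 bits"; return 1; }
  csr_verify "$1"                || { echo "self-signature failed";  return 1; }
}

make_csr
if check_csr "$CSR" "$FQDN" 2048; then
  echo "request for $FQDN passes all checks; ready to submit"
fi
```

The same four checks apply to a request produced on the router with `rsakeypair` and `crypto pki enroll`; only the subject and FQDN arguments change. A failed self-signature check almost always means a line was lost or wrapped when copying from the terminal, so redisplay the request and copy it again rather than submitting it.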

Great.  Thanks Diego