12-30-2015 10:57 AM
Hi all,
I'm working on a project to implement IPsec. We are going to use RSA certificates rather than pre-shared keys. In order to do this, I need to generate a CSR and send the CSR in. Can someone tell me the steps to generate the CSR and where I can retrieve it once it's generated? The information I received so far is to:
1. generate an RSA key
2. Create a trust point.
3. Enter the command "Crypto PKI enroll"
Are there any additional steps and how can I view the CSR?
Thanks,
Corey
Labels: VPN
Accepted Solutions
12-30-2015 01:09 PM
Hello,
CLI process "example":
1- Generate a 1024-bit key:
crypto key generate rsa label my.ca.key modulus 1024
2- Create a trust point (the keypair label must match the one generated above):
crypto ca trustpoint CA1
subject-name CN=CiscoASA.cisco.com,OU=TSWEB
keypair my.ca.key
fqdn CiscoASA.cisco.com
enrollment terminal
exit
3- Get the CSR:
Once you enter the command "crypto ca enroll", you will be asked whether you want to include the device serial number in the subject name; answer no. Then it will ask whether you want to display the certificate request to the terminal; say yes. That's all; you will see the certificate request.
It will be something like this:
crypto ca enroll CA1
% Start certificate enrollment ..
% The subject name in the certificate will be: cn=CiscoASA.cisco.com OU=TSWEB,
O=Cisco Systems, C=US,St=North Carolina,L=Raleigh
% The fully-qualified domain name in the certificate will be: CiscoASA.cisco.com
% Include the device serial number in the subject name? [yes/no]: no
!--- Do not include the device's serial number in the subject.
Display Certificate Request to terminal? [yes/no]: yes
!--- Displays the PKCS#10 enrollment request to the terminal. You will need to
!--- copy this from the terminal to a text file or web text field to submit to
!--- the third party CA.
Certificate Request follows:
[base64-encoded PKCS#10 request omitted]
---End - This line not part of the certificate request---
Redisplay enrollment request? [yes/no]: no
You can check this link; it explains the process step by step in CLI and ASDM (steps 1 and 2 to get the CSR):
http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/110221-asavpnclient-ca.html
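Before the PKCS#10 request copied from the terminal goes to the CA, a quick check on the admin workstation catches a damaged paste, a subject that does not match the trustpoint's fqdn, and an undersized key (the 1024-bit modulus in the example above would fail a 2048-bit threshold). This added example is not from the thread or from Cisco; it assumes OpenSSL is installed, and the file names, the check_csr/make_demo_csr functions and the locally generated stand-in request are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the thread: sanity-check a PKCS#10 request pasted
# from "crypto ca enroll" before it goes to the CA. Assumes openssl is on PATH;
# file names and the locally generated stand-in request are constructed.
set -eu

# check_csr FILE EXPECTED_CN MIN_BITS
# Succeeds only if the request's self-signature verifies, the subject CN is the
# device FQDN the trustpoint was configured with, and the RSA key is long enough.
check_csr() {
  csr=$1; want_cn=$2; min_bits=$3
  # 1. Self-signature proves possession of the key and catches a damaged paste.
  openssl req -in "$csr" -noout -verify >/dev/null 2>&1 \
    || { echo "FAIL: signature does not verify"; return 1; }
  # 2. Subject CN must match the fqdn line of the trustpoint (RFC2253 output
  #    gives "CN=value" with no spaces, so a simple sed suffices).
  cn=$(openssl req -in "$csr" -noout -subject -nameopt RFC2253 \
       | sed -n 's/.*CN=\([^,]*\).*/\1/p')
  [ "$cn" = "$want_cn" ] || { echo "FAIL: CN is '$cn', expected '$want_cn'"; return 1; }
  # 3. Key length: the thread's 1024-bit modulus is below current guidance.
  bits=$(openssl req -in "$csr" -noout -text \
         | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p')
  [ "${bits:-0}" -ge "$min_bits" ] || { echo "FAIL: ${bits:-?}-bit key < $min_bits"; return 1; }
  echo "OK: CN=$cn, ${bits}-bit RSA"
}

# make_demo_csr BITS OUTFILE: constructed stand-in for the ASA's terminal output,
# with the same subject the trustpoint above configures.
make_demo_csr() {
  openssl req -new -newkey "rsa:$1" -nodes -keyout "${2%.csr}.key" \
    -subj "/CN=CiscoASA.cisco.com/OU=TSWEB" -out "$2" >/dev/null 2>&1
}

# Usage: make_demo_csr 2048 /tmp/asa.csr && check_csr /tmp/asa.csr CiscoASA.cisco.com 2048
```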
12-30-2015 01:58 PM
12-30-2015 03:12 PM
Like I said, it is just an "example" of how to do this process on the command line, but thanks for clarifying.
12-31-2015 05:56 AM
Thank you for the assistance Diego. I went through the process. There were a few things that I hope you can clarify.
1. The following command did not work for the trustpoint:
keypair my.CA.key
However I did see this command. Am I correct in assuming that this is what I'm to use?
rsakeypair "my key pair"
2. The following command also did not work to generate the CSR:
crypto ca enroll CA1
However, I found the following command. Am I correct in assuming this is what is needed?
crypto pki enroll "my trustpoint name"
I assume both commands were correct as I was able to generate a certificate on the terminal.
Thanks,
Corey
01-02-2016 07:55 AM
Hello,
I assumed it was for an ASA; from the commands it looks like you made the request on a Cisco router. The process is the same but, like you mentioned, the commands are a little different, and they are correct.
The rsakeypair command specifies which key pair to associate with the certificate.
crypto pki enroll generates the certificate request and displays it.
Please rate!
Thanks.
01-04-2016 06:50 AM
Great. Thanks Diego
