bg-tutorials

How to Generate a CSR on Cisco ASA 5500 Series

This tutorial covers two ways to generate a CSR (Certificate Signing Request) on a Cisco ASA appliance: through the ASDM graphical interface and through the CLI. Both methods create an RSA key pair and a CSR that you submit to your Certificate Authority (CA) during the SSL order process.

Although the original ASA 5500 hardware has reached end-of-life, the same ASA software (and therefore the same CSR procedure) runs on current Cisco platforms, including the Firepower 1000, 2100, 4100, 9300 series, and the ASAv virtual appliance. The steps below apply to all of them.

Generate a CSR via ASDM (GUI)

If you have already generated your CSR, you can skip ahead to the Cisco ASA SSL installation instructions.

You can also use our CSR Generator to create the CSR automatically, or follow the ASDM steps below.

Step 1: Open the Identity Certificates panel

Log in to your Cisco Adaptive Security Device Manager (ASDM). Navigate to Configuration > Device Management (in some ASDM versions this appears under Remote Access VPN instead). Expand the Certificate Management tree and select Identity Certificates. Click Add.

Step 2: Create a key pair

In the Add Identity Certificate window, type a name in the Trustpoint Name field (for example, mysite_cert). Select the Add a new identity certificate radio button and click New next to Key Pair.

In the Add Key Pair dialog:

  • Select Enter new key pair name and type a descriptive name.
  • Set Key Size to 2048. The ASA does not support 4096-bit keys for SSL server authentication (Cisco bug CSCut53512), so 2048 is the recommended value.
  • For Usage, choose General Purpose (required for RSA).

Click Generate Now. The appliance creates the key pair and returns you to the Add Identity Certificate window.

Step 3: Fill in the Certificate Subject DN

Next to Certificate Subject DN, click Select. In the dialog that opens, select each attribute from the drop-down list, enter the value, and click Add:

  • CN (Common Name): the fully qualified domain name the appliance will serve, for example vpn.yoursite.com.
  • O (Organization): your organization’s legal name, for example GPI Holding LLC.
  • L (Locality): the city where your organization is registered, for example San Jose.
  • ST (State): the state or province, for example California.
  • C (Country): the two-letter ISO country code, for example US.

You can skip OU (Organizational Unit). CAs no longer include this field in issued certificates.

Review the entries and click OK.

Step 4: Set the FQDN in the Advanced options

Back in the Add Identity Certificate window, click Advanced. In the FQDN field, type the same fully qualified domain name you entered for CN in the previous step (for example, vpn.yoursite.com). This value is placed in the Subject Alternative Name (SAN) extension of the CSR. Click OK.

Step 5: Generate and save the CSR

Click Add Certificate. ASDM prompts you to save the CSR to a text file. Choose a filename and location, then save.

Open the saved file in a text editor and verify that it begins with -----BEGIN CERTIFICATE REQUEST----- and ends with -----END CERTIFICATE REQUEST-----. You will paste the entire block (including those tags) into your CA’s order form.

To double-check the contents before you submit, paste the CSR into the SSL Dragon CSR decoder.

Generate a CSR via CLI

If you prefer the command line, connect to the ASA over SSH or the console and follow the steps below.

Step 1: Create the RSA key pair

Enter privileged EXEC mode, then enter configuration mode and generate a 2048-bit RSA key pair with a descriptive label:

configure terminal
crypto key generate rsa label mysite_key modulus 2048

The ASA confirms the key pair was generated. Do not use 4096, because the ASA does not support 4096-bit keys for SSL server authentication.

Step 2: Configure the trustpoint

Create a trustpoint and enter its sub-configuration mode. Assign the key pair, set the subject name, the FQDN, and choose terminal enrollment (manual cut-and-paste). Then exit back to global configuration mode:

crypto ca trustpoint mysite_cert
enrollment terminal
subject-name CN=vpn.yoursite.com,O=GPI Holding LLC,L=San Jose,ST=California,C=US
keypair mysite_key
fqdn vpn.yoursite.com
exit

Replace the subject-name values and FQDN with your own organization’s details. The CN must match the domain or hostname the appliance will serve.

Step 3: Generate the CSR

Run the enrollment command to produce the CSR:

crypto ca enroll mysite_cert

The ASA asks two interactive questions. When prompted to include the device serial number in the subject name, answer no. When prompted to display the certificate request to the terminal, answer yes.

The ASA then displays the CSR on the terminal. Copy everything from -----BEGIN CERTIFICATE REQUEST----- through -----END CERTIFICATE REQUEST----- (inclusive) and paste it into a text file.

You can verify the CSR contents with the SSL Dragon CSR decoder before submitting it to your CA.

Next steps

Submit the CSR to your Certificate Authority during the SSL order process. After the CA validates the request and issues the certificate, proceed to the Cisco ASA SSL installation guide to import the signed certificate and activate HTTPS on the appliance.

To confirm everything is working after installation, run a scan with the SSL Checker.

Save 10% on SSL Certificates when ordering from SSL Dragon today!

Fast issuance, strong encryption, 99.99% browser trust, dedicated support, and 25-day money-back guarantee. Coupon code: SAVE10

A detailed image of a dragon in flight
Written by

I've been writing for SSL Dragon for over 10 years, focusing entirely on SSL certificates and digital security. My job is to take complex cybersecurity topics and strip away the jargon, making sure you get the clear, practical information you need to keep your website safe.