bg-tutorials

How to Install an SSL Certificate on Cisco ASA 5500 series

This guide shows you how to install an SSL/TLS certificate on a Cisco ASA 5500 series firewall, both through ASDM and from the CLI. The same procedure secures the ASDM/HTTPS admin interface and the AnyConnect SSL VPN (WebVPN) portal on every ASA running modern software, so you can use whichever path matches your environment.

A note on Cisco ASA 5500 hardware status (2026)

Before you install, confirm whether your appliance is still supported by Cisco. The 5500 family covers two hardware generations and both are well into their end-of-life cycle:

  • Classic ASA 5500 (5505, 5510, 5520, 5540, 5550): all past Cisco’s Last Day of Support. The 5510, 5520, 5540 and 5550 ended sale on September 16, 2013 and reached their Last Day of Support on September 30, 2018; the 5505 reached End of Sale on August 25, 2017 and its Last Day of Support was August 31, 2022. No new ASA software is shipped for these models.
  • ASA 5500-X (5506-X, 5508-X, 5512-X, 5515-X, 5516-X, 5525-X, 5545-X, 5555-X, 5585-X): the 5512-X and 5515-X reached their Last Day of Support on August 31, 2022; the 5585-X on May 31, 2023; the 5525-X, 5545-X and 5555-X on September 30, 2025. The 5506-X, 5508-X and 5516-X reach their Last Day of Support on August 31, 2026.
  • Successor platform: Cisco’s current replacement is the Cisco Secure Firewall family (formerly Firepower / FTD), typically the Secure Firewall 1000, 3100 and 4200 series.

You can still install and renew a public TLS certificate on an ASA you already own, and the steps below work on any ASA running 9.x software. Just plan a migration if your unit is past Last Day of Support: Cisco will not issue further PSIRT advisories or software patches for it.

Generate the CSR on Cisco ASA 5500

If you have already generated your CSR and received your certificate files, skip ahead to the installation section.

A CSR (Certificate Signing Request) is a block of encoded text that contains your contact details and your public key. The Certificate Authority uses it to verify your identity and to sign the issued certificate. You have two options:

  • Generate the CSR off-box with our CSR Generator. The private key is created outside the ASA, so the CA will return a certificate that you later combine with the key into a .pfx / .p12 file and import into the ASA.
  • Generate the CSR on the appliance itself by following our tutorial on how to generate a CSR on Cisco ASA 5500. The private key stays on the ASA, and the CA returns a signed identity certificate that you finish installing with crypto ca import certificate.

Install an SSL certificate on Cisco ASA 5500

You can install the certificate either through ASDM (the GUI) or from the CLI. Use ASDM if you generated the CSR off-box and have a .pfx / .p12 bundle, or if you simply prefer the GUI. Use the CLI when you generated the CSR on the ASA and the CA returned plain PEM .crt files, or when you automate deployments.

Step 1: Prepare your certificate files

The CA delivers either a ZIP archive containing the primary (server / identity) certificate plus one or more intermediate certificates, or a single PKCS#12 bundle (.pfx / .p12) that already wraps the private key, identity certificate and chain together. Save the files somewhere you can browse to from the ASDM client, or paste their contents into a CLI session.

If you have separate PEM files, open each in a plain-text editor (Notepad, TextEdit, VS Code) and confirm that the contents start with —–BEGIN CERTIFICATE—– and end with —–END CERTIFICATE—–, with no extra characters before or after. If your CA ships two intermediates, keep them in separate files so you can install each one individually.

Option A: Install via ASDM

Step 2A: Install the intermediate certificate(s)

  • Log into ASDM and go to Configuration > Device Management.
  • Expand Certificate Management and click CA Certificates.
  • Click Add, give the CA a trustpoint name (for example my.ca.trustpoint), then either click Install from a file and browse to the intermediate .crt, or select Paste certificate in PEM format and paste the file contents.
  • Click Install Certificate. Repeat for any additional intermediate.

Step 3A: Install the identity (primary) certificate

The flow depends on where the CSR was generated:

  • CSR generated on this ASA. Go to Configuration > Device Management > Certificate Management > Identity Certificates. Select the pending entry (it shows the trustpoint you created when you generated the CSR) and click Install. Browse to the issued .crt file or paste the PEM contents, then click Install Certificate.
  • CSR generated off-box (you have a .pfx / .p12 file). On the same Identity Certificates panel, click Add, choose Import the identity certificate from a file, browse to your .pfx or .p12 bundle, enter the export password, and click Add Certificate. ASDM creates the trustpoint and imports the private key, identity certificate and chain in one operation.

Step 4A: Bind the certificate to an interface

Installing the certificate does not activate it. The ASA still serves its self-signed certificate until you bind your new trustpoint to a specific interface:

  • Go to Configuration > Device Management > Advanced > SSL Settings.
  • In the Certificates table, select the interface that terminates ASDM / HTTPS or AnyConnect sessions (usually outside) and click Edit.
  • From the Primary Enrolled Certificate drop-down, choose the trustpoint you just installed, click OK, then Apply.
  • Click Save (the floppy-disk icon) to write the running config to startup.

Reload the ASDM URL in your browser. The padlock should now show your CA-issued certificate.

Option B: Install via the CLI

From SSH or the console, enter privileged EXEC and configuration mode, then create a trustpoint and install the certificate. Replace my.ca.trustpoint with any label you want, and use your real subject name and key-pair name.

Step 2B: Install the CA chain

enable
configure terminal

crypto ca trustpoint my.ca.trustpoint
 enrollment terminal
 exit

crypto ca authenticate my.ca.trustpoint

The ASA prompts you to paste the intermediate CA certificate in PEM format. Paste everything including the —–BEGIN CERTIFICATE—– and —–END CERTIFICATE—– lines, then type quit on its own line and press Enter. Confirm yes when asked to accept the certificate. Repeat for a second intermediate by creating another trustpoint (for example my.ca.intermediate2).

Step 3B: Install the identity certificate

If you generated the CSR on this ASA, the trustpoint already holds the matching private key. Import the signed identity certificate the CA returned:

crypto ca import my.ca.trustpoint certificate

Paste the issued certificate in PEM format, then type quit on its own line.

If you generated the CSR off-box and have a PKCS#12 bundle, import the whole bundle in one step. First, copy the .pfx / .p12 file onto the ASA (for example with SCP into disk0:), then base64-encode and import it:

crypto ca import my.ca.trustpoint pkcs12 <export-password>

Paste the base64-encoded PKCS#12 (you can generate it with openssl base64 -in cert.pfx), end with quit.

Step 4B: Bind the trustpoint to an interface

Tell the ASA to use the new trustpoint for SSL/TLS on the interface that serves ASDM, HTTPS admin or AnyConnect:

ssl trust-point my.ca.trustpoint outside
write memory

Replace outside with the nameif of the interface that terminates the sessions. This single global ssl trust-point bind serves both the ASDM/HTTPS admin interface and the AnyConnect SSL VPN portal on that interface, so there is no separate bind inside the webvpn context.

From ASA 9.4 onwards you can also bind per-protocol on the same interface, for example a different trustpoint for DTLS than for TLS, with ssl trust-point <name> <interface> <protocol>. For most deployments a single bind on the outside interface is what you want.

Test the SSL installation

Open the ASDM or AnyConnect portal URL in a browser, check the padlock, and inspect the issued-to and issued-by fields to confirm the new certificate is being served. For a deeper external check (chain order, expiration, supported protocols), run our SSL Checker against the public hostname.

Frequently Asked Questions

Is the Cisco ASA 5500 still supported in 2026?

The classic ASA 5500 (5505, 5510, 5520, 5540, 5550) is past Cisco’s Last Day of Support and receives no new software or security fixes. Among the ASA 5500-X models, the 5512-X and 5515-X reached Last Day of Support on August 31, 2022, the 5585-X on May 31, 2023, and the 5525-X, 5545-X and 5555-X on September 30, 2025. The 5506-X, 5508-X and 5516-X reach their Last Day of Support on August 31, 2026. You can still install certificates on any unit you own, but plan to migrate to a Cisco Secure Firewall appliance.

Do I install the certificate under Identity Certificates or CA Certificates?

Your server (primary) certificate goes under Identity Certificates, because it represents the ASA’s own identity. The CA chain (root and intermediates) goes under CA Certificates. When you import a .pfx / .p12 bundle through Identity Certificates, ASDM unpacks the chain and adds the intermediates under CA Certificates automatically.

Why does the ASA still show its self-signed certificate after I installed mine?

Installing a trustpoint stores the certificate, but the ASA only presents it once you bind that trustpoint to the interface. In ASDM, set it under Configuration > Device Management > Advanced > SSL Settings; from the CLI, run ssl trust-point <name> <interface>. Until then, the ASA keeps serving its built-in self-signed certificate.

How do I install the same certificate for both ASDM and AnyConnect?

You need only one bind. The global command ssl trust-point my.ca.trustpoint outside sets the SSL certificate for that interface, and both the ASDM/HTTPS admin service and the AnyConnect SSL VPN portal on that interface present it. There is no separate trustpoint bind inside the webvpn context.

Do I need to reload the ASA after installing the certificate?

No. The change takes effect as soon as you apply the ssl trust-point binding and write the configuration. Existing sessions keep using the old certificate until they reconnect; new sessions immediately negotiate against the new one.

Save 10% on SSL Certificates when ordering from SSL Dragon today!

Fast issuance, strong encryption, 99.99% browser trust, dedicated support, and 25-day money-back guarantee. Coupon code: SAVE10

A detailed image of a dragon in flight
Written by

I've been writing for SSL Dragon for over 10 years, focusing entirely on SSL certificates and digital security. My job is to take complex cybersecurity topics and strip away the jargon, making sure you get the clear, practical information you need to keep your website safe.