By Manny Fernandez

November 1, 2016

Creating a Certificate Signing Request on the ASA

First things first: check the time on your ASA, since the certificate's validity period will be judged against it. You can do this with the following command:

show clock

If the time is not set correctly, set the time zone and use the 'clock set' command to set the correct time.

Now let's get started. We first need to create a public/private key pair; here it is a 2048-bit RSA key labelled monkey.key, which the trustpoint will reference later:

crypto key generate rsa label monkey.key modulus 2048

Now we create a 'TrustPoint' that references the key pair from above, and we also define the subject DN.

The DN is made up of attribute-value pairs. These are the attributes commonly set:

CN: Common Name
OU: Organizational Unit
O: Organization
L: Locality
S: State or Province Name
C: Country Name

crypto ca trustpoint access.monkey.trustpoint

subject-name CN=access.monkey.com,OU=access,O=monkey.com,C=US,St=Florida,L=DC
keypair monkey.key
fqdn access.monkey.com
enrollment terminal
exit

Now we generate the actual CSR (Certificate Signing Request). The output is a Base64-encoded PEM block, and that is what you send to the CA server for signing.

crypto ca enroll access.monkey.trustpoint

% Start certificate enrollment ..
% The subject name in the certificate will be: CN=access.monkey.com,OU=access,O=monkey.com,C=US,St=Florida,L=DC
% The fully-qualified domain name in the certificate will be: access.monkey.com
% Include the device serial number in the subject name? [yes/no]: no

Display Certificate Request to terminal? [yes/no]: yes

Certificate Request follows:
[Base64-encoded certificate request omitted]
---End - This line not part of the certificate request---

Redisplay enrollment request? [yes/no]: no
primate-fw-01(config)#
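Before pasting the request into the CA, it is worth checking offline that it carries the subject, the FQDN and the key size you intended; a CA will happily sign whatever you hand it. The script below is an added example and not part of the original post: it uses openssl (assumed to be installed) to build a stand-in CSR with the same DN as above, because the ASA's own request cannot be generated here, and then runs the checks you would run on the real one. The file names and the check_csr function are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original post. Requires openssl.
set -u

# Build a stand-in key and CSR with the same DN the post uses (constructed
# sample). On the ASA the 'fqdn' line is what ends up as the DNS SAN, so
# the sample adds the same SAN for the check below to look for.
make_sample_csr() {
    dir=$1
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$dir/monkey.key" -out "$dir/access.monkey.csr" \
        -subj "/C=US/ST=Florida/L=DC/O=monkey.com/OU=access/CN=access.monkey.com" \
        -addext "subjectAltName=DNS:access.monkey.com" >/dev/null 2>&1
}

# check_csr FILE EXPECTED_CN EXPECTED_FQDN MIN_KEY_BITS
# Returns 0 only when the self-signature verifies, the CN matches, the RSA
# key is at least MIN_KEY_BITS and the FQDN is present as a DNS SAN.
check_csr() {
    csr=$1; want_cn=$2; want_fqdn=$3; min_bits=$4

    # A request whose signature does not verify is corrupt or tampered with.
    openssl req -in "$csr" -noout -verify >/dev/null 2>&1 \
        || { echo "signature does not verify"; return 1; }

    # Subject line format differs between OpenSSL versions ("CN = x" vs "/CN=x").
    subj=$(openssl req -in "$csr" -noout -subject)
    case "$subj" in
        *"CN = $want_cn"*|*"CN=$want_cn"*) ;;
        *) echo "CN mismatch: $subj"; return 1 ;;
    esac

    text=$(openssl req -in "$csr" -noout -text)

    # Key size: the "Public-Key: (NNNN bit)" line covers old and new OpenSSL output.
    bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1)
    [ "${bits:-0}" -ge "$min_bits" ] \
        || { echo "key too small: ${bits:-unknown} bits"; return 1; }

    # Browsers ignore the CN for hostname matching, so the FQDN must be a SAN.
    printf '%s\n' "$text" | grep -q "DNS:$want_fqdn" \
        || { echo "DNS SAN $want_fqdn missing"; return 1; }

    echo "CSR OK: CN=$want_cn, SAN=$want_fqdn, ${bits}-bit key"
    return 0
}

# Usage: ./check_csr.sh request.pem   (checks against the post's values)
if [ -n "${1:-}" ]; then
    check_csr "$1" access.monkey.com access.monkey.com 2048
fi
```

Run it against the text the ASA printed between the Begin and End markers, saved to a file; the function stops at the first failed check and says which one it was, so a mismatched CN or a forgotten fqdn line shows up before the CA ever sees the request.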


Hope this helps
