By Manny Fernandez

November 1, 2016

Creating a Certificate Signing Request on the ASA

First things first: check the time on your ASA, because certificate validity is checked against the device clock. You can do this with the following command:

show clock

If the time is not set correctly, set the time zone and then use the 'clock set' command to set the correct time.

Now let's get started. We first need to create a public/private key pair:

crypto key generate rsa label monkey.key modulus 2048

Now we create a 'TrustPoint', which references the key pair generated above. We also define the DN (Distinguished Name) of the subject.

We now define the attribute-value pairs that make up the subject name. These are the attributes commonly set:

CN: Common Name
OU: Organizational Unit
O: Organization
L: Locality
S: State or Province Name
C: Country Name

crypto ca trustpoint access.monkey.trustpoint

subject-name CN=access.monkey.com,OU=access,O=monkey.com,C=US,St=Florida,L=DC
keypair monkey.key
fqdn access.monkey.com
enrollment terminal
exit

Now we will generate the actual CSR (Certificate Signing Request). The output is a Base64-encoded PEM block, which needs to be sent to the CA for signing.

crypto ca enroll access.monkey.trustpoint

% Start certificate enrollment ..
% The subject name in the certificate will be: CN=access.monkey.com,OU=access,O=monkey.com,C=US,St=Florida,L=DC
% The fully-qualified domain name in the certificate will be: access.monkey.com
% Include the device serial number in the subject name? [yes/no]: no

Display Certificate Request to terminal? [yes/no]: yes

Certificate Request follows:
---End - This line not part of the certificate request---

Redisplay enrollment request? [yes/no]: no
primate-fw-01(config)#
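Before pasting the request into the CA, it is worth checking that what the ASA produced is what you asked for. The script below is an added example, not part of the original post: it assumes openssl is installed and, because no real ASA CSR is available here, generates a constructed stand-in key and CSR with the same subject; in practice you would save the PEM block from the terminal as csr.pem and run check_csr on that file.

```shell
#!/bin/sh
# Added example: sanity-check a CSR before sending it to the CA.
# Assumes `openssl` is on the PATH (OpenSSL 1.1.1 or newer for -addext).
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed stand-in for the ASA-generated CSR (same subject and FQDN as
# the post); in real use, replace this with the PEM block copied from the ASA.
openssl req -new -newkey rsa:2048 -nodes -sha256 \
  -keyout "$WORK/monkey.key" -out "$WORK/csr.pem" \
  -subj "/C=US/ST=Florida/L=DC/O=monkey.com/OU=access/CN=access.monkey.com" \
  -addext "subjectAltName=DNS:access.monkey.com" >/dev/null 2>&1

# check_csr FILE FQDN MINBITS -> returns 0 when the CSR is self-consistent,
# carries the expected name, and uses a key at least MINBITS long.
check_csr() {
  csr=$1; fqdn=$2; minbits=$3
  # 1. The request signature must verify with the public key embedded in it.
  openssl req -in "$csr" -noout -verify >/dev/null 2>&1 || return 1
  # 2. The CN must be the FQDN clients will actually connect to.
  subj=$(openssl req -in "$csr" -noout -subject -nameopt RFC2253)
  case "$subj" in *"CN=$fqdn"*) ;; *) return 1 ;; esac
  # 3. Key size: reject anything weaker than the modulus requested on the ASA.
  bits=$(openssl req -in "$csr" -noout -text \
         | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p')
  [ "${bits:-0}" -ge "$minbits" ] || return 1
  # 4. The FQDN must also be present as a DNS SAN; browsers ignore the CN.
  openssl req -in "$csr" -noout -text | grep -q "DNS:$fqdn" || return 1
  return 0
}

check_csr "$WORK/csr.pem" access.monkey.com 2048 && echo "CSR OK"
```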


Hope this helps
