How to Generate a Certificate Signing Request (CSR) in Cisco ASA 5500 SSL VPN/Firewall?

Overview 

This guide provides the step-by-step process for generating a Certificate Signing Request (CSR), which is the first step in obtaining an X.509 digital certificate. A CSR contains the public key and identity information required by a Certificate Authority (CA) to issue a certificate. This guide covers three methods: using ASDM, using ASA CLI, and using OpenSSL. 

 

Prerequisites 

Before you begin, ensure you have the following: 

  • Access to an ASA device or a workstation with OpenSSL installed 
  • Required keypair size as mandated by your Certificate Authority (minimum 2048 bits per CA/Browser Forum guidelines) 
  • DNS/FQDN information for the device 
  • Administrative access to ASDM or ASA CLI 
  • (For OpenSSL) Ability to create and store config files in the working directory 

Notes:

  1. Confirm the keypair size with your CA.
  2. ASA does not support 4096‑bit keys for SSL server authentication (Cisco bug ID CSCut53512).
  3. Use the device’s DNS name in the CSR FQDN field to avoid certificate trust warnings.

 

Procedure

There are three methods to generate a CSR on a Cisco ASA:

  • Configure with ASDM.
  • Configure with the ASA CLI.
  • Use OpenSSL to generate the CSR.

Method 1: Generate CSR Using ASDM 

Step 1: Navigate to Certificate Management

Go to Configuration > Remote Access VPN > Certificate Management and select Identity Certificates.
Click Add.

Step 2: Create a Trustpoint

  • Enter a Trustpoint Name.
  • Select “Add a new identity certificate”.

Step 3: Create a Key Pair

  • For Key Pair, click New.
  • Choose the key type: RSA or ECDSA.
  • Enter a meaningful key name.
  • Choose the Key Size (e.g., 2048 bits).
  • Click Generate Now.

Step 4: Configure the Certificate Subject DN

Click Select and configure the required attributes (e.g., CN, O, C, ST, L).
Click Add after entering each attribute.

Note: Some certificate vendors require specific attributes. Contact your CA if unsure.

Step 5: Configure Advanced Options

  • Click Advanced.
  • Enter the device’s FQDN.
  • Keep the Enable CA flag checked (recommended).

Click OK, then Add Certificate.

Step 6: Save the CSR

A prompt appears to save the CSR file.
Click Browse, select a location, and save the file with a .txt extension.


Method 2: Generate CSR Using the ASA CLI 

Step 1: Generate the Key Pair

MainASA(config)# crypto key generate rsa label SSL-Keypair modulus 2048

Step 2: Create and Configure the Trustpoint

MainASA(config)# crypto ca trustpoint SSL-Trustpoint
MainASA(config-ca-trustpoint)# enrollment terminal
MainASA(config-ca-trustpoint)# fqdn remoteasavpn.url
MainASA(config-ca-trustpoint)# subject-name CN=remoteasavpn.url,O=Company Inc,C=US,St=California,L=San Jose
MainASA(config-ca-trustpoint)# keypair SSL-Keypair
MainASA(config-ca-trustpoint)# exit

Step 3: Enroll and Generate the CSR

MainASA(config)# crypto ca enroll SSL-Trustpoint

Follow the prompts to confirm the details:

WARNING: The certificate enrollment is configured with an fqdn that differs from the system fqdn. If this certificate is used for VPN authentication, this may cause connection problems.

Would you like to continue with this enrollment? [yes/no]: yes
% Start certificate enrollment ..
% The subject name in the certificate is: subject-name CN=(remoteasavpn.url),
O=Company Inc,C=US,St=California,L=San Jose

% The fully-qualified domain name in the certificate will be: (remoteasavpn.url),

% Include the device serial number in the subject name? [yes/no]: no

Display Certificate Request to terminal? [yes/no]: yes
Certificate Request:
-----BEGIN CERTIFICATE REQUEST-----
MIIDDjCCAfYCAQAwgYkxETAPBgNVBAcTCFNhbiBKb3NlMRMwEQYDVQQIEwpDYWxp
Zm9ybmlhMQswCQYDVQQGEwJVUzEUMBIGA1UEChMLQ29tcGFueSBJbmMxGjAYBgNV
BAMTEXZwbi5yZW1vdGVhc2EuY29tMSAwHgYJKoZIhvcNAQkCFhF2cG4ucmVtb3Rl
YXNhLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAK62Nhb9ktlK
uR3Q4TmksyuRMqJNrb9kXpvA6H200PuBfQvSF4rVnSwKOmu3c8nweEvYcdVWV6Bz
BhjXeovTVi17FlNTceaUTGikeIdXC+mw1iE7eRsynS/d4mzMWJmrvrsDNzpAW/EM
SzTca+BvqF7X2r3LU8Vsv6Oi8ylhco9Fz7bWvRWVtO3NDDbyolC9b/VgXMuBitcc
rzfUbVnm7VZDOf4jr9EXgUwXxcQidWEABlFrXrtYpFgBo9aqJmRp2YABQ1ieP4cY
3rBtgRjLcF+S9TvHG5m4v7v755meV4YqsZIXvytIOzVBihemVxaGA1oDwfkoYSFi
4CzXbFvdG6kCAwEAAaA/MD0GCSqGSIb3DQEJDjEwMC4wDgYDVR0PAQH/BAQDAgWg
MBwGA1UdEQQVMBOCEXZwbi5yZW1vdGVhc2EuY29tMA0GCSqGSIb3DQEBBQUAA4IB
AQBZuQzUXGEB0ix1yuPK0ZkRz8bPnwIqLTfxZhagmuyEhrN7N4+aQnCHj85oJane
4ztZDiCCoWTerBS4RSkKEHEspu9oohjCYuNnp5qa91SPrZNEjTWw0eRn+qKbId2J
jE6Qy4vdPCexavMLYVQxCny+gVkzPN/sFRk3EcTTVq6DxxaebpJijmiqa7gCph52
YkHXnFne1LQd41BgoLlCr9+hx74XsTHGBmI1s/9T5oAX26Ym+B2l/i/DP5BktIUA
8GvIY1/ypj9KO49fP5ap8al0qvLtYYcCcfwrCt+OojOrZ1YyJb3dFuMNRedAX37t
DuHNl2EYNpYkjVk1wI53/5w3
-----END CERTIFICATE REQUEST-----

Redisplay enrollment request? [yes/no]: no

Answer yes to Display Certificate Request to print the CSR in PKCS#10 format, then copy it, including the BEGIN and END lines, into a text file for submission to the CA.


Method 3: Generate CSR Using OpenSSL 

Step 1: Confirm OpenSSL Installation 

  • Installed by default on macOS and Linux

Step 2: Create an OpenSSL Config File 

Create a file named openssl.cnf (or openssl.cfg for newer versions) with the following content:

[req]
default_bits = 2048
default_keyfile = privatekey.key
distinguished_name = req_distinguished_name
req_extensions = req_ext

[req_distinguished_name]
commonName = Common Name (eg, YOUR name)
commonName_default = asa.remotevpn.url

countryName = Country Name (2 letter code)
countryName_default = US

stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = California

localityName = Locality Name (eg, city)
localityName_default = San Jose

0.organizationName = Organization Name (eg, company)
0.organizationName_default = Company Inc

[req_ext]
subjectAltName = @alt_names

[alt_names]
DNS.1 = *.remoteasa.com


Step 3: Generate the CSR and Private Key

Run:

openssl req -new -nodes -out CSR.csr -config openssl.cnf

This generates:

  • privatekey.key (unencrypted, because of -nodes; restrict access to this file)
  • CSR.csr

You will be prompted to confirm the DN information.

Step 4: Combine the Certificates into a PKCS12 (After the CA Issues the Certificate)

openssl pkcs12 -export -out certificate.pfx -inkey privatekey.key -in certificate.crt -certfile CACert.crt

Step 5: Convert the PKCS12 to Base64

openssl base64 -in certificate.pfx -out certificate.p12

 

Verification

To verify CSR generation and certificate installation:

  • For ASDM/CLI: check that the identity certificate and CA certificate appear under Configuration > Remote Access VPN > Certificate Management > Identity Certificates.
  • For OpenSSL: open the CSR file and confirm it begins with -----BEGIN CERTIFICATE REQUEST-----.
  • After certificate installation: access the device using its FQDN and ensure the browser displays a valid TLS padlock without warnings.
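The OpenSSL method and the verification checks above, as one added example that is not part of the original article and not Cisco or OpenSSL project code: a POSIX shell script that writes a config in the same layout as the openssl.cnf shown earlier, generates the key and CSR without prompts, and then inspects the CSR the way a practitioner should before submitting it: self-signature intact, private key on disk matches the public key in the request, RSA modulus meets the ASA notes (at least 2048 bits and not 4096), and the CN and subjectAltName both carry the device FQDN. It assumes openssl is on PATH; the temporary working directory, the FQDN asa.remotevpn.url and the DN values are constructed for the example, and the -batch and -keyout options are OpenSSL options the article's own command does not use.

```shell
#!/bin/sh
# Added example, not from the original article: generate the CSR non-interactively
# from a config in the article's format, then check what the request asserts
# before it goes to the CA. Assumes `openssl` is on PATH. The working directory,
# file names, FQDN and DN values below are constructed for this example.
WORKDIR="${WORKDIR:-$(mktemp -d)}"
FQDN="asa.remotevpn.url"

# Same layout as the article's openssl.cnf. The SAN carries the device FQDN because
# browsers match the host name against subjectAltName, not the CN.
write_csr_config() {
  cat > "$WORKDIR/openssl.cnf" <<EOF
[req]
default_bits = 2048
distinguished_name = req_distinguished_name
req_extensions = req_ext

[req_distinguished_name]
commonName = Common Name (eg, YOUR name)
commonName_default = $FQDN
countryName = Country Name (2 letter code)
countryName_default = US
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = California
localityName = Locality Name (eg, city)
localityName_default = San Jose
0.organizationName = Organization Name (eg, company)
0.organizationName_default = Company Inc

[req_ext]
subjectAltName = @alt_names

[alt_names]
DNS.1 = $FQDN
EOF
}

# -batch takes every *_default value without prompting; -keyout replaces
# default_keyfile so the key lands in WORKDIR; -nodes leaves the key unencrypted,
# as the article's command does, so restrict access to the file.
generate_csr() {
  openssl req -new -nodes -batch -config "$WORKDIR/openssl.cnf" \
    -keyout "$WORKDIR/privatekey.key" -out "$WORKDIR/CSR.csr" 2>/dev/null
}

# A CSR is self-signed with the new key; a failed verify means the file was
# corrupted or edited after generation.
csr_signature_ok() {
  openssl req -in "$WORKDIR/CSR.csr" -noout -verify >/dev/null 2>&1
}

# The key on disk must be the one whose public half is in the request, or the
# certificate the CA issues will never match the installed key.
key_matches_csr() {
  k=$(openssl pkey -in "$WORKDIR/privatekey.key" -pubout 2>/dev/null | openssl sha256)
  c=$(openssl req -in "$WORKDIR/CSR.csr" -noout -pubkey 2>/dev/null | openssl sha256)
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# RSA modulus size, parsed from the text dump line "Public-Key: (2048 bit)".
csr_key_bits() {
  openssl req -in "$WORKDIR/CSR.csr" -noout -text 2>/dev/null |
    sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1
}

# Policy from the article's notes: at least 2048 bits, but not 4096 (CSCut53512).
key_size_acceptable() {
  [ "$1" -ge 2048 ] 2>/dev/null && [ "$1" -ne 4096 ]
}

# Subject CN and SAN must both name the FQDN clients will connect to.
csr_has_cn() {
  openssl req -in "$WORKDIR/CSR.csr" -noout -subject -nameopt RFC2253 2>/dev/null |
    grep -q "CN=$1"
}

csr_has_san() {
  openssl req -in "$WORKDIR/CSR.csr" -noout -text 2>/dev/null | grep -q "DNS:$1"
}

# Runs the whole chain; returns non-zero at the first failed check.
run_csr_pipeline() {
  write_csr_config && generate_csr && csr_signature_ok && key_matches_csr &&
    key_size_acceptable "$(csr_key_bits)" && csr_has_cn "$FQDN" && csr_has_san "$FQDN"
}

run_csr_pipeline && echo "CSR ready for the CA: $WORKDIR/CSR.csr"
```

Set WORKDIR to a directory of your choice to keep the key and CSR; otherwise they are written under a fresh mktemp directory. The checks are deliberately separate functions so a failing one names the problem (wrong key, wrong size, missing SAN) rather than just a generic failure.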
     

 

 
