ASA 8.x Manually Install SSL Certificate for use with WebVPN Configuration

Step 1. Verify that the Date, Time, and Time Zone Values are Accurate

ASDM Procedure

  1. Click Configuration, and then click Device Setup.

  2. Expand System Time, and choose Clock.

  3. Verify that the information listed is accurate.

    The values for Date, Time, and Time Zone must be accurate in order for proper certificate validation to occur.


Command Line Example

ciscoasa#show clock
11:02:20.244 UTC Thu Jul 19 2007
ciscoasa#

Step 2. Generate a Certificate Signing Request

A certificate signing request (CSR) is required in order for the 3rd party CA to issue an identity certificate. The CSR contains your ASA’s distinguished name (DN) string along with the ASA’s generated public key. The ASA uses the generated private key to digitally sign the CSR.

ASDM Procedure

  1. Click Configuration, and then click Device Management.

  2. Expand Certificate Management, and choose Identity Certificates.

  3. Click Add.


  4. Click the Add a new identity certificate radio button.

  5. For the Key Pair, click New.


  6. Click the Enter new key pair name radio button. You should distinctly identify the key pair name for recognition purposes.

  7. Click Generate Now.

    The key pair should now be created.

  8. To define the Certificate Subject DN, click Select, and configure the attributes listed in this table:

    Table 4.1: DN Attributes

    Attribute   Description
    CN          FQDN (Fully Qualified Domain Name) that will be used for connections to your firewall. EX:
    OU          Department Name
    O           Company Name (Avoid using Special Characters)
    C           Country Code (2 Letter Code without Punctuation)
    St          State (Must be spelled out completely EX: North Carolina)
    L           City

    In order to configure these values, choose a value from the Attribute drop-down list, enter the value, and click Add.


    Note: Some 3rd party vendors require particular attributes to be included before an identity certificate is issued. If you are unsure of the required attributes, check with your vendor for details.

  9. Once the appropriate values are added, click OK.

    The Add Identity Certificate dialog box appears with the Certificate Subject DN field populated.

  10. Click Advanced.


  11. In the FQDN field, enter the FQDN that will be used to access the device from the internet.

    This value should be the same FQDN you used for the Common Name (CN).

  12. Click OK, and then click Add Certificate.

    You are prompted to save the CSR to a file on your local machine.


  13. Click Browse, choose a location in which to save the CSR, and save the file with the .txt extension.

    Note: When you save the file with a .txt extension, you can open the file with a text editor (such as Notepad) and view the PKCS#10 request.

  14. Submit the saved CSR to your 3rd party vendor. Once you submit the CSR, the vendor will provide you with the identity certificate to be installed on the ASA.
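
Before submitting the CSR in step 14, you can confirm on your workstation that the saved file matches what steps 8 through 13 were meant to produce. The script below is an added example, not part of the original procedure. It assumes the saved file is PEM-encoded and that the openssl command-line tool is installed; the FQDN vpn.example.com, the sample subject values, and the 2048-bit minimum key size are placeholders.

```sh
#!/bin/sh
# check_csr FILE FQDN [MIN_BITS]: exit status 0 only if all three checks pass.
check_csr() {
    csr=$1; want_cn=$2; min_bits=${3:-2048}   # 2048 is an assumed policy floor

    # 1. The request must be signed by the private key matching its public key.
    #    Older OpenSSL releases exit 0 on failure, so match the message instead.
    if ! openssl req -in "$csr" -noout -verify 2>&1 | grep -q 'verify OK'; then
        echo "FAIL: self-signature does not verify" >&2; return 1
    fi

    # 2. The subject CN must be the FQDN clients will connect to (steps 8 and 11).
    cn=$(openssl req -in "$csr" -noout -subject -nameopt multiline |
         sed -n 's/^ *commonName *= //p' | head -n 1)
    if [ "$cn" != "$want_cn" ]; then
        echo "FAIL: CN is '$cn', expected '$want_cn'" >&2; return 1
    fi

    # 3. The public key must meet the minimum size.
    bits=$(openssl req -in "$csr" -noout -text |
           sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1)
    if [ "${bits:-0}" -lt "$min_bits" ]; then
        echo "FAIL: key is ${bits:-unknown} bits, need at least $min_bits" >&2; return 1
    fi
    echo "OK: CN=$cn, $bits-bit key, signature verifies"
}

# Constructed sample input: a throwaway CSR standing in for the file saved from the ASA.
make_sample_csr() {
    openssl req -new -newkey rsa:2048 -nodes -keyout /dev/null -out "$1" \
        -subj "/CN=vpn.example.com/OU=IT/O=Example Corp/C=US/ST=North Carolina/L=Raleigh" \
        2>/dev/null
}

if [ $# -ge 2 ]; then
    check_csr "$@"        # real use: sh check_csr.sh asa_csr.txt vpn.example.com
else                      # no arguments: run against the constructed sample
    sample=$(mktemp) && make_sample_csr "$sample" && check_csr "$sample" vpn.example.com
    rm -f "$sample"
fi
```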

Works well – GoDaddy / Starfield 5 year cert for $130
