If your firewall outside interfacing is facing outside network for remote management or using SSL VPN, you should deploy SSL certificate rather than self-signed certificate to get better security.
So, below steps can help you at "how to install and activate ssl certificate" on your Cisco ASA Firewall.
You only need 3 steps to do that.
1) Create TrustPoint and Generate a CSR
2) Enroll for Certificate
3) Install
But your Cisco ASA firewall must meet below requirement to do above steps.
1) Your ASA Firewall Software Version should be 8.0 and above.
2) You ASDM version should be 6.0 and above.
You can do above steps via Command Line but you can do mistake very easily if you are not CLI experts and this is first time for you.
So, I'd recommed you to use ASDM.
Step 1 & 2 : Generate TrustPoint and CSR, Enroll for Certificate
a) Generate TrustPoint and Key pair
1) Within ASDM, click Configuration > Device Management
2) Click Certificate Management > Identity Certificates > Add > Add a new identity certificate (Take note the TrustPoint Name in this steps as you need to use it with generate key later)
3) For the Key Pair, click New > Enter new key pair name
4) Enter a unique key pair name for the certificate
5) Select the key size as 2048
6) To complete the generation of the key pair, click Generate Now
b) Generate a certificate signing request (CSR) file
1) To enter certificate information, click Select
2) From the drop-down list, select the following attributes > enter value > click Add
3) The following fields are required:
- Country Name (C): Use the two-letter code without punctuation for country, for example: US or CA.
- State or Province (S): Spell out the state completely; do not abbreviate the state or province name, for example: California.
- Locality or City (L): The Locality field is the city or town name, for example: Berkeley.
- Organization (O): If your company or department has an &, @, or any other symbol using the shift key in its name, you must spell out the symbol or omit it to enroll, for example: XY & Z Corporation would be XYZ Corporation or XY and Z Corporation.
- Organizational Unit (OU): This field is the name of the department or organization unit making the request.
- Common Name (CN): The Common Name is the Host + Domain Name. It looks like "www.company.com" or "company.com".
4) Once the appropriate values are added, click OK > Advanced
5) In the FQDN field, enter the FQDN that will be used to access the device from the Internet:
NOTE - If enrolling for a Subject Alternative Name certificate leave this field blank.
6) Click OK > Add Certificate > Browse
7) Choose a location where to save the request file
8) In this step, you can go Publisher Website and verify your CSR for the information you put above whether correct or not.
9) Once you confirmed all information, proceed with Enrollment.
3) Install the SSL Certificate
After you wait around 30 minutes (miniumun) to 3 days (maximum), your SSL Certificate will be ready to use.
The Publisher will send your certificate via email to you or you can download it from their website too.
For Cisco ASA SSL Certificate installation, you need below certificate download and save them in your PC as (.pem or .crt format) first.
- Root CA Certificate
- Primary and Secondary Intermediate CA Certificates
Let's install Root and Intermediate CA certificates now.
a) Install the Symantec Root (CA) Certificate
1) Within ASDM, click Configuration > Device Management
2) Click Certificate Management > CA Certificates
3) Click Add
4) Click Paste certificate in PEM Format > paste the root certificate into the text field (Open saved Root Certificate with Notepad and copy, paste)
5) Click Install Certificate
A dialog box appears that confirms the installation was successful.
b) Install the Symantec Intermediate (CA) Certificates
1) Within ASDM, click Configuration > Device Management
2) Click Certificate Management > CA Certificates
3) Click Add
4) Click Paste certificate in PEM Format > paste the Primary Intermediate certificate into the text field (Open saved Intermediate Certificate with Notepad and copy, paste)
5) Click Install Certificate
6) Repeat the same steps to install the Secondary Intermediate certificate
A dialog box appears that confirms the installation was successful.
c) Obtain the SSL Certificate
1) The SSL certificate will be sent from publisher by email. The certificate is included as an attachment (Cert.cer) and it is also imbedded in the body of the email.
2) Copy and paste the certificate into a text file using Notepad
The text file should look like:
-----BEGIN CERTIFICATE-----
[encoded data]
-----END CERTIFICATE-----
3) Make sure there are 5 dashes to either side of the BEGIN CERTIFICATE and END CERTIFICATE and that no white spaces,
extra line breaks or additional characters have been inadvertently added.
NOTE: You can also download the certificate from your Publisher account at their website.
4) Save the file as (.pem or .crt format) in your PC.
d) Install the SSL Certificate
1) Click Configuration > Device Management
2) Click Certificate Management > Identity Certificates
3) Select the identity certificate you created (The Expiry Date should display Pending)
4) Click Install
5) Click Paste the certificate data in base-64 format > paste the certificate into the text field
6) Click Install Certificate
A dialog box appears that confirms the installation was successful.
e) Activate the newly installed SSL certificate for use
1) Click Configuration > Device Management
2) Expand Advanced, and then expand SSL Settings
3) Under Certificates, select the interface that is used to termintate WebVPN sessions
4) Click Edit
5) In the Certificate drop-down list, choose the certificate that you just installed
6) Click OK
7) Click Apply
8) Your new certificate should now be activated for use with your ASA.
9) You can verify the installation of your certificate with tools that provide from publisher or tools from third party publisher (like digicert).
Yes. Now your SSL Certificate has been installed and activated.
May you all be happy.
(Be knowledgeable, pass it on then)
So, below steps can help you at "how to install and activate ssl certificate" on your Cisco ASA Firewall.
You only need 3 steps to do that.
1) Create TrustPoint and Generate a CSR
2) Enroll for Certificate
3) Install
But your Cisco ASA firewall must meet below requirement to do above steps.
1) Your ASA Firewall Software Version should be 8.0 and above.
2) You ASDM version should be 6.0 and above.
You can do above steps via Command Line but you can do mistake very easily if you are not CLI experts and this is first time for you.
So, I'd recommed you to use ASDM.
Step 1 & 2 : Generate TrustPoint and CSR, Enroll for Certificate
a) Generate TrustPoint and Key pair
1) Within ASDM, click Configuration > Device Management
2) Click Certificate Management > Identity Certificates > Add > Add a new identity certificate (Take note the TrustPoint Name in this steps as you need to use it with generate key later)
3) For the Key Pair, click New > Enter new key pair name
4) Enter a unique key pair name for the certificate
5) Select the key size as 2048
6) To complete the generation of the key pair, click Generate Now
1) To enter certificate information, click Select
2) From the drop-down list, select the following attributes > enter value > click Add
3) The following fields are required:
- Country Name (C): Use the two-letter code without punctuation for country, for example: US or CA.
- State or Province (S): Spell out the state completely; do not abbreviate the state or province name, for example: California.
- Locality or City (L): The Locality field is the city or town name, for example: Berkeley.
- Organization (O): If your company or department has an &, @, or any other symbol using the shift key in its name, you must spell out the symbol or omit it to enroll, for example: XY & Z Corporation would be XYZ Corporation or XY and Z Corporation.
- Organizational Unit (OU): This field is the name of the department or organization unit making the request.
- Common Name (CN): The Common Name is the Host + Domain Name. It looks like "www.company.com" or "company.com".
4) Once the appropriate values are added, click OK > Advanced
5) In the FQDN field, enter the FQDN that will be used to access the device from the Internet:
NOTE - If enrolling for a Subject Alternative Name certificate leave this field blank.
6) Click OK > Add Certificate > Browse
7) Choose a location where to save the request file
8) In this step, you can go Publisher Website and verify your CSR for the information you put above whether correct or not.
9) Once you confirmed all information, proceed with Enrollment.
3) Install the SSL Certificate
After you wait around 30 minutes (miniumun) to 3 days (maximum), your SSL Certificate will be ready to use.
The Publisher will send your certificate via email to you or you can download it from their website too.
For Cisco ASA SSL Certificate installation, you need below certificate download and save them in your PC as (.pem or .crt format) first.
- Root CA Certificate
- Primary and Secondary Intermediate CA Certificates
Let's install Root and Intermediate CA certificates now.
a) Install the Symantec Root (CA) Certificate
1) Within ASDM, click Configuration > Device Management
2) Click Certificate Management > CA Certificates
3) Click Add
4) Click Paste certificate in PEM Format > paste the root certificate into the text field (Open saved Root Certificate with Notepad and copy, paste)
5) Click Install Certificate
A dialog box appears that confirms the installation was successful.
b) Install the Symantec Intermediate (CA) Certificates
1) Within ASDM, click Configuration > Device Management
2) Click Certificate Management > CA Certificates
3) Click Add
4) Click Paste certificate in PEM Format > paste the Primary Intermediate certificate into the text field (Open saved Intermediate Certificate with Notepad and copy, paste)
5) Click Install Certificate
6) Repeat the same steps to install the Secondary Intermediate certificate
A dialog box appears that confirms the installation was successful.
c) Obtain the SSL Certificate
1) The SSL certificate will be sent from publisher by email. The certificate is included as an attachment (Cert.cer) and it is also imbedded in the body of the email.
2) Copy and paste the certificate into a text file using Notepad
The text file should look like:
-----BEGIN CERTIFICATE-----
[encoded data]
-----END CERTIFICATE-----
3) Make sure there are 5 dashes to either side of the BEGIN CERTIFICATE and END CERTIFICATE and that no white spaces,
extra line breaks or additional characters have been inadvertently added.
NOTE: You can also download the certificate from your Publisher account at their website.
4) Save the file as (.pem or .crt format) in your PC.
d) Install the SSL Certificate
1) Click Configuration > Device Management
2) Click Certificate Management > Identity Certificates
3) Select the identity certificate you created (The Expiry Date should display Pending)
4) Click Install
5) Click Paste the certificate data in base-64 format > paste the certificate into the text field
6) Click Install Certificate
A dialog box appears that confirms the installation was successful.
e) Activate the newly installed SSL certificate for use
1) Click Configuration > Device Management
2) Expand Advanced, and then expand SSL Settings
3) Under Certificates, select the interface that is used to termintate WebVPN sessions
4) Click Edit
5) In the Certificate drop-down list, choose the certificate that you just installed
6) Click OK
7) Click Apply
8) Your new certificate should now be activated for use with your ASA.
9) You can verify the installation of your certificate with tools that provide from publisher or tools from third party publisher (like digicert).
Yes. Now your SSL Certificate has been installed and activated.
May you all be happy.
(Be knowledgeable, pass it on then)
Comments
Post a Comment