Tech Document Sep 25, 2018

How to Install Certificates on Cisco ASA 5500 VPN

This article explains in detail how to install certificates on a Cisco ASA 5500 VPN.

Installing your SSL Certificate in the Adaptive Security Device Manager (ASDM)

  1. Download your Intermediate and Primary Certificate files (the XYZRSAAddTrustCA.crt/XYZRSADomain/Organization/EVSecureServerCA.crt and your_domainname_com.crt) from your Customer Account to the directory where you will keep your certificate files.
  2. In ASDM select "Configuration" and then "Device Management."
  3. Expand "Certificate Management" and select "CA Certificates" and then "Add."
  4. With the "Install from a file" option selected, browse to the intermediate certificate file (XYZRSAAddTrustCA.crt on the first pass, XYZRSADomain/Organization/EVvalidationSecureServerCA.crt on the second) and then click the "Install Certificate" button at the bottom of the "Install Certificate" window.

    Your Intermediate (or chain) certificate file is now installed. You will now need to install the your_domainname_com.crt file.

Note: There are 2 intermediates, so you will have to do this step twice.

  1. In ASDM select "Configuration" and then "Device Management."
  2. Expand "Certificate Management" and select "Identity Certificates."
  3. Select the identity certificate that was created when your CSR was generated (the "Issued By" field should show as not available and the "Expiry Date" field will show Pending...). Click the Install button.
  4. Browse to the appropriate identity certificate (the your_domainname_com.crt provided by us) and click "Install Certificate."

    At this point you should receive confirmation that the certificate installation was successful.

Configuring WebVPN with ASDM to Use the New SSL Certificate

  1. In ASDM select "Configuration" and then "Device Management."
  2. Click "Advanced" and then "SSL Settings."
  3. From "Certificates," choose the interface used to terminate WebVPN sessions, and then choose "Edit."
  4. From the "Certificate" drop-down, select the newly installed certificate, then "OK," and then "Apply."

    Configuring your certificate for use with the selected kind of WebVPN session is now complete.

Cisco SSL Certificates, Guides, & Tutorials

SSL Certificate Installation from the Cisco ASA command line (alternate installation method)

  1. From the ciscoasa(config)# line, enter the following text:

    crypto ca authenticate my.xyz.trustpoint

    Where my.xyz.trustpoint is the name of the trustpoint created when your certificate request was generated.

  2. Next, enter the entire body of the xyzRSAAddTrustCA.crt file followed by the word "quit" on a line by itself (the xyzRSAAddTrustCA.crt file can be opened and edited with a standard text editor, and the entire body of that file should be entered when prompted).

Note: Since there are 2 intermediates provided, you will have to do this step again for the additional intermediate "xyzRSADomain/Organization/EVvalidationSecureServerCA.crt".

  3. When asked to accept the certificate, enter "yes".
  4. When the certificate has been successfully imported, enter "exit".

    Your Intermediate (or chain) certificate file is now installed. You will now need to install the your_domainname_com.crt file.

  5. From the ciscoasa(config)# line, enter the following text:

    crypto ca import my.xyz.trustpoint certificate

    Where my.xyz.trustpoint is the name of the trustpoint created when your certificate request was generated.

  6. Next, enter the entire body of the your_domainname_com.crt file followed by the word "quit" on a line by itself (the your_domainname_com.crt file can be opened and edited with a standard text editor, and the entire body of that file should be entered when prompted).

    You should then receive a message that the certificate was successfully imported.
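The paste step above takes one certificate at a time, followed by "quit". The following is an added example, not part of the original article or any Cisco tooling: a pre-paste check that a .crt file holds exactly one well-formed PEM certificate and that builds the exact lines to type. The function names and the sample data are assumptions made for illustration.

```python
import base64
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.S)

def pem_blocks(text):
    """Return the DER bytes of every certificate block found in a PEM file body."""
    ders = []
    for body in PEM_RE.findall(text):
        # validate=True rejects stray non-base64 characters left by an editor
        der = base64.b64decode("".join(body.split()), validate=True)
        if der[:1] != b"\x30":  # an X.509 certificate in DER starts with a SEQUENCE tag
            raise ValueError("block does not decode to a DER SEQUENCE")
        ders.append(der)
    return ders

def asa_paste(command, pem_text):
    """Build the lines to enter: the command, one certificate body, then quit."""
    ders = pem_blocks(pem_text)
    if len(ders) != 1:
        # A bundle holding both intermediates must be split: one per pass.
        raise ValueError(f"expected 1 certificate, found {len(ders)}")
    b64 = base64.b64encode(ders[0]).decode()
    lines = [command, "-----BEGIN CERTIFICATE-----"]
    lines += [b64[i:i + 64] for i in range(0, len(b64), 64)]  # re-wrap, drops CRLF
    lines += ["-----END CERTIFICATE-----", "quit"]
    return "\n".join(lines)

# Constructed sample: a DER-shaped byte string with CRLF line endings,
# not a real certificate.
SAMPLE_DER = b"\x30\x82\x01\x00" + bytes(range(256))
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\r\n"
              + base64.encodebytes(SAMPLE_DER).decode().replace("\n", "\r\n")
              + "-----END CERTIFICATE-----\r\n")

if __name__ == "__main__":
    print(asa_paste("crypto ca authenticate my.xyz.trustpoint", SAMPLE_PEM))
```

Run it against each intermediate file and against your_domainname_com.crt in turn; a ValueError means the file should be fixed before anything is pasted into the ASA session.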

Configuring WebVPN to Use the New SSL Certificate from the Cisco ASA command line

  1. From the ciscoasa(config)# line, enter the following text:

    ssl trust-point my.xyz.trustpoint outside

    wr mem

    Where my.xyz.trustpoint is the name of the trustpoint created when your certificate request was generated and "outside" is the name of the interface being configured.

    Make sure to save the configuration.