Cisco ASA 5500 Series Configuration Guide using the CLI
Chapter 41 Configuring Digital Certificates
Configuring Digital Certificates
Obtaining Certificates Manually
To obtain certificates manually, perform the following steps:
Step 1

Command: crypto ca authenticate trustpoint

Example:
hostname(config)# crypto ca authenticate Main
Enter the base 64 encoded CA certificate.
End with a blank line or the word "quit" on a line by itself
MIIDRTCCAu+gAwIBAgIQKVcqP/KW74VP0NZzL+JbRTANBgkqhkiG9w0BAQUFADCB
[ certificate data omitted ]
/7QEM8izy0EOTSErKu7Nd76jwf5e4qttkQ==
quit
INFO: Certificate has the following attributes:
Fingerprint: 24b81433 409b3fd5 e5431699 8d490d34
Do you accept this certificate? [yes/no]: y
Trustpoint CA certificate accepted.
% Certificate successfully imported
Purpose: Imports the CA certificate for the configured trustpoint. Before you answer yes at the prompt, compare the fingerprint that the ASA displays with the fingerprint of the CA certificate that you obtained through a trusted channel (for example, as published by the CA operator). If the values differ, answer no: accepting a CA certificate that you have not verified would let whoever substituted it issue certificates that the ASA trusts.

Note: This step assumes that you have already obtained a base-64 encoded CA certificate from the CA represented by the trustpoint. Whether a trustpoint requires that you manually obtain certificates is determined by the use of the enrollment terminal command when you configure the trustpoint. For more information, see the “Configuring Trustpoints” section on page 41-10.
Step 2

Command: crypto ca enroll trustpoint

Example:
hostname(config)# crypto ca enroll Main
% Start certificate enrollment ..
% The fully-qualified domain name in the certificate will be: securityappliance.example.com
% Include the device serial number in the subject name? [yes/no]: n
Display Certificate Request to terminal? [yes/no]: y
Certificate Request follows:
MIIBoDCCAQkCAQAwIzEhMB8GCSqGSIb3DQEJAhYSRmVyYWxQaXguY2lzY28uY29t
[ certificate request data omitted ]
jF4waw68eOxQxVmdgMWeQ+RbIOYmvt8g6hnBTrd0GdqjjVLt
---End - This line not part of the certificate request---
Redisplay enrollment request? [yes/no]: n
Purpose: Enrolls the ASA with the trustpoint. Generates a certificate request for the signing key and, depending on the type of keys that you have configured, a second request for the encryption key. If you use separate RSA keys for signing and encryption, the crypto ca enroll command displays two certificate requests, one for each key. If you use general-purpose RSA keys for both signing and encryption, the command displays one certificate request. A request carries only the public key and the requested subject name; the private key stays on the ASA.

To complete enrollment, submit every certificate request that the crypto ca enroll command generated to the CA represented by the applicable trustpoint and obtain a certificate for each one. Make sure that each certificate is in base-64 format.
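The check that Step 1 asks for, answering yes only when the displayed fingerprint matches the CA certificate obtained out of band, is easy to get wrong by eye because different tools print the same digest with different separators and letter case. The following Python is an added example written for this page, not Cisco code or output: it decodes a PEM or bare base-64 certificate (as pasted at the ASA prompt, trailing quit line included) to DER, computes the fingerprint, and formats it in the grouped style the ASA uses. The certificate bytes in SAMPLE_DER are constructed and are not a real certificate, so the computed digest deliberately does not match the fingerprint on the page. The function names (pem_to_der, fingerprint, asa_format, normalize, fingerprint_matches) are this example's own, and it assumes that the 32-hex-digit fingerprint shown on the page is an MD5 digest of the DER encoding, which is what its length implies; for a device that prints a SHA-1 or SHA-256 fingerprint, pass that algorithm name instead.

```python
"""Verify a CA certificate fingerprint before accepting it at the
'crypto ca authenticate' prompt. Added example; not Cisco documentation code."""
import base64
import hashlib
import re

# Fingerprint exactly as the ASA printed it in the Step 1 example.
DISPLAYED_ON_PAGE = "24b81433 409b3fd5 e5431699 8d490d34"

# Constructed sample standing in for the base-64 CA certificate file you
# obtained from the CA through a trusted channel. These bytes are NOT a real
# X.509 certificate, so their digest will not match DISPLAYED_ON_PAGE; a
# mismatch (answer "no" at the prompt) is the expected result for this sample.
SAMPLE_DER = b"constructed sample: not a real X.509 certificate"
SAMPLE_B64 = base64.b64encode(SAMPLE_DER).decode("ascii")
SAMPLE_CA_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + "\n".join(SAMPLE_B64[i:i + 64] for i in range(0, len(SAMPLE_B64), 64))
    + "\n-----END CERTIFICATE-----\n"
)

_ARMOR = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S
)


def pem_to_der(text: str) -> bytes:
    """Return the DER bytes of a base-64 certificate.

    Accepts a PEM file with BEGIN/END armor or the bare base-64 body as it
    would be pasted at the ASA prompt; blank lines and a trailing 'quit'
    terminator are ignored. validate=True rejects stray characters instead of
    silently dropping them.
    """
    match = _ARMOR.search(text)
    body = match.group(1) if match else text
    lines = [ln.strip() for ln in body.splitlines()]
    lines = [ln for ln in lines if ln and ln.lower() != "quit"]
    return base64.b64decode("".join(lines), validate=True)


def normalize(fp: str) -> str:
    """Drop the separators different tools use (spaces, colons) and lower-case,
    so '24:B8:14:33' and '24b81433' compare equal."""
    return re.sub(r"[^0-9a-fA-F]", "", fp).lower()


def fingerprint(der: bytes, algo: str = "md5") -> str:
    """Hex digest over the DER encoding. The 32-digit fingerprint on the page is
    consistent with MD5 (assumption); use 'sha1' or 'sha256' for devices that
    print longer fingerprints."""
    return hashlib.new(algo, der).hexdigest()


def asa_format(hexdigest: str) -> str:
    """Group a hex digest the way the ASA prints it: 8 hex digits per group."""
    digest = normalize(hexdigest)
    return " ".join(digest[i:i + 8] for i in range(0, len(digest), 8))


def fingerprint_matches(displayed: str, cert_text: str, algo: str = "md5") -> bool:
    """True only when the fingerprint the device displayed equals the digest of
    the CA certificate you obtained out of band. Answer 'yes' at the prompt
    only in that case."""
    expected = fingerprint(pem_to_der(cert_text), algo)
    return normalize(displayed) == expected


if __name__ == "__main__":
    der = pem_to_der(SAMPLE_CA_PEM)
    print("computed from CA file:", asa_format(fingerprint(der)))
    print("displayed by the ASA :", DISPLAYED_ON_PAGE)
    print("accept at the prompt? ", fingerprint_matches(DISPLAYED_ON_PAGE, SAMPLE_CA_PEM))
```

Run it against the real CA file in place of SAMPLE_CA_PEM; the comparison works on the DER bytes, so the certificate needs no parsing, and the same normalize step lets you compare against an openssl-style colon-separated fingerprint published by the CA.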