44-19
Cisco ASA 5500 Series Configuration Guide using ASDM
Chapter 44 Configuring Digital Certificates
Configuring Identity Certificates Authentication
Exporting an Identity Certificate
You can export a certificate configuration with all associated keys and certificates in PKCS12 format,
a public key cryptography standard; the export can be base64 encoded or in hexadecimal format. A
complete configuration includes the entire chain (root CA certificate, identity certificate, key pair) but
not enrollment settings (subject name, FQDN and so on). This feature is commonly used in a failover or
load-balancing configuration to replicate certificates across a group of ASAs; for example, remote
access clients calling in to a central organization that has several units to service the calls. These units
must have equivalent certificate configurations. In this case, an administrator can export a certificate
configuration and then import it across the group of ASAs.
To export an identity certificate, perform the following steps:
Step 1 Click Export to display the Export Certificate dialog box.
Step 2 Enter the name of the PKCS12 format file to use in exporting the certificate configuration. Alternatively,
click Browse to display the Export ID Certificate File dialog box to find the file to which you want to
export the certificate configuration.
Step 3 Choose the certificate format by clicking the PKCS12 Format radio button or the PEM Format radio
button.
Step 4 Enter the passphrase used to encrypt the PKCS12 file for export.
Step 5 Confirm the encryption passphrase.
Step 6 Click Export Certificate to export the certificate configuration.
An information dialog box appears, informing you that the certificate configuration file has been
successfully exported to the location that you specified.
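Before importing the exported file on the other ASAs in the group, it is worth confirming on a management workstation that the passphrase opens it and that it really contains the chain and a private key matching the identity certificate. The script below is an added example, not part of the Cisco guide; it assumes the OpenSSL command-line tool and a binary PKCS12 file, and all file names, subject names and passphrases in it are constructed.

```shell
#!/bin/sh
# Added example: verify a PKCS12 export before importing it on the other ASAs.
# Assumes the OpenSSL CLI; all names, subjects and passphrases are constructed.

# make_sample_p12 DIR PASS: build a constructed bundle (root CA certificate,
# identity certificate, key pair) in DIR/bundle.p12 so the check runs offline.
make_sample_p12() (
    d=$1; P12_PASS=$2; export P12_PASS
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example Root CA" \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes -subj "/CN=asa1.example.com" \
        -keyout "$d/id.key" -out "$d/id.csr" 2>/dev/null &&
    openssl x509 -req -in "$d/id.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -out "$d/id.pem" 2>/dev/null &&
    openssl pkcs12 -export -inkey "$d/id.key" -in "$d/id.pem" -certfile "$d/ca.pem" \
        -passout env:P12_PASS -out "$d/bundle.p12"
)

# check_p12 FILE PASS: prints "certs=<n> key_match=<yes|no>", or "unreadable"
# when the passphrase is wrong or the file is damaged. Non-zero on any failure.
check_p12() (
    f=$1; P12_PASS=$2; export P12_PASS   # env:, so the passphrase is not in argv
    openssl pkcs12 -in "$f" -passin env:P12_PASS -noout 2>/dev/null ||
        { echo "unreadable"; exit 1; }
    # Every certificate in the bundle (identity certificate plus CA chain).
    n=$(openssl pkcs12 -in "$f" -passin env:P12_PASS -nokeys 2>/dev/null |
        grep -c 'BEGIN CERTIFICATE' || true)
    # Public key of the identity certificate vs. public key derived from the
    # private key; the key is piped, never written to disk unencrypted.
    cert_pub=$(openssl pkcs12 -in "$f" -passin env:P12_PASS -clcerts -nokeys 2>/dev/null |
        openssl x509 -noout -pubkey 2>/dev/null || true)
    key_pub=$(openssl pkcs12 -in "$f" -passin env:P12_PASS -nocerts -nodes 2>/dev/null |
        openssl pkey -pubout 2>/dev/null || true)
    if [ -n "$key_pub" ] && [ "$cert_pub" = "$key_pub" ]; then
        echo "certs=$n key_match=yes"
    else
        echo "certs=$n key_match=no"; exit 1
    fi
)

# Demo on the constructed bundle.
demo_dir=$(mktemp -d) && make_sample_p12 "$demo_dir" 'constructed-pass' &&
    check_p12 "$demo_dir/bundle.p12" 'constructed-pass'
rm -rf "$demo_dir"
```

A certificate count lower than expected means the chain is incomplete, and the file, which holds the private key, should be deleted from the workstation once the import is done.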
Generating a Certificate Signing Request
To generate a certificate signing request to send to Entrust, perform the following steps:
Step 1 Click Enroll ASA SSL VPN with Entrust to display the Generate Certificate Signing Request dialog
box.
Step 2 In the Key Pair area, perform the following steps:
a. Choose one of the configured key pairs from the drop-down list.
b. Click Show to display the Key Details dialog box, which provides information about the selected
key pair, including date and time generated, usage (general or special purpose), modulus size, and
key data.
c. Click OK when you are done to close the Key Details dialog box.
d. Click New to display the Add Key Pair dialog box. To continue, go to Step 8 of the “Adding or
Importing an Identity Certificate” section on page 44-16. When you generate the key pair, you can
send it to the ASA or save it to a file.
Step 3 In the Certificate Subject DN area, enter the following information:
a. The FQDN or IP address of the ASA.
b. The name of the company.