Cisco ASA 5500 VPN Certificate Installation
Posted by Support Team Lead - FL, Last modified by Support Team Lead - FL on December 06 2016 14:05

Install SSL Certificate in Cisco Adaptive Security Appliance 5500

If you have not yet created a Certificate Signing Request (CSR) and ordered your certificate, see
SSL Certificate CSR Creation for Cisco ASA 5500 VPN.

Installing your SSL Certificate in the Adaptive Security Device Manager (ASDM)

For SSL Installation instructions showing the GUI, please see
Cisco ASA 5520 SSL Installation Instructions.

  1. Download your Intermediate and Primary Certificate files (the ComodoRSAAddTrustCA.crt/ComodoRSADomain/Organization/EVSecureServerCA.crt and your_domainname_com.crt) from your Comodo Customer Account to the directory where you will keep your certificate files.

  2. In ASDM select "Configuration" and then "Device Management."

  3. Expand "Certificate Management" and select "CA Certificates" and then "Add."

  4. With the option selected to "Install from a file," browse to the ComodoRSAAddTrustCA.crt and ComodoRSADomain/Organization/EVvalidationSecureServerCA.crt file and then click the "Install Certificate" button at the bottom of the "Install Certificate" window.

    Your Intermediate (or chain) certificate file is now installed. You will now need to install the your_domainname_com.crt file.

Note: There are 2 intermediates, so you will have to do this step twice, once for each file.

  1. In ASDM select "Configuration" and then "Device Management."

  2. Expand "Certificate Management" and select "Identity Certificates."

  3. Select the appropriate identity certificate from when your CSR was generated (the "Issued By" field should show as not available and the "Expiry Date" field will show Pending...). Click the Install button.

  4. Browse to the appropriate identity certificate (the your_domainname_com.crt provided by Comodo) and click "Install Certificate."

    At this point you should receive confirmation that the certificate installation was successful.

Configuring WebVPN with ASDM to Use the New SSL Certificate

  1. In ASDM select "Configuration" and then "Device Management."

  2. Click "Advanced" and then "SSL Settings."

  3. From "Certificates," choose the interface used to terminate WebVPN sessions, and then choose "Edit."

  4. From the "Certificate" drop-down, select the newly installed certificate, then "OK," and then "Apply."

    Configuring your certificate for use with the selected kind of WebVPN session is now complete.


SSL Certificate Installation from the Cisco ASA command line (alternate installation method)

  1. From the ciscoasa(config)# line, enter the following text:

    crypto ca authenticate my.comodo.trustpoint

    Where my.comodo.trustpoint is the name of the trustpoint created when your certificate request was generated.

  2. Next, enter the entire body of the ComodoRSAAddTrustCA.crt file followed by the word "quit" on a line by itself (the ComodoRSAAddTrustCA.crt file can be opened and edited with a standard text editor, and the entire body of that file should be entered when prompted).

Note: Since there are 2 intermediates provided, you will have to do this step again for the additional intermediate "ComodoRSADomain/Organization/EVvalidationSecureServerCA.crt".

  1. When asked to accept the certificate, enter "yes".

  2. When the certificate has been successfully imported, enter "exit".

    Your Intermediate (or chain) certificate file is now installed. You will now need to install the your_domainname_com.crt file.

  3. From the ciscoasa(config)# line, enter the following text:

    crypto ca import my.comodo.trustpoint certificate

    Where my.comodo.trustpoint is the name of the trustpoint created when your certificate request was generated.

  4. Next, enter the entire body of the your_domainname_com.crt file followed by the word "quit" on a line by itself (the your_domainname_com.crt file can be opened and edited with a standard text editor, and the entire body of that file should be entered when prompted).

    You should then receive a message that the certificate was successfully imported.
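
The command-line paste fails if a file is binary DER, holds more than one certificate, or carries stray characters from an editor. The following pre-flight check is an added example, not part of the original article or any Cisco or Comodo tooling: it splits the PEM files into one clean block per command and reports a SHA-256 fingerprint for each, which you can compare with the value your CA publishes before answering "yes". The helper names are hypothetical, the sample bytes are constructed placeholders rather than real certificates, and the check covers file format only, not signatures or chain validity.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def split_pem(text):
    """Return the DER bytes of each certificate block in PEM text."""
    ders = []
    for body in PEM_RE.findall(text):
        # "".join(body.split()) drops CR/LF and indentation left by editors.
        der = base64.b64decode("".join(body.split()), validate=True)
        if not der.startswith(b"\x30"):  # a certificate is a DER SEQUENCE
            raise ValueError("block is not a DER-encoded certificate")
        ders.append(der)
    if not ders:
        raise ValueError("no PEM block found; file may be binary DER")
    return ders

def to_pem(der):
    """Re-emit one certificate as clean 64-column PEM."""
    b64 = base64.b64encode(der).decode()
    rows = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join(
        ["-----BEGIN CERTIFICATE-----", *rows, "-----END CERTIFICATE-----"])

def asa_steps(trustpoint, intermediates_pem, identity_pem):
    """Return (command, paste_text, sha256) per certificate, CA certs first."""
    identity = split_pem(identity_pem)
    if len(identity) != 1:
        raise ValueError("identity file must hold exactly one certificate")
    steps = [(f"crypto ca authenticate {trustpoint}", der)
             for der in split_pem(intermediates_pem)]
    steps.append((f"crypto ca import {trustpoint} certificate", identity[0]))
    return [(cmd, to_pem(der) + "\nquit", hashlib.sha256(der).hexdigest())
            for cmd, der in steps]

def fake_cert(tag):
    """Constructed placeholder bytes shaped like DER; not a real certificate."""
    return b"\x30\x82\x00\x40" + tag * 64

if __name__ == "__main__":
    chain = "\r\n".join(to_pem(fake_cert(t)) for t in (b"A", b"B"))  # CRLF file
    for cmd, paste, fp in asa_steps(
            "my.comodo.trustpoint", chain, to_pem(fake_cert(b"C"))):
        print(cmd, paste, "sha256=" + fp, sep="\n")
```
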

Configuring WebVPN to Use the New SSL Certificate from the Cisco ASA command line

  1. From the ciscoasa(config)# line, enter the following text:

    ssl trust-point my.comodo.trustpoint outside

    wr mem

    Where my.comodo.trustpoint is the name of the trustpoint created when your certificate request was generated and "outside" is the name of the interface being configured.

    Make sure to save the configuration.

Troubleshooting:

  1. If your web site is publicly accessible, our SSL Certificate Tester tool can help you diagnose common problems.

  2. Open a web browser and visit your site using https. It is best to test with both Internet Explorer and Firefox, because Firefox will give you a warning if your intermediate certificate is not installed. You should not receive any browser warnings or errors. If you immediately receive a browser message about the site not being available, then the server may not yet be listening on port 443. If your web request takes a very long time and then times out, a firewall may be blocking traffic on TCP port 443 to the web server.
