08-22-2006 12:27 PM
I am trying to create a self enrolled certificate for use in our lab for testing on an ASA5520. A Cisco tech helped me create one once and I don't remember all the steps on how this was done. Can anyone help with this?
08-23-2006 03:07 PM
You can create a new trustpoint on the ASA and configure it for "enrollment self" like this.
1. Configure the trustpoint. (You can have multiple CNs, one for the IP address and one for the FQDN; this will allow connecting via IP address or hostname without a cert warning.)
wb5540-FO(config)# sh run cry ca tr selfsigned
crypto ca trustpoint selfsigned
enrollment self
subject-name CN=10.10.1.1, CN=wb5540-FO.cisco.com
crl configure
2. Enroll the trustpoint
crypto ca enroll selfsigned
% The fully-qualified domain name in the certificate will be: wb5540-FO
% Include the device serial number in the subject name? [yes/no]: n
Generate Self-Signed Certificate? [yes/no]: y
wb5540-FO(config)#
3. View the resulting certificate
wb5540-FO(config)# sh cry ca cer selfsigned
Certificate
Status: Available
Certificate Serial Number: 31
Certificate Usage: General Purpose
Public Key Type: RSA (1024 bits)
Issuer Name:
hostname=wb5540-FO
cn=10.10.1.1
cn=wb5540-FO.cisco.com
Subject Name:
hostname=wb5540-FO
cn=10.10.1.1
cn=wb5540-FO.cisco.com
Validity Date:
start date: 13:47:37 UTC Jan 25 2006
end date: 13:47:37 UTC Jan 23 2016
Associated Trustpoints: selfsigned
4. To assign it to be used for SSL, configure it like this:
ssl trust-point selfsigned
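An added example, not part of the original answer and not Cisco tooling: a small Python parser for the "sh cry ca cer" output shown in step 3 that reports what to review before such a certificate is used outside a lab (RSA key size below a policy floor, issuer equal to subject, expiry). The function names, the 2048-bit MIN_RSA_BITS floor and the embedded sample (constructed from the answer's output, with indentation added) are assumptions of this example.

```python
import re
from datetime import datetime
# Constructed sample: the certificate display from step 3 of the answer above.
SAMPLE = """\
Certificate
  Status: Available
  Certificate Serial Number: 31
  Certificate Usage: General Purpose
  Public Key Type: RSA (1024 bits)
  Issuer Name:
    hostname=wb5540-FO
    cn=10.10.1.1
    cn=wb5540-FO.cisco.com
  Subject Name:
    hostname=wb5540-FO
    cn=10.10.1.1
    cn=wb5540-FO.cisco.com
  Validity Date:
    start date: 13:47:37 UTC Jan 25 2006
    end date: 13:47:37 UTC Jan 23 2016
  Associated Trustpoints: selfsigned
"""
MIN_RSA_BITS = 2048  # assumption: local policy floor, not a value from the page

def parse_cert(text):
    cert = {"issuer": [], "subject": [], "bits": None}
    section = None  # name block (issuer/subject) currently being read
    for line in (l.strip() for l in text.splitlines()):
        if line in ("Issuer Name:", "Subject Name:"):
            section = "issuer" if line.startswith("Issuer") else "subject"
        elif m := re.match(r"Public Key Type: RSA \((\d+) bits\)", line):
            cert["bits"] = int(m.group(1))
        elif m := re.match(r"(start|end) date: (.+)", line):
            cert[m.group(1)] = datetime.strptime(m.group(2), "%H:%M:%S UTC %b %d %Y")
        elif section and "=" in line:  # attribute line inside a name block
            cert[section].append(line.lower())
        else:  # any other line ends the current name block
            section = None
    return cert

def audit(cert, now):
    findings = []
    if cert["bits"] is not None and cert["bits"] < MIN_RSA_BITS:
        findings.append(f"weak RSA key: {cert['bits']} bits")
    if cert["issuer"] and cert["issuer"] == cert["subject"]:
        findings.append("self-signed (issuer == subject)")
    if cert.get("end") and now > cert["end"]:
        findings.append("expired")
    return findings
```

Calling audit(parse_cert(SAMPLE), datetime.utcnow()) on saved device output returns the list of findings; an empty list means none of the three checks fired.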