Cisco Support Community
Create self enrolled Certificate for WebVPN

I am trying to create a self enrolled certificate for use in our lab for testing on an ASA5520. A Cisco tech helped me create one once and I don't remember all the steps on how this was done. Can anyone help with this?

Accepted Solution
Re: Create self enrolled Certificate for WebVPN

You can create a new trustpoint on the ASA and configure it for "enrollment self" like this.

1. Configure the trustpoint. (You can have multiple CNs, one for the IP address and one for the FQDN; this will allow connecting via IP address or hostname without a cert warning.)

wb5540-FO(config)# sh run cry ca tr selfsigned
crypto ca trustpoint selfsigned
 enrollment self
 subject-name CN=10.10.1.1, CN=wb5540-FO.cisco.com
 crl configure

2. Enroll the trustpoint

crypto ca enroll selfsigned
% The fully-qualified domain name in the certificate will be: wb5540-FO
% Include the device serial number in the subject name? [yes/no]: n
Generate Self-Signed Certificate? [yes/no]: y
wb5540-FO(config)#

3. View the resulting certificate

wb5540-FO(config)# sh cry ca cer selfsigned
Certificate
  Status: Available
  Certificate Serial Number: 31
  Certificate Usage: General Purpose
  Public Key Type: RSA (1024 bits)
  Issuer Name:
    hostname=wb5540-FO
    cn=10.10.1.1
    cn=wb5540-FO.cisco.com
  Subject Name:
    hostname=wb5540-FO
    cn=10.10.1.1
    cn=wb5540-FO.cisco.com
  Validity Date:
    start date: 13:47:37 UTC Jan 25 2006
    end date: 13:47:37 UTC Jan 23 2016
  Associated Trustpoints: selfsigned

4. To assign it to be used for SSL, configure it like this:

ssl trust-point selfsigned
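Added example, not code from the thread: a small Python audit of the "sh cry ca cer" output above, checking what I would verify before pointing WebVPN clients at a self-signed trustpoint: key size (the 1024-bit RSA key shown is below current minimums), validity window, and that the subject CNs cover the names clients will connect to. The sample text is a constructed copy of the answer's output; only the Python stdlib is assumed.

```python
import re
from datetime import datetime, timezone

# Constructed sample: a copy of the 'sh cry ca cer selfsigned' output above.
SAMPLE = """\
Certificate
  Status: Available
  Certificate Serial Number: 31
  Certificate Usage: General Purpose
  Public Key Type: RSA (1024 bits)
  Subject Name:
    hostname=wb5540-FO
    cn=10.10.1.1
    cn=wb5540-FO.cisco.com
  Validity Date:
    start date: 13:47:37 UTC Jan 25 2006
    end date: 13:47:37 UTC Jan 23 2016
  Associated Trustpoints: selfsigned
"""

DATE_FMT = "%H:%M:%S UTC %b %d %Y"  # ASA prints dates like '13:47:37 UTC Jan 25 2006'


def parse_asa_cert(text):
    """Extract key size, validity dates and subject CNs from ASA certificate output."""
    bits = int(re.search(r"Public Key Type: \w+ \((\d+) bits\)", text).group(1))
    start = re.search(r"start date: (.+)", text).group(1).strip()
    end = re.search(r"end\s+date: (.+)", text).group(1).strip()
    # The subject block is the run of indented 'name=value' lines after 'Subject Name:'.
    subject = re.search(r"Subject Name:\n((?:\s+\S+=\S+\n)+)", text).group(1)
    return {
        "key_bits": bits,
        "not_before": datetime.strptime(start, DATE_FMT).replace(tzinfo=timezone.utc),
        "not_after": datetime.strptime(end, DATE_FMT).replace(tzinfo=timezone.utc),
        "subject_cns": re.findall(r"cn=(\S+)", subject),
    }


def audit(cert, expected_names, now, min_bits=2048):
    """Return a list of findings; an empty list means the certificate passes."""
    findings = []
    if cert["key_bits"] < min_bits:
        findings.append(f"RSA key is {cert['key_bits']} bits (< {min_bits})")
    if not cert["not_before"] <= now < cert["not_after"]:
        findings.append("certificate is outside its validity window")
    missing = set(expected_names) - set(cert["subject_cns"])
    if missing:
        findings.append("subject lacks CN for: " + ", ".join(sorted(missing)))
    return findings


if __name__ == "__main__":
    cert = parse_asa_cert(SAMPLE)
    for finding in audit(cert, ["10.10.1.1", "wb5540-FO.cisco.com"], datetime.now(timezone.utc)):
        print("FINDING:", finding)
```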
