This is likely more for myself than anyone else, because I’ve had to create so many KEY and CSR files recently for all sorts of third-party devices and appliances. Assuming you have access to a Linux server with OpenSSL, you can generate the private key and certificate request quickly and with very little hassle.
The process has the following steps:
- Generate a private key for this specific use
- Using the private key, generate a Certificate Signing Request (CSR)
- Have the CSR signed by a private or public Certificate Authority, which will provide the certificate
- Upload the private key and signed certificate to your device or system
Let’s start by creating a directory just for this specific certificate; it makes it easier to track all the files we’ll have when we’re complete. In this example I’m going to request a certificate for a Cisco ASA to be used with the Cisco AnyConnect VPN client, vpn.acme.com.
mkdir ~/vpn.acme.com/
cd ~/vpn.acme.com/
Let’s generate a private key, using a key size of 4096 bits, which should future-proof us sufficiently.
openssl genrsa -out vpn.acme.com.key 4096
Now let’s generate a certificate request signed with SHA-256, using the private key we generated above.
openssl req -new -sha256 -key vpn.acme.com.key -out vpn.acme.com.csr
We now need to take the certificate request and have that signed by a Certificate Authority. The resulting certificate (filename: vpn.acme.com.crt) will need to be installed along with the private key onto the appliance or device that we’re generating the certificate for.
Since we’re working with a Cisco ASA, we need to combine the private key, the certificate and any intermediate CA certificates into a single PKCS12 file so we can upload that file to the Cisco ASA. Again we’ll use OpenSSL for this task, and it’s pretty easy. (You’ll be prompted to set a password on the file; make sure you don’t forget it, because you’ll need it to upload the file to the Cisco ASA.)
openssl pkcs12 -export -in vpn.acme.com.crt -inkey vpn.acme.com.key \
    -certfile public-intermediate-ca.crt -out vpn.acme.com_bundle.p12
Now we can upload the bundle file (vpn.acme.com_bundle.p12) to the Cisco ASA.
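The same key and CSR steps as a non-interactive script, added here as an example and not part of the original post: it sets the subject and a Subject Alternative Name from the command line instead of the prompts, and adds a check that the key, the CSR and (once you have it) the signed certificate all carry the same public key before you build the bundle. It assumes OpenSSL 1.1.1 or newer on PATH; the hostname, organisation and key size are constructed sample values.

```shell
#!/bin/sh
# Added example, not the original post's commands. Assumes OpenSSL >= 1.1.1
# (needed for "req -addext"). Hostname and organisation below are constructed.
set -eu

# make_key_and_csr <name> <keybits> <workdir>
# Writes <workdir>/<name>.key and <workdir>/<name>.csr. The SAN is set because
# modern clients match the SAN, not the CN, when validating the server name.
make_key_and_csr() {
  name=$1; bits=$2; dir=$3
  mkdir -p "$dir"
  openssl genrsa -out "$dir/$name.key" "$bits" 2>/dev/null
  # -subj replaces the interactive prompts; -addext adds the SAN extension
  openssl req -new -sha256 \
    -key "$dir/$name.key" \
    -subj "/C=US/O=Acme Corp/CN=$name" \
    -addext "subjectAltName=DNS:$name" \
    -out "$dir/$name.csr"
}

# pubkey_fingerprint <file> <key|req|x509>
# Prints the SHA-256 of the DER-encoded public key, so the private key, the
# CSR and the signed certificate can be compared with one string equality.
pubkey_fingerprint() {
  case $2 in
    key)  openssl rsa  -in "$1" -pubout -outform DER 2>/dev/null ;;
    req)  openssl req  -in "$1" -pubkey -noout | openssl pkey -pubin -outform DER ;;
    x509) openssl x509 -in "$1" -pubkey -noout | openssl pkey -pubin -outform DER ;;
  esac | openssl dgst -sha256 | awk '{print $NF}'
}

# csr_matches_key <csrfile> <keyfile>: succeeds when both hold the same public key
csr_matches_key() {
  [ "$(pubkey_fingerprint "$1" req)" = "$(pubkey_fingerprint "$2" key)" ]
}

# cert_matches_key <certfile> <keyfile>: same check for the signed certificate,
# worth running before "openssl pkcs12 -export" so the bundle is not built
# around a certificate issued for a different key.
cert_matches_key() {
  [ "$(pubkey_fingerprint "$1" x509)" = "$(pubkey_fingerprint "$2" key)" ]
}

# csr_key_bits <csrfile>: key size recorded in the CSR (e.g. 2048), useful
# when the target device caps the supported key size.
csr_key_bits() {
  openssl req -in "$1" -noout -text | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}
```

Run `make_key_and_csr vpn.acme.com 2048 ~/vpn.acme.com` and then `csr_matches_key` on the two files; inspect the CSR with `openssl req -in vpn.acme.com.csr -noout -text` before sending it to the CA.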
Cheers!
Woger says
Hello Michael!
Thank you for your ssl-guidance.
Just one note regarding key size. If the key size is larger than 2048 bits, the certificate cannot be used for securing WebSSL/AnyConnect.
“2. ASA currently does not support 4096 bit keys (Cisco bug ID CSCut53512) for SSL server authentication. However, IKEv2 does support the use of 4096 bit server certificates on the ASA 5580, 5585, and 5500-X platforms alone. ”
https://www.cisco.com/c/en/us/support/docs/security-vpn/public-key-infrastructure-pki/200339-Configure-ASA-SSL-Digital-Certificate-I.html
Cheers,
Chris
Michael McNamara says
Thanks for the tip Chris!