Installation Instructions for Cisco ASA 5000 Series using the Command Line

Solution ID:    SO19541    Updated:    05/19/2017

Solution

This document provides installation instructions for Cisco ASA 5000 Series using the Command Line. If you are unable to use these instructions for your server, Symantec recommends that you contact the server vendor or the organization, which supports ASA .

Note: To install your certificates, you must access your Trustpoint. The Trustpoint is configured when you generated your original
Certificate Signing Request (CSR). If you no longer have the trustpoint information or it is lost, a new CSR must be generated,
please see SO19506. In that case you will also need to perform a revoke and replace of your current certfiicate, see SO7146
 

Step 1: Download the SSL Certificate & Intermediate CA Certificate

  1. Download the certificate from Symantec Trust Center account.
  2. The ZIP file you downloaded contains the following certificates:
    Note: Select the server platform as Cisco > ASA 5520 when downloading the certificate.
    • SSL certificate (i.e. ssl_certificate.crt, also known as end entity certificate, public key certificate, digital certificate or identity certificate).
    • Intermediate CA certificate (i.e. IntermediateCA.crt, also known as chained certificate or signer/issuer of the SSL certificate).
  3. Unzip the files onto the server where you will install the certificate.

 

Step 2: Install Intermediate CA Certificate to your Trustpoint

  1. Rename the intermediate ca file from IntermediateCA.crt to IntermediateCA.txt (from Step 1).
  2. To initiate the prompt to paste-in your Intermediate certificate files, perform the following command:

    ciscoasa(config)#crypto ca authenticate <Trustpoint name>.Trustpoint
     
  3. You are then prompted with:"Enter the base 64 encoded CA certificate. End with the word "quit" on a line by itself".
  4. Open the IntermediateCA.txt, copy the entire content and paste this information in the command line
  5. Make sure to include the "BEGIN CERTIFICATE" and "END CERTIFICATE" header and footer.

    For Example

    Enter the base 64 encoded certificate.
    End with the word "quit" on a line by itself

    -----BEGIN CERTIFICATE-----
    MIIE0DCCBDmgAwIBAgIQJQzo4DBhLp8rifcFTXz4/TANBgkqhkiG9w0BAQUFADBf
    MQswCQYDVQQGEwJVUzEXMBUGA1UEChMOVmVyaVNpZ24sIEluYy4xNzA1BgNVBAsT
    LkNsYXNzIDMgUHVibGljIFByaW1hcnkgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkw
    HhcNMDYxMTA4MDAwMDAwWhcNMjExMTA3MjM1OTU5WjCByjELMAkGA1UEBhMCVVMx
    FzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQLExZWZXJpU2lnbiBUcnVz
    dCBOZXR3b3JrMTowOAYDVQQLEzEoYykgMjAwNiBWZXJpU2lnbiwgSW5jLiAtIEZv
    ciBhdXRob3JpemVkIHVzZSBvbmx5MUUwQwYDVQQDEzxWZXJpU2lnbiBDbGFzcyAz
    IFB1YmxpYyBQcmltYXJ5IENlcnRpZmljYXRpb24gQXV0aG9yaXR5IC0gRzUwggEi
    MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCvJAgIKXo1nmAMqudLO07cfLw8
    RRy7K+D+KQL5VwijZIUVJ/XxrcgxiV0i6CqqpkKzj/i5Vbext0uz/o9+B1fs70Pb
    ZmIVYc9gDaTY3vjgw2IIPVQT60nKWVSFJuUrjxuf6/WhkcIzSdhDY2pSS9KP6HBR
    TdGJaXvHcPaz3BJ023tdS1bTlr8Vd6Gw9KIl8q8ckmcY5fQGBO+QueQA5N06tRn/
    Arr0PO7gi+s3i+z016zy9vA9r911kTMZHRxAy3QkGSGT2RT+rCpSx4/VBEnkjWNH
    iDxpg8v+R70rfk/Fla4OndTRQ8Bnc+MUCH7lP59zuDMKz10/NIeWiu5T6CUVAgMB
    AAGjggGbMIIBlzAPBgNVHRMBAf8EBTADAQH/MDEGA1UdHwQqMCgwJqAkoCKGIGh0
    dHA6Ly9jcmwudmVyaXNpZ24uY29tL3BjYTMuY3JsMA4GA1UdDwEB/wQEAwIBBjA9
    BgNVHSAENjA0MDIGBFUdIAAwKjAoBggrBgEFBQcCARYcaHR0cHM6Ly93d3cudmVy
    aXNpZ24uY29tL2NwczAdBgNVHQ4EFgQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMwbQYI
    KwYBBQUHAQwEYTBfoV2gWzBZMFcwVRYJaW1hZ2UvZ2lmMCEwHzAHBgUrDgMCGgQU
    j+XTGoasjY5rw8+AatRIGCx7GS4wJRYjaHR0cDovL2xvZ28udmVyaXNpZ24uY29t
    L3ZzbG9nby5naWYwNAYIKwYBBQUHAQEEKDAmMCQGCCsGAQUFBzABhhhodHRwOi8v
    b2NzcC52ZXJpc2lnbi5jb20wPgYDVR0lBDcwNQYIKwYBBQUHAwEGCCsGAQUFBwMC
    BggrBgEFBQcDAwYJYIZIAYb4QgQBBgpghkgBhvhFAQgBMA0GCSqGSIb3DQEBBQUA
    A4GBABMC3fjohgDyWvj4IAxZiGIHzs73Tvm7WaGY5eE43U68ZhjTresY8g3JbT5K
    lCDDPLq9ZVTGr0SzEK0saz6r1we2uIFjxfleLuUqZ87NMwwq14lWAyMfs77oOghZ
    tOxFNfeKW/9mz1Cvxm1XjRl4t7mi0VfqH5pLr7rJjhJ+xr3/
    -----END CERTIFICATE-----
    quit

    Manually pasted certificate into CLI.
    INFO: Certificate has the following attributes:
    Fingerprint:     32 f3 08 82 62 2b 87 cf 88 56 c6 3d b8 73 df 08 53 b4 dd 27
     
  6. Once you submit the intermediate c, you will be prompted if you would like to accept the certificate. You will want to submit "yes":

    Do you accept this certificate? [yes/no]: yes

    The output will display as follows:

    Trustpoint <name of Trustpoint> is a subordinate CA and 
     holds a non self-signed certificate.
    Trustpoint CA certificate accepted.

    % Certificate successfully imported
    ciscoasa(config)#
    ciscoasa(config-ca-trustpoint)# exit
     

Step 3: Install the SSL Certificate

  1. Rename the SSL file from ss_certificate.crt to ssl_certificate.txt (from Step 1).
  2. To initiate the prompt to install your new certificate, you will need to run the following command:

    ciscoasa(config)#crypto ca import <Trustpoint name>.Trustpoint certificate
  3. You are then prompted with: "Enter the base 64 encoded CA certificate. End with the word "quit" on a line by itself".
  4. Open the file you have created in Step 1,ssl_certificate.txt, copy the entire contents and paste this information in the command line
  5. Make sure to include the "BEGIN CERTIFICATE" and "END CERTIFICATE" header and footer. 
    Note:Please do not copy/paste the actual certificate text below. This is just an example of what the SSL certificate text would look like.


    The fully-qualified domain name in the certificate will be: <common name of your certificate>
    Enter the base 64 encoded certificate.
    End with the word "quit" on a line by itself

    -----BEGIN CERTIFICATE-----
    MIIFZjCCBE6gAwIBAgIQMs/oXuu9K14eMGSf0mYjfTANBgkqhkiG9w0BAQUFADCB
    yzELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMTAwLgYDVQQL
    EydGb3IgVGVzdCBQdXJwb3NlcyBPbmx5LiAgTm8gYXNzdXJhbmNlcy4xQjBABgNV
    BAsTOVRlcm1zIG9mIHVzZSBhdCBodHRwczovL3d3dy52ZXJpc2lnbi5jb20vY3Bz
    L3Rlc3RjYSAoYykwNTEtMCsGA1UEAxMkVmVyaVNpZ24gVHJpYWwgU2VjdXJlIFNl
    cnZlciBUZXN0IENBMB4XDTA3MDcyNjAwMDAwMFoXDTA3MDgwOTIzNTk1OVowgbox
    CzAJBgNVBAYTAlVTMRcwFQYDVQQIEw5Ob3J0aCBDYXJvbGluYTEQMA4GA1UEBxQH
    UmFsZWlnaDEWMBQGA1UEChQNQ2lzY28gU3lzdGVtczEOMAwGA1UECxQFVFNXRUIx
    OjA4BgNVBAsUMVRlcm1zIG9mIHVzZSBhdCB3d3cudmVyaXNpZ24uY29tL2Nwcy90
    ZXN0Y2EgKGMpMDUxHDAaBgNVBAMUE2Npc2NvYXNhMS5jaXNjby5jb20wgZ8wDQYJ
    KoZIhvcNAQEBBQADgY0AMIGJAoGBAL56EvorHHlsIB/VRKaRlJeJKCrQ/9kER2JQ
    9UOkUP3mVPZJtYN63ZxDwACeyNb+liIdKUegJWHI0Mz3GHqcgEkKW1EcrO+6aY1R
    IaUE8/LiAZbA70+k/9Z/UR+v532B1nDRwbx1R9ZVhAJzA1hJTxSlEgryosBMMazg
    5IcLhgSpAgMBAAGjggHXMIIB0zAJBgNVHRMEAjAAMAsGA1UdDwQEAwIFoDBDBgNV
    HR8EPDA6MDigNqA0hjJodHRwOi8vU1ZSU2VjdXJlLWNybC52ZXJpc2lnbi5jb20v
    U1ZSVHJpYWwyMDA1LmNybDBKBgNVHSAEQzBBMD8GCmCGSAGG+EUBBxUwMTAvBggr
    BgEFBQcCARYjaHR0cHM6Ly93d3cudmVyaXNpZ24uY29tL2Nwcy90ZXN0Y2EwHQYD
    UmFsZWlnaDEWMBQGA1UEChQNQ2lzY28gU3lzdGVtczEOMAwGA1UECxQFVFNXRUIx
    Kn+rRsU2AgZwJ4daMHgGCCsGAQUFBwEBBGwwajAkBggrBgEFBQcwAYYYaHR0cDov
    L29jc3AudmVyaXNpZ24uY29tMEIGCCsGAQUFBzAChjZodHRwOi8vU1ZSU2VjdXJl
    LWFpYS52ZXJpc2lnbi5jb20vU1ZSVHJpYWwyMDA1LWFpYS5jZXIwbgYIKwYBBQUH
    AQwEYjBgoV6gXDBaMFgwVhYJaW1hZ2UvZ2lmMCEwHzAHBgUrDgMCGgQUS2u5KJYG
    DLvQUjibKaxLB4shBRgwJhYkaHR0cDovL2xvZ28udmVyaXNpZ24uY29tL3ZzbG9n
    bzEuZ2lmMA0GCSqGSIb3DQEBBQUAA4IBAQAnym4GVThPIyL/9ylDBd8N7/yW3Ov3
    bIirHfHJyfPJ1znZQXyXdObpZkuA6Jyu03V2CYNnDomn4xRXQTUDD8q86ZiKyMIj
    XM2VCmcHSajmMMRyjpydxfk6CIdDMtMGotCavRHD9Tl2tvwgrBock/v/54o02lkB
    SmLzVV7crlYJEuhgqu3Pz7qNRd8N0Un6c9sbwQ1BuM99QxzIzdAo89FSewy8MAIY
    rtab5F+oiTc5xGy8w7NARAfNgFXihqnLgWTtA35/oWuy86bje1IWbeyqj8ePM9Td
    0LdAw6kUU1PNimPttMDhcF7cuevntROksOgQPBPx5FJSqMiUZGrvju5O
    -----END CERTIFICATE-----
    quit

    INFO: Certificate successfully imported
    ciscoasa(config)#


Step 4: Define the Trustpoint that will supply the SSL certificate for the defined interface.

  1. In order to use the updated Trustpoint, you will need to run the following commands:

    ciscoasa(config)#ssl trust-point <Trustpoint name>.Trustpoint outside
    ciscoasa(config)#wr mem

    Building configuration...
    Cryptochecksum: 694687a1 f75042af ccc6addf 34d2cb08
    8808 bytes copied in 3.630 secs (2936 bytes/sec)
    [OK]
    ciscoasa(config)#


Step 5: Verify Certificate and Certificate Chain

  1. To verify your certificate chain to see all the certificates you have just installed, input the following command:

    ciscoasa(config)#show crypto ca certificates
     
  2. Verify your installation with the Symantec Installation Checker


Cisco

         For more information, refer to Cisco Support.
 

Disclaimer:

Terms of use for this information are found in Legal Notices

Contact Support

Find Answers