You no longer need to continue using self signed certs as StartSSL offer them for free. If you need to replace or install a cert for the first time to use with an SSL VPN then this is how to achieve it using the CLI.
Update Feb 2017:
Okay so Wosign bought and royally cocked up StartSSL so they are a dead duck in the cert authority space. However there is a free alternative called Let’s Encrypt. They work great and support the ACME protocol for automatic cert renewal on servers but of course some devices will never support automatic renewal. The one small downside is the certificates are valid for 90 days only, however considering the price it’s a small price to pay. I’ve used the great zerossl.com to get certs for non ACME supporting clients such as the ASA.
First thing you need to ensure is your clock is set correctly. Set the clock/timezone and also define some NTP servers to ensure the firewall keeps its time correctly.
Generate the CSR
The next stage is the CSR or certificate signing request. I think it keeps things simple to use a .key version of the domain name that you are using for the label name.
If you are replacing an existing certificate, you don’t need to generate a new key but of course you can. You will though need to clear the trustpoint and configure again from scratch:
ASA(config)# no crypto ca trustpoint <Your domain name>
The full steps required are as follows:
ASA(config)# crypto key generate rsa label <Your domain name key> modulus 2048 ASA(config)# crypto ca trustpoint <Your trustpoint name> ASA(config-ca-trustpoint)# subject-name CN=<Your domain name>, OU=<Organization Unit>, O=<Organization Name>, C=<Country (GB)>, St=<Your State>, L=<Your City> ASA(config-ca-trustpoint)# keypair <Your generated key> ASA(config-ca-trustpoint)# fqdn <The associated fqdn> ASA(config-ca-trustpoint)# enrollment terminal ASA(config-ca-trustpoint)# exit ASA(config)# crypto ca enroll <Your configured trustpoint name> Question Prompt – Include the device serial number in the subject name? [yes/no]: NO Question Prompt – Display Certificate Request to terminal? [yes/no]: YES
Notes: After answering YES the CLI will output the CSR. You need to copy the CSR so you can submit it to your Certificate Authority.
Redisplay enrollment request? [yes/no]: NO
Submit your CSR to your Certificate Authority
Under the StartSSL management portal, create a new Webserver SSL/TLS certificate using the generated CSR. Once you download the zip file which contains the certificates in various formats, open the “OtherServer.zip” file and you will find an Intermediate, root and host certificate. You will need to open the Intermediate and host certificates using a text editor but I always use the fantastic Notepad++.
Use your preferred cert providers tools to request a valid certificate. The suggested zerossl.com is very straight forward and allows you to use DNS for verification of the domain.
Install the Certificates on the ASA
First step is to install the ca cert which from zerossl.com is the second cert in the chain.
ASA(config)# crypto ca authenticate <Your trustpoint name>
You will then get a prompt: “Enter the base 64 encoded CA certificate. End with the word “quit” on a line by itself” Copy the intermediate Certificate and passte into the CLI, go to the next line and type quit and press enter. You will then get another prompt asking you:
Do you accept this certificate? [yes/no]: yes
After accepting you will get a response to say the certificate import was successful.
Second step is to install the host certificate. From zerossl.com is the first cert in the chain.
ASA(config)# crypto ca import certificate
You will then get another prompt:
”Enter the base 64 encoded CA certificate. End with the word “quit” on a line by itself”
Copy the host certificate and paste into the CLI.
Tell WebVPN to use the new certificate
ASA(config)# ssl trust-point <Your trustpoint name> outside
You can use the following command to to verify the certificates installed correctly:
ASA# show crypto ca certificates
There is also a great tool on the following website where you can test your SSL installation:
Of course don’t forget to save your config.
Another great post on the subject: