Install SSL Certificate onto CISCO ASA 5520

Solution ID:    SO5089
Version:    7.0
Published:    12/13/2007
Updated:    03/14/2012


This procedure provides steps for configuring certificates using manual certificate requests. These steps should be repeated for each trustpoint you configure for manual enrollment. When you have completed this procedure, the security appliance will have received a CA certificate for the trustpoint and one or two certificates for signing and encryption purposes. If you use general-purpose RSA keys, the certificate received is for signing and encryption. If you use separate RSA keys for signing and encryption, the certificates received are used for each purpose exclusively.


 To install a certificate into a Cisco ASA 5520 device, perform the following steps:
1. Download the Thawte Intermediate CA for SSL certificates: AR1384
2. Import the CA certificate.
To do so, use the crypto ca authenticate command. The following example shows a CA certificate request for the trustpoint Main: 
hostname (config)# crypto ca authenticate Main 
Enter the base 64 encoded CA certificate. 
End with a blank line or the word "quit" on a line by itself 
[ certificate data omitted ] 
INFO: Certificate has the following attributes:  Fingerprint: 24b81433 409b3fd5 e5431699 8d490d34 
Do you accept this certificate? [yes/no]: y 
Trustpoint CA certificate accepted. 
% Certificate successfully imported 
hostname (config)# 
3. Generate a certificate request.
To do so, use the crypto ca enroll command. The following example shows a certificate and encryption key request for the trustpoint Main, which is configured to use manual enrollment and general-purpose RSA keys for signing and encryption: 
hostname (config)# crypto ca enroll Main 
% Start certificate enrollment . 
% The fully-qualified domain name in the certificate will be: 
% Include the device serial number in the subject name? [yes/no]: n 
Display Certificate Request to terminal? [yes/no]: y 
Certificate Request follows:
[ certificate request data omitted ] 
---End - This line not part of the certificate request--- 
Redisplay enrollment request? [yes/no]: n
hostname (config)#
4. For each request generated by the crypto ca enroll command, obtain a certificate from the CA represented by the applicable trustpoint. Be sure the certificate is in base-64 format.
5. For each certificate you receive from the CA, use the crypto ca import certificate command. The security appliance prompts you to paste the certificate to the terminal in base-64 format.
6. Verify that the enrollment process was successful using the show crypto ca certificate command. For example, to show the certificate received from trustpoint Main:
hostname/contexta(config)# show crypto ca certificate Main
The output of this command shows the details of the certificate issued for the security appliance and the CA certificate for the trustpoint. 
7. Save the configuration using the write memory command: hostname/contexta(config)# write memory
If you use separate RSA keys for signing and encryption, the crypto ca enroll command displays two certificate requests, one for each key. To complete enrollment, acquire a certificate for all certificate requests generated by the crypto ca enroll command.
If you use separate RSA key pairs for signing and encryption, perform this step for each certificate separately. The security appliance determines automatically whether the certificate is for the signing or encryption key pair. The order in which you import the two certificates is irrelevant.
The following example manually imports a certificate for the trustpoint Main:
hostname (config)# crypto ca import Main certificate
% The fully-qualified domain name in the certificate will be:
Enter the base 64 encoded certificate.
End with a blank line or the word "quit"on a line by itself
[ certificate data omitted ]
INFO: Certificate successfully imported
hostname (config)#

Please ensure that you generated a Trustpoint before you install your certificate: SO5088

Legacy ID



Thawte has made efforts to ensure the accuracy and completeness of the information in this document. However, Thawte makes no warranties of any kind (whether express, implied or statutory) with respect to the information contained herein. Thawte assumes no liability to any party for any loss or damage (whether direct or indirect) caused by any errors, omissions, or statements of any kind contained in this document. Further, Thawte assumes no liability arising from the application or use of the product or service described herein and specifically disclaims any representation that the products or services described herein do not infringe upon any existing or future intellectual property rights. Nothing herein grants the reader any license to make, use, or sell equipment or products constructed in accordance with this document. Finally, all rights and privileges related to any intellectual property right described herein are vested in the patent, trademark, or service mark owner, and no other person may exercise such rights without express permission, authority, or license secured from the patent, trademark, or service mark owner. Thawte reserves the right to make changes to any information herein without further notice.  

Knowledge Center

Search Tips