Technical Manual for Cisco ASA 5520 Adaptive Security Appliance

CSR Generation
This is the first step in the lifecycle of any X.509 digital certificate. Once the private/public Rivest-Shamir-Adleman (RSA) or Elliptic Curve Digital Signature Algorithm (ECDSA) keypair is generated (Appendix A details the difference between the use of RSA or ECDSA), a Certificate Signing Request (CSR) is created. A CSR is basically a PKCS10 formatted message that contains the public key and identity information of the requesting host.
 explains the different certificate formats applicable to the ASA and Cisco IOS®.
Notes:
1. Check with the CA on the required keypair size. The CA/Browser Forum has mandated that all certificates generated by their member CAs have a minimum size of 2048 bits.
2. ASA currently does not support 4096 bit keys (Cisco bug ID 
authentication. However, IKEv2 does support the use of 4096 bit server certificates on the
ASA 5580, 5585, and 5500-X platforms alone.
3. Use the DNS Name of the ASA in the FQDN field of the CSR in order to prevent Untrusted
Certificate warnings and pass Strict Certificate check.
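
The notes above can be checked on a workstation before the CSR is sent to the CA. This is an added example, not part of the Cisco document: it assumes the OpenSSL command-line tool is installed, and `check_csr`, `make_sample_csr` and the FQDN `vpn.example.com` are hypothetical names.

```shell
# Added example: pre-submission check of a PKCS#10 CSR with the OpenSSL CLI.
# check_csr FILE FQDN -> returns 0 if the CSR satisfies notes 1 and 3, else 1.
check_csr() {
    csr=$1 fqdn=$2
    # Decode the request once; this fails if the file is not a parsable CSR.
    text=$(openssl req -in "$csr" -noout -text 2>/dev/null) || {
        echo "FAIL: $csr is not a readable PKCS#10 request"; return 1; }
    alg=$(printf '%s\n' "$text" |
          sed -n 's/.*Public Key Algorithm: *//p' | head -n 1)
    bits=$(printf '%s\n' "$text" |
           sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1)
    # Subject CN in RFC 2253 form, e.g. "subject=CN=vpn.example.com,O=Example".
    cn=$(openssl req -in "$csr" -noout -subject -nameopt RFC2253 2>/dev/null |
         sed 's/^subject= *//' | tr ',' '\n' | sed -n 's/^ *CN *= *//p' | head -n 1)
    rc=0
    # Note 1: the 2048-bit minimum applies to RSA keys (ECDSA keys are shorter).
    if [ "$alg" = "rsaEncryption" ]; then
        if [ "${bits:-0}" -lt 2048 ]; then
            echo "FAIL: RSA key is ${bits:-unknown} bits, minimum is 2048"; rc=1
        elif [ "$bits" -ge 4096 ]; then
            echo "WARN: 4096-bit key, see note 2 for ASA platform limits"
        fi
    fi
    # Note 3: the ASA's DNS name must appear as the CN or as a SAN DNS entry.
    if [ "$cn" != "$fqdn" ] &&
       ! printf '%s\n' "$text" | tr ', ' '\n\n' | grep -Fxq "DNS:$fqdn"; then
        echo "FAIL: FQDN $fqdn not found (CN is '$cn')"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: $alg ${bits}-bit, FQDN $fqdn present"
    return "$rc"
}

# Constructed sample input: throwaway RSA key and CSR. Args: OUT BITS CN.
make_sample_csr() {
    openssl req -new -newkey "rsa:$2" -nodes -keyout "$1.key" \
        -subj "/CN=$3" -out "$1" 2>/dev/null
}

# Demo run on a constructed request (vpn.example.com is a made-up name).
demo=$(mktemp -d)
make_sample_csr "$demo/asa.csr" 2048 vpn.example.com
check_csr "$demo/asa.csr" vpn.example.com
rm -rf "$demo"
```
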
You can generate a CSR with any of these three methods:
1. Configure with the ASDM
   1. Navigate to Configuration > Remote Access VPN > Certificate Management, and choose Identity Certificates.
   2. Click Add.