Cisco AnyConnect SSL/TLS Trustpoint

I wanted to put together a quick tutorial for setting up a Cisco ASA – AnyConnect with SSL/TLS. I’ve done it a few times and I always have to re-lookup each step and the order in which to do it, so why not make a quick post about it to remember!

Optional: Destroy Current Trustpoint

You will have to destroy or clear out the current trustpoint if it already exists. This must be done if you are going to re-generate the key, which is best practice when renewing a Certificate due to expiration or one that has been compromised.

asa01(conf)# no crypto ca trustpoint oldtrustpoint.trustpoint
  • It will warn you that it will destroy any certificates within the trustpoint.
Generate a Key

Here we start with the generation of our key, using 2048 bits. the key name can be anything you want, but I like call it by the service I will be putting it on, for my case for this tutorial is accessthejimmahknowscom.key

asa01(conf)# crypto key generate rsa label accessthejimmahknowscom.key modulus 2048
Setting up the trustpoint locale and generate a CSR for submission

    First we need to set up a trustpoint object, with our locale properties, etc

asa01(conf)# crypto ca trustpoint newtrustpoint.trustpoint
asa01(config-ca-trustpoint)# subject-name,O=thejimmahknows,C=US,St=Connecticut,L=Wethersfield
asa01(config-ca-trustpoint)# keypair accessthejimmahknowscom.key
asa01(config-ca-trustpoint)# fqdn
asa01(config-ca-trustpoint)# enrollment terminal
asa01(config-ca-trustpoint)# exit
  • newtrustpoint.trustpoint — The name I gave to this trustpoint which will tie everything together.
  • subject-name This command holds the distinguished name of the Certificate’s profile, see RFC3039
  • keypair — This is what key to pair the trustpoint with, we generated this in the previous step.
  • fqdn — This is the main FQDN of our service that will use the trustpoint
  • enrolment terminal — This tells the Cisco ASA to output the CSR (which we will create in the next step) to the terminal screen. Otherwise you will have to SFTP to the ASA and download it.

Invoke the Cisco ASA to generate a CSR based on our locale and key from the previous step
asa01(conf)# crypto ca enroll accessthejimmahknowscom.trustpoint
  • Answer no to include the device serial number in the subject name, unless your 3rd-party Certificate Authority requires it.
  • Answer ‘yes’ to display the Certificate Request in the Terminal (makes things easier for submission)
  • Copy this Certificate Signing Request (CSR) and paste it into your 3rd-party Certificate Authority to obtain a valid signed Certificate
Importing your 3rd-Party’s Chain

Cisco calls this next step of importing your Certificate Authority’s chain certificates as authenticating…I dunno. But we’ll go with it.

asa01(conf)# crypto ca authenticate newtrustpoint.trustpoint
asa01(conf)# {paste in Certificate Authority certificate}
  • Follow the prompts to successfully import the Certificate Authority’s certificate chain
Importing your User Certificate (Hint: you got this from your 3rd-Party CA)
asa01(conf)# crypto ca import newtrustpoint.trustpoint certificate
  • You will be prompted to paste in the certificate, do so.
  • You can either choose…
    • certificate — for a PEM-base64 certificate
    • pkcs12 — for a binary certificate type.
Lastly, configure the ASA to use the trustpoint for a service. (Mine is for AnyConnect)
asa01(conf)# ssl trust-point accessthejimmahknowscom.trustpoint outside
  • Here we active this trustpoint on our outside interface.
Useful commands:
  • show crypto ca certificates — Shows certificates successfully loaded on the Cisco ASA
  • show crypto ca trustpoint — Shows trustpoints installed on the Cisco ASA