Cisco ASA Anyconnect Self Signed Certificate

By default the Cisco ASA firewall has a self-signed certificate that is regenerated every time you reboot it. This is an issue when you use SSL VPN: the web browser of your user will show a warning every time it sees an untrusted certificate, and because the certificate changes on every reboot the user cannot even accept it once and be done with it. In another lesson where I explained how to configure AnyConnect remote access VPN you can see these errors when the remote user connects to the ASA. To fix this problem we have two options:

  • Purchase and install an SSL certificate on the ASA from a trusted CA.
  • Generate a self-signed SSL certificate on the ASA and export it to your users’ computers.

The first option is the best one: you buy an SSL certificate from a public CA like Verisign, Entrust, GoDaddy, etc. and install it on the ASA. Web browsers ship with the root CA certificates of these providers pre-installed, so a certificate that chains to one of them is shown as trusted. This is great because you don’t have to do anything on the user’s computer. Keep in mind that a public CA will only issue a certificate for a registered public domain name, not for an internal name such as the .LOCAL domain used in this lesson.

If you don’t want to buy an SSL certificate then we can use the second option: we generate a certificate on the ASA and self-sign it. This certificate is permanent, so it doesn’t disappear when you reboot the ASA. The problem, however, is that you have to export this certificate and import it into the trusted root store on each of your remote users’ computers. Since the user is about to trust whatever they import, the certificate’s fingerprint should be checked against the one the ASA reports before it is imported.

That’s what we will do in this lesson…we will generate the SSL certificate, self-sign it and then export and import it on a remote user’s computer. This is the topology I will use:

Topology: ASA1 (outside interface) connected to a remote SSL VPN user.

The ASA is connected to a remote user on its outside interface. The user’s computer will run Windows 7. Let’s get started shall we?

ASA Configuration

There are a number of requirements when we work with certificates. First we need to set the correct date and time, then assign a hostname and a domain name:

ciscoasa(config)# clock set 13:48:00 10 Dec 2014

The clock command works, but using NTP to keep your time synchronized is better: a certificate is only valid between its start and end date, and an ASA with a wrong clock will issue a certificate with a wrong validity period or reject a valid one. Let’s configure a hostname:

ciscoasa(config)# hostname ASA1

I’ll call my device “ASA1”. Now we configure a domain name:

ASA1(config)# domain-name NETWORKLESSONS.LOCAL

The domain name will be “NETWORKLESSONS.LOCAL”.

The FQDN (Fully Qualified Domain Name) of the ASA is now ASA1.NETWORKLESSONS.LOCAL. When a remote user opens the web browser they need to use the FQDN to reach the ASA, because that is the only name the certificate will contain. If you use the IP address you will still get a certificate error!

In PKI (Public Key Infrastructure) we need a key pair: a public and a private key. When we generate an RSA key the ASA creates both at once. The public key can be shared with anyone and is used to encrypt messages to the ASA or to verify the ASA’s signatures; the private key never leaves the ASA and is used to decrypt and to sign. This example uses a 1024-bit modulus; on current software use at least 2048 bits, since 1024-bit RSA is considered too weak today. Here’s how to generate the keys:

ASA1(config)# crypto key generate rsa label MY_RSA_KEY modulus 1024
INFO: The name for the keys will be: MY_RSA_KEY
Keypair generation process begin. Please wait...

The key pair is called “MY_RSA_KEY”. You can see them here:

ASA1(config)# show crypto key mypubkey rsa | begin MY_RSA_KEY
Key name: MY_RSA_KEY
 Usage: General Purpose Key
 Modulus Size (bits): 1024
 Key Data:

  30819f30 0d06092a 864886f7 0d010101 05000381 8d003081 89028181 00ac99a2 
  2fc2907a 1e86ddf4 503dc102 72611d80 77ed5762 a857b297 ee609520 469c2dbe 
  f50c5ce1 ac39cba1 998f9504 93f8bfbd ddfaadf7 0cc1f322 f20a24b0 db7fd9e5 
  61a024d1 9f6f5380 562e7848 017e0f88 167732c5 aef50f80 e6431420 0745b9f4 
  9217f9df 31ca5a2f 05fe6af6 efb388d4 24a22355 7112458f c20f022f 7f020301 

We now have to create a “trustpoint”. A trustpoint ties a certificate and the CA that issues it (here: the ASA itself) to the enrollment parameters, such as the FQDN, subject name and keypair:

ASA1(config)# crypto ca trustpoint SELF_TRUSTPOINT
ASA1(config-ca-trustpoint)# enrollment self
ASA1(config-ca-trustpoint)# fqdn ASA1.NETWORKLESSONS.LOCAL
ASA1(config-ca-trustpoint)# subject-name CN=ASA1.NETWORKLESSONS.LOCAL
ASA1(config-ca-trustpoint)# keypair MY_RSA_KEY

The trustpoint is called “SELF_TRUSTPOINT” and the enrollment self command means that the ASA will sign its own certificate. The certificate will be issued for ASA1.NETWORKLESSONS.LOCAL, using the RSA keypair that we just generated. We can now enroll the actual certificate:

ASA1(config)# crypto ca enroll SELF_TRUSTPOINT

% The fully-qualified domain name in the certificate will be: ASA1.NETWORKLESSONS.LOCAL

% Include the device serial number in the subject name? [yes/no]: no

Generate Self-Signed Certificate? [yes/no]: yes
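As an added example that is not part of this lesson, the script below reproduces the certificate the trustpoint enrolls (self-signed, CN and SAN set to the FQDN) with OpenSSL and runs the three checks a browser performs: before the certificate is imported, after import when the user browses to the FQDN, and after import when the user browses to the IP address instead. The FQDN is the one from the trustpoint; the outside IP 192.0.2.1 is made up for the example, a 2048-bit key is used instead of the lesson’s 1024-bit one, and openssl 1.1.1 or newer is assumed to be on the PATH.

```shell
#!/bin/sh
# Added example, not part of the lesson: model the ASA's self-signed
# certificate with OpenSSL and run the checks a browser performs.
# Assumptions: openssl 1.1.1+ on PATH; 192.0.2.1 is a made-up outside IP.
set -u

FQDN="ASA1.NETWORKLESSONS.LOCAL"   # fqdn/subject-name from the trustpoint
OUTSIDE_IP="192.0.2.1"             # constructed, documentation range
WORK="$(mktemp -d)"
CERT="$WORK/asa.crt"
KEY="$WORK/asa.key"

# Stand-in for "crypto key generate rsa" + "crypto ca enroll SELF_TRUSTPOINT":
# a self-signed certificate whose CN and SAN are the FQDN. 2048-bit RSA is
# used because 1024-bit keys are below today's minimum.
gen_self_signed() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -keyout "$KEY" -out "$CERT" \
    -subj "/CN=$FQDN" \
    -addext "subjectAltName=DNS:$FQDN" >/dev/null 2>&1
}

# Subject as the browser shows it in the certificate details.
cert_subject() {
  openssl x509 -in "$CERT" -noout -subject
}

# SHA-256 fingerprint: what the user compares against the ASA's own output
# before importing, otherwise the import is blind trust-on-first-use.
fingerprint_sha256() {
  openssl x509 -in "$CERT" -noout -fingerprint -sha256 | cut -d= -f2
}

# Before import: the client only has its system CA store -> untrusted.
verify_before_import() {
  openssl verify "$CERT" >/dev/null 2>&1
}

# After import: the ASA certificate is a trust anchor and the user browsed
# to https://<FQDN> -> OK.
verify_after_import_fqdn() {
  openssl verify -CAfile "$CERT" -verify_hostname "$FQDN" "$CERT" >/dev/null 2>&1
}

# After import, but browsing to https://<IP>: the certificate names only the
# FQDN, so name checking fails. This is the error the lesson warns about.
verify_after_import_ip() {
  openssl verify -CAfile "$CERT" -verify_ip "$OUTSIDE_IP" "$CERT" >/dev/null 2>&1
}

# Print the outcome of one check without aborting the script.
report() {
  label="$1"; shift
  if "$@"; then echo "trusted   : $label"; else echo "UNTRUSTED : $label"; fi
}

gen_self_signed
echo "Subject   : $(cert_subject)"
echo "SHA-256   : $(fingerprint_sha256)"
report "before import, https://$FQDN"      verify_before_import
report "after import,  https://$FQDN"      verify_after_import_fqdn
report "after import,  https://$OUTSIDE_IP" verify_after_import_ip
```

Run it with `sh`; only the middle check reports "trusted". The fingerprint line is the value the user should compare with what the ASA prints for the trustpoint (show crypto ca certificates) before importing the certificate, and the last check shows why users must be told to connect to the FQDN and not to the outside IP address.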

The certificate is now enrolled. We can see it here:



Forum Replies

  1. Hi

    I have ASA 5520 VPN Plus license with latest IOS disk0:/asa917-k8.bin

    Licensed features for this platform:
    Maximum Physical Interfaces       : Unlimited      perpetual
    Maximum VLANs                     : 150            perpetual
    Inside Hosts                      : Unlimited      perpetual
    Failover                          : Active/Active  perpetual
    Encryption-DES                    : Enabled        perpetual
    Encryption-3DES-AES               : Enabled        perpetual
    Security Contexts                 : 20             perpetual
    ... Continue reading in our forum

  2. Hi

    I tested today AnyConnect VPN Client Software-4.2.01035 with my ASA and am glad it works perfectly with Rene’s article.

    Rene, your ASA articles are amazing; so far I am testing them. Just a quick note: if you can add the NAT statements related to the configuration as well, that would be great, or add a note that a particular configuration requires NAT changes too.
    E.g. to make the split tunnel work we need a deny statement in NAT, so that would be helpful.

    Thanks and amazing work, everything works for me like a charm.

    Stay blessed

  3. Hi Richard,

    The VPN traffic does terminate on the outside interface. Usually we use the sysopt connection permit-vpn command to permit IPsec traffic to bypass any access-list. If you don’t use it, then you’ll need to explicitly permit your IPsec traffic to the inside.

    It could be an issue on your ASA but have you also checked your router has a route back to the ASA?


  4. Hi Rene,

    Congrats, very clear tutorial. What about the NAT rule to keep the traffic between internal subnets and remote VPN hosts untranslated? Isn’t it needed?

    Please advise.

    Thank you.

  5. Hi Alessandro,

    Glad to hear you like it! You will need a NAT rule to keep traffic between remote VPN users and inside hosts untranslated. You can find the config for it in this reply:

    Cisco ASA NAT untranslate

