Adding an SSL Certificate on an ASA


This tutorial shows how to install an HTTPS/SSL certificate on an ASA. This is usually needed when WebVPN or AnyConnect is configured, since both use SSL. Without a certificate installed, users are given warnings and errors about a missing or invalid certificate.

This has nothing to do with authentication. It is simply the HTTPS certificate needed to set up a secure connection.

Suppose you are working for a place called http://company.com and they want to set up their ASA to allow users to VPN into the network. To access the VPN you can either use IPSec or SSL. Suppose their choice was SSL and they want the URL of the ASA to be https://vpn.company.com. This tutorial will help set the HTTPS certificate for that URL.

It is easier for me to use ASDM when dealing with certificates so this tutorial uses ASDM exclusively.

Step 1 - Create an Identity Certificate

Under Configuration –> Device Management –> Certificate Management –> Identity Certificates

Click Add.

Give the Trustpoint a Name.

Choose “Add a new identity certificate”.

Choose the key pair to use for encryption.

Click “Select” for the certificate subject DN. In this section it is important to make the CN the host name of the URL that this certificate will be serving. It should not include the path or any trailing slashes. So if the URL is “https://example.com/owa” you simply make the CN “example.com”.

Click “advanced”.

Fill in the FQDN field. This should be exactly the same as CN.

Click Add certificate.

Step 2 - Send the certificate to the CA

After completing step 1 you will be presented with the option of saving your certificate request.

Send this certificate request (CSR) to a CA such as Symantec or VeriSign. They will then process it and send you back your signed public certificate.

Step 3 - Installing your certificate

Go back to the ASDM: Configuration –> Device Management –> Certificate Management –> Identity Certificates

Click the certificate you made earlier. Then click Install.

Paste in the certificate the CA sent you. Paste in everything, including the BEGIN CERTIFICATE and END CERTIFICATE lines, but make sure there are no trailing spaces or carriage returns. You do not need to paste any intermediate CA certificates here, just the public identity certificate.

Step 4 - Enabling your certificate on an interface

Go to Configuration –> Remote Access VPN –> Network (client) access –> AnyConnect Connection Profiles

Click Device Certificate

Choose the certificate you installed as the one to present when users connect to this device over HTTPS.

That’s it! Test the functionality by browsing to the URL of your ASA over HTTPS.
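Two checks a practitioner would want around steps 3 and 4, as an added example that is not part of the original tutorial: a pre-paste sanity check on the PEM the CA returned (one block, BEGIN/END lines, no trailing whitespace or carriage returns), and a post-install check that the certificate the ASA actually serves carries the expected host name and is still valid. `vpn.company.com` is the hypothetical host name from the tutorial; `check_served_cert` takes a dict in the shape returned by `ssl.SSLSocket.getpeercert()`, and the sample dicts in the usage are constructed.

```python
import socket
import ssl
from datetime import datetime, timezone

# Hypothetical host name from the tutorial; replace with your ASA's public FQDN.
ASA_HOST = "vpn.company.com"


def check_pem_for_paste(pem_text):
    """Sanity-check a CA-issued PEM before pasting it into ASDM.
    Returns a list of problems; an empty list means it looks clean."""
    problems = []
    if not pem_text.startswith("-----BEGIN CERTIFICATE-----"):
        problems.append("missing BEGIN CERTIFICATE line")
    if "-----END CERTIFICATE-----" not in pem_text:
        problems.append("missing END CERTIFICATE line")
    if pem_text.count("-----BEGIN CERTIFICATE-----") > 1:
        problems.append("more than one certificate block (paste only the identity cert)")
    if "\r" in pem_text:
        problems.append("carriage returns present")
    if pem_text != pem_text.rstrip():
        problems.append("trailing whitespace or blank lines after END CERTIFICATE")
    if any(line != line.rstrip() for line in pem_text.split("\n")):
        problems.append("trailing spaces on a line")
    return problems


def check_served_cert(cert, expected_fqdn, now=None):
    """Check a getpeercert()-style dict: the subject CN or a DNS SAN must equal
    the host name users browse to, and the certificate must not be expired."""
    now = now or datetime.now(timezone.utc)
    problems = []
    subject = {k: v for rdn in cert.get("subject", ()) for k, v in rdn}
    cn = subject.get("commonName")
    sans = [v for t, v in cert.get("subjectAltName", ()) if t == "DNS"]
    if cn != expected_fqdn and expected_fqdn not in sans:
        problems.append(f"name mismatch: CN={cn!r}, SAN={sans}, expected {expected_fqdn!r}")
    if now.timestamp() > ssl.cert_time_to_seconds(cert["notAfter"]):
        problems.append("certificate expired")
    return problems


def fetch_and_check(host, port=443):
    """Connect to the ASA over HTTPS with chain and host-name verification against
    the system trust store, then report on the certificate it served."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return check_served_cert(tls.getpeercert(), host)


if __name__ == "__main__":
    print(fetch_and_check(ASA_HOST))  # raises SSLError if the chain or name fails verification
```

If the handshake itself fails with a verification error, the served chain is incomplete or not trusted by the client, which is the error users would see in their browser.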
