Tag Archives: AnyConnect

Self Signed Certificate for WebVPN on ASA

We will configure self signed certificate on Cisco ASA for AnyConnect (WebVPN).

1.Generate an RSA key for the certificate. The name should be unique. For example, sslvpnkeypair.

ASA-1(config)#crypto key generate rsa label sslvpnkeypair modulus 1024
INFO: The name for the keys will be: sslvpnkeypair
Keypair generation process begin. Please wait…

2. Create a trustpoint for the self-issued certificate.

ASA-1(config)#crypto ca trustpoint self

3. The fully qualified domain name is used for both fqdn and CN. The name should resolve to the ASA outside interface IP address.

ASA-1(config-ca-trustpoint)#enrollment self
ASA-1(config-ca-trustpoint)#fqdn vpn.amolak.net
ASA-1(config-ca-trustpoint)#subject-name CN=vpn.amolak.net

4. The RSA key is assigned to the trustpoint for certificate creation.

ASA-1(config-ca-trustpoint)#keypair sslvpnkeypair

5. Assign the trustpoint to be used for SSL connections on the outside interface.

ASA-1(config-ca-trustpoint)#crypto ca enroll self noconfirm
% The fully-qualified domain name in the certificate will be: vpn.amolak.net
ASA-1(config)# ssl trust-point self outside

Final Configuration:

crypto key generate rsa label sslvpnkeypair modulus 1024
!
crypto ca trustpoint self
 enrollment self
 fqdn vpn.amolak.net
 subject-name CN=vpn.amolak.net
 keypair sslvpnkeypair
!
crypto ca enroll self noconfirm
!
ssl trust-point self outside