Install and Configure an SSL Certificate on a Cisco ASA 5510 or 5512x for AnyConnect VPN

21. January 2014 | Cisco ASA

Since Cisco no longer supports the Cisco VPN IPsec client, moving forward with the AnyConnect VPN requires some additional purchases. Once you have AnyConnect working, your users get to see the great “Certificate Invalid” error. You can solve that by adding a cheap SSL certificate from GoDaddy.com.

I’ve tested this on an ASA 5510 and am about to apply it to a 5512x; I don’t see any difference so far.

It seems easier to install and configure the certificate using the Cisco ASDM.

First, have the person who handles your public DNS records create an A record in your public DNS zone and point it at the public IP address of your ASA. We used “vpn.mysite.com”.

Login to the ASA via the ASDM.
Go to: CONFIGURATION > DEVICE MANAGEMENT > CERTIFICATE MANAGEMENT > IDENTITY CERTIFICATES
Click ADD
Click the radio button and ADD a new identity certificate
Click NEW… and enter a new key pair (name it whatever you want); make it 2048 bit
In the Certificate Subject DN, Add the CN (vpn.mysite.com), the OU, the O, the C, the St, and the L as appropriate
Click on the advanced button and make sure the FQDN is the same as the CN you entered before (vpn.mysite.com)
Now click on Add Certificate
Browse on your PC to where you want to save your CSR so you can find it again. Name it whatever you wish.

Go to Godaddy.com and purchase your certificate.  At the time of this post, cost was $69/year
Download the certificate using the “Other” category. That way you get the CA certificate and the intermediate certificate along with your identity certificate.

Log into your ASDM
Select CONFIGURATION > DEVICE MANAGEMENT > CERTIFICATE MANAGEMENT  > CA CERTIFICATES
Click Add, select the gd_bundle.crt
Then select IDENTITY CERTIFICATES
Click on your CSR Request and click the Install button
Select your SITENAME.crt

Now we need to apply these certificates to the SSL Site!
Select CONFIGURATION > DEVICE MANAGEMENT > CERTIFICATE MANAGEMENT
Expand Advanced
Select SSL Settings
Click on the interface where your SSLVPN terminates (in my case it was outside)
Edit this interface
Select the Primary Enrolled Certificate and Load Balancing Enrolled Certificate (if applicable)
Apply the settings
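For anyone who prefers the CLI, or whose ASDM version lays the screens out a little differently, here is the same procedure as ASA commands. This is an added example and is not part of the original post; the trustpoint name GODADDY-TP, the key pair name VPN-KEY and the OU/O/L/ST/C values are placeholders you would replace with your own, while vpn.mysite.com, gd_bundle.crt and SITENAME.crt are the names used above.

```cisco
! Added example: CLI equivalent of the ASDM steps above. Names in CAPS are placeholders.
! The ASA checks certificate validity dates against its own clock, so make sure the
! clock (or NTP) is correct before you start, or the import will be rejected.

! 1. Generate the 2048-bit RSA key pair the identity certificate will use.
crypto key generate rsa label VPN-KEY modulus 2048

! 2. Create a trustpoint: manual (cut-and-paste) enrollment, with the CN and the FQDN
!    both set to the name you put in public DNS so the client's name check passes.
crypto ca trustpoint GODADDY-TP
 enrollment terminal
 fqdn vpn.mysite.com
 subject-name CN=vpn.mysite.com,OU=IT,O=MySite,L=City,ST=State,C=US
 keypair VPN-KEY

! 3. Generate the CSR. It prints to the terminal; copy everything from the
!    BEGIN line to the END line into GoDaddy's CSR field.
crypto ca enroll GODADDY-TP

! 4. Install the issuing CA. gd_bundle.crt holds more than one PEM block; paste the
!    intermediate whose Subject matches the Issuer of SITENAME.crt, then type "quit".
crypto ca authenticate GODADDY-TP

! 5. Install the identity certificate: paste the PEM from SITENAME.crt, then type "quit".
crypto ca import GODADDY-TP certificate

! 6. Bind the trustpoint to the interface where AnyConnect terminates (outside here).
ssl trust-point GODADDY-TP outside

! 7. Check the installed chain and the interface binding, then save.
show crypto ca certificates
show ssl
write memory
```

The identity certificate will only import into the trustpoint whose key pair produced the CSR, so do not regenerate VPN-KEY between steps 3 and 5. After step 6, the “SSL trust-points” section of `show ssl` should list GODADDY-TP against the outside interface; if it still shows the self-signed certificate, the binding did not apply.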

That should be all. Your SSL certificate should now be valid.
If everything was a success, don’t forget to save your configuration.


1 thought on “Install and Configure an SSL Certificate on a Cisco ASA 5510 or 5512x for AnyConnect VPN”

    Tom on January 30, 2014

    ** UPDATE **
    Some of the steps in the instructions above in the ASDM are just slightly different. But for the most part, these instructions work. We just followed them again today and set up another… Have fun!
