Generate a self-signed SSL Certificate for Cisco ASA 5505

Post by: Kurt-Erik Karlsen    Date: 12/05/2009    Category: Network infrastructure

Here’s a quick guide on how you can generate a self-signed SSL Certificate for your Cisco ASA 5505

If you do not currently own a Certificate, you may create yourself a self-signed certificate for use with SSL-VPN. The problem is if you run the SSL-VPN wizard and configure your ASA for Anyconnect or SSL-VPN via web-browser, the ASA only creates a temporarily certificate for use. If your ASA is rebooted even though you have saved all settings, the ASA will generate a new certificate.

Normally this will not be a problem, but if you use the SSL-VPN with Citrix published applications, you’ll have to install the the certificate to “Trusted Root Certificate Authorities” each time the ASA has generate a new certificate during reboot


Do the following to create a self-signed certificate for you ASA:


corpasa(config)#crypto key generate rsa label sslvpnkey
corpasa(config)#crypto ca trustpoint localtrust
corpasa(config-ca-trustpoint)#enrollment self
corpasa(config-ca-trustpoint)#fqdn sslvpn.
corpasa(config-ca-trustpoint)#keypair sslvpnkey
corpasa(config-ca-trustpoint)#crypto ca enroll localtrust noconfirm
corpasa(config)# ssl trust-point localtrust outside

Alternative you can purchase a certificate through a vendor such as VeriSign, GoDaddy etc..

Written by

4 Comments to “Generate a self-signed SSL Certificate for Cisco ASA 5505”

  1. Saurooon says:

    Thank you! I would now go on this blog every day!

  2. dhuff says:

    Very nice job!! Your example is complete and concise.

  3. Craig Neeld says:

    Will I be able to use this self-signed cert for mobile phones connectiong to my ASA as opposed to a Verisign cert? I have Cisco’s CUMA product in mind here, we’re setting it up in the lab and see little point in forking out for expensive certs.

  4. Paul says:

    I noticed about this temporary certificate once my ASA was rebooted! Is there any way we can reload the previous certificate and make it permanent? We have a lot of IP phones connecting through VPN and they have the old certificate already loaded on them. We want to hesitate to recall them to site and download the new cert on them.Please advise.

Leave a Reply