Run the ASDM Identity Certificate Wizard (ASDM 7.3 and Later)<\/h3>\n\n\n\n
ASDM 7.3 and later provides the ASDM Identity Certificate Wizard. The wizard makes configuring self-signed identity certificates easy.<\/p>\n\n\n\n
- \n
- When you first launch ASDM and do not have a trusted certificate, you are prompted to launch ASDM with Java Web Start; the certificate wizard then starts automatically.<\/li>\n\n\n\n
- If you start ASDM yourself using Java Web Start, then you can launch the wizard from the Wizards menu.<\/li>\n\n\n\n
- To generate the separate ASA FirePOWER module certificate, you must re-run the wizard to generate the additional certificate.<\/li>\n<\/ul>\n\n\n\n
Procedure<\/p>\n\n\n\n
1.<\/strong><\/a> Launch ASDM. Use an already installed ASDM Launcher, or connect to the ASA IP address with a browser (https:\/\/<\/strong> asa_ip_address<\/em> \/admin<\/strong>) to install a new Launcher. The Launcher prompts you to automatically start ASDM with Java Web Start for the purpose of running the certificate wizard.<\/p>\n\n\n\n
2.<\/strong><\/a> (If the wizard did not launch automatically) Choose Wizards > ASDM Identity Certificate Wizard<\/strong>.<\/p>\n\n\n\n
3.<\/strong><\/a> Complete the wizard. We recommend choosing the Simple Mode<\/strong> option.<\/p>\n\n\n\n
4.<\/strong><\/a> (ASA FirePOWER module) Re-run the wizard, and choose the SFR Module <\/strong>option.<\/p>\n\n\n\n
5.<\/strong><\/a> Quit ASDM.<\/p>\n\n\n\n
6.<\/strong><\/a> See Register the New Identity Certificate(s) with Java<\/a> to register both certificates.<\/p>\n\n\n\n
Register the New Identity Certificate(s) with Java<\/h3>\n\n\n\n
This procedure shows Java in Windows 7; your operating system may differ.<\/p>\n\n\n\n
Procedure<\/p>\n\n\n\n
1.<\/strong><\/a> On your computer, launch the Java Control Panel. On the Security<\/strong> tab, click Manage<\/strong> Certificates<\/strong>.<\/p>\n\n\n\n
![\"\"\/](\"http:\/\/www.cisco.com\/c\/dam\/en\/us\/td\/i\/300001-400000\/370001-380000\/371001-372000\/371534.tif\/_jcr_content\/renditions\/371534.jpg\")
<\/a><\/figure>\n\n\n\n2.<\/strong><\/a> From the Certificate type<\/strong> drop-down list, choose Secure Site<\/strong>, and click Import<\/strong>.<\/p>\n\n\n\n
Note: <\/strong>You must<\/em> choose the Secure Site <\/strong><\/a>option; other categories do not work.<\/p>\n\n\n\n
![\"\"\/](\"http:\/\/www.cisco.com\/c\/dam\/en\/us\/td\/i\/300001-400000\/370001-380000\/371001-372000\/371535.tif\/_jcr_content\/renditions\/371535.jpg\")
<\/a><\/figure>\n\n\n\n3.<\/strong><\/a> Choose the ASA certificate you earlier exported from ASDM.<\/p>\n\n\n\n
![\"\"\/](\"http:\/\/www.cisco.com\/c\/dam\/en\/us\/td\/i\/300001-400000\/370001-380000\/371001-372000\/371536.tif\/_jcr_content\/renditions\/371536.jpg\")
<\/a><\/figure>\n\n\n\n![\"\"\/](\"http:\/\/www.cisco.com\/c\/dam\/en\/us\/td\/i\/300001-400000\/370001-380000\/371001-372000\/371537.tif\/_jcr_content\/renditions\/371537.jpg\")
<\/a><\/figure>\n\n\n\n4.<\/strong><\/a> (ASA FirePOWER module) Click Import<\/strong> again, and choose the module certificate that you earlier exported from ASDM.<\/p>\n\n\n\n
5.<\/strong><\/a> Click Close<\/strong>.<\/p>\n\n\n\n
6.<\/strong><\/a> You can now use the ASDM Launcher.<\/p>\n\n\n\n
(ASDM 7.2 and Earlier) Manually Configure the ASA for an Identity Certificate<\/h4>\n\n\n\n
Complete all of the following procedures.<\/p>\n\n\n\n
Create the Identity Certificate<\/h5>\n\n\n\n
Procedure<\/p>\n\n\n\n
1.<\/strong><\/a> In a browser, connect to the ASA (https:\/\/<\/strong> asa_ip_address<\/em> \/admin<\/strong>) and launch ASDM by clicking Run ASDM<\/strong>.<\/p>\n\n\n\n
2.<\/strong><\/a> Choose Configuration > Device Management > Certificate Management > Identity Certificates<\/strong>, and click Add<\/strong>.<\/p>\n\n\n\n
3.<\/strong><\/a> Click the Add a new identity certificate<\/strong> radio button, and click Select<\/strong> for the Certificate Subject DN<\/strong>.<\/p>\n\n\n\n
![\"\"\/](\"http:\/\/www.cisco.com\/c\/dam\/en\/us\/td\/i\/300001-400000\/370001-380000\/371001-372000\/371527.tif\/_jcr_content\/renditions\/371527.jpg\")
<\/a><\/figure>\n\n\n\n4.<\/strong><\/a> From the Attribute<\/strong> drop-down list, choose Common Name (CN)<\/strong>, enter the ASA IP address for theValue<\/strong>, click Add<\/strong>, and then click OK<\/strong>.<\/p>\n\n\n\n
![\"\"\/](\"http:\/\/www.cisco.com\/c\/dam\/en\/us\/td\/i\/300001-400000\/370001-380000\/371001-372000\/371528.tif\/_jcr_content\/renditions\/371528.jpg\")
<\/a><\/figure>\n\n\n\n5.<\/strong><\/a> Check the Generate self-signed certificate<\/strong> check box and click Add Certificate<\/strong>.<\/p>\n\n\n\n
![\"\"\/](\"http:\/\/www.cisco.com\/c\/dam\/en\/us\/td\/i\/300001-400000\/370001-380000\/371001-372000\/371529.tif\/_jcr_content\/renditions\/371529.jpg\")
<\/a><\/figure>\n\n\n\n6.<\/strong><\/a> Click Apply<\/strong>.<\/p>\n\n\n\n
Export the New Certificate<\/h5>\n\n\n\n
Procedure<\/p>\n\n\n\n
1.<\/strong><\/a> Select the certificate, and click Export<\/strong>.<\/p>\n\n\n\n
![\"\"\/](\"http:\/\/www.cisco.com\/c\/dam\/en\/us\/td\/i\/300001-400000\/370001-380000\/371001-372000\/371530.tif\/_jcr_content\/renditions\/371530.jpg\")
<\/a><\/figure>\n\n\n\n2.<\/strong><\/a> Click Browse<\/strong> to choose a save location and name the certificate with the.csr extension (the Java Control Panel expects a.csr extension, so you can save yourself a step by using.csr even though this certificate is a CER file).<\/p>\n\n\n\n
3.<\/strong><\/a> Click the PEM Format (Certificate Only)<\/strong> radio button, and then click Export Certificate<\/strong>.<\/p>\n\n\n\n
![\"\"\/](\"http:\/\/www.cisco.com\/c\/dam\/en\/us\/td\/i\/300001-400000\/370001-380000\/371001-372000\/371531.tif\/_jcr_content\/renditions\/371531.jpg\")
<\/a><\/figure>\n\n\n\nSet the Certificate to Be Used with SSL<\/h5>\n\n\n\n
Procedure<\/p>\n\n\n\n
1.<\/strong><\/a> Choose Device Management > Advanced > SSL Settings<\/strong>. In the Certificates<\/strong> area, select the management interface entry, and click Edit<\/strong>.<\/p>\n\n\n\n
![\"\"\/](\"http:\/\/www.cisco.com\/c\/dam\/en\/us\/td\/i\/300001-400000\/370001-380000\/371001-372000\/371532.tif\/_jcr_content\/renditions\/371532.jpg\")
<\/a><\/figure>\n\n\n\n2.<\/strong><\/a> From the Primary Enrolled Certificate<\/strong> drop-down list, choose the newly-created certificate with the CN value of the ASA IP address, and click OK<\/strong>.<\/p>\n\n\n\n
![\"\"\/](\"http:\/\/www.cisco.com\/c\/dam\/en\/us\/td\/i\/300001-400000\/370001-380000\/371001-372000\/371533.tif\/_jcr_content\/renditions\/371533.jpg\")
<\/a><\/figure>\n\n\n\n3.<\/strong><\/a> Click Apply<\/strong>.<\/p>\n\n\n\n
![\"\"\/](\"http:\/\/www.cisco.com\/c\/dam\/en\/us\/td\/i\/templates\/blank.gif\")
<\/a><\/figure>\n\n\n\n