Install SSL certificate on Palo Alto Networks or Cisco ASA Firewalls


Firewalls require SSL/TLS certificates in scenarios such as the following:

  • Secure management WebGUI access
  • Provide SSL-based remote VPN
  • Perform peer authentication to establish Site-To-Site VPN tunnels

An administrator's tasks include obtaining a certificate from either a public or an enterprise Certificate Authority (CA), renewing it before it expires, and ensuring that the private key is kept safe and backed up.

This article describes the basic concepts behind an SSL certificate and gives step-by-step instructions on how to obtain a certificate, back it up and restore it if the device fails.

The diagram below shows the steps required to obtain an SSL certificate.

The installation process starts with the generation of a key pair.

What are private and public keys?

An asymmetric cryptography algorithm, in contrast to a symmetric one, uses two different keys: what one key encrypts (or signs) only the other can decrypt (or verify). The private key must be kept secret; the public key can be freely distributed. In TLS the firewall proves its identity by signing the handshake with its private key, and the certificate carries the matching public key.

The public key is derived from the private key using a one-way mathematical function; together they form a key pair. Knowing the public key does not allow the private key to be recovered in any practical amount of time.

The two algorithms supported by both ASA and Palo Alto firewalls are RSA (mature and universally supported) and ECDSA (elliptic curve; much smaller keys and faster signatures for equivalent strength).

Step 1. Generate a key pair

ASA firewall using ASDM

Key pair generation on the ASA in ASDM is started from the Identity Certificates menu. Navigate to Configuration > Device Management > Certificate Management > Identity Certificates and press the Add button.

As shown in the screenshot above, the key pair named <Default-RSA-Key> is selected by default. Press the New button next to Key Pair name to create either an RSA or an ECDSA key. The figure below shows a new RSA key pair being created.

ASA firewall using CLI

Select the algorithm to use:

ASA01(config)# crypto key generate ?
configure mode commands/options:
   ecdsa  Generate ECDSA keys
   rsa    Generate RSA keys

Example of RSA key generation:

ASA01(config)# crypto key generate rsa ?
configure mode commands/options:
   general-keys  Generate a general purpose RSA key pair for signing and
   label         Provide a label
   modulus       Provide number of modulus bits on the command line
   noconfirm     Specify this keyword to suppress all interactive prompting.
   usage-keys    Generate separate RSA key pairs for signing and encryption
ASA01(config)# crypto key generate rsa general-keys label TFKeyPair modulus ?
configure mode commands/options:
   1024  1024 bits
   2048  2048 bits
   4096  4096 bits
   512   512 bits
   768   768 bits
ASA01(config)# crypto key generate rsa general-keys label TFKeyPair modulus 2048
INFO: The name for the keys will be: TFKeyPair
Keypair generation process begin. Please wait…

Use a modulus of at least 2048 bits. The 512, 768 and 1024-bit options remain for legacy compatibility only: public CAs will not sign a request carrying such a key, and current browsers and VPN clients treat such certificates as weak. Also be aware that generating a key pair with a label that already exists replaces the old key pair (the ASA asks for confirmation unless noconfirm is given), which invalidates any certificate already tied to that label.

Example of ECDSA key generation:

ASA01(config)# crypto key generate ecdsa label TFKeyPair-ECDSA ?
configure mode commands/options:
   elliptic-curve  Choose the Elliptic Curve
   noconfirm       Specify this keyword to suppress all interactive prompting.
ASA01(config)# crypto key generate ecdsa label TFKeyPair-ECDSA elliptic-curve ?
configure mode commands/options:
   256  256 bits
   384  384 bits
   521  521 bits
ASA01(config)# crypto key generate ecdsa label TFKeyPair-ECDSA elliptic-curve 521
INFO: The name for the keys will be: TFKeyPair-ECDSA
Keypair generation process begin. Please wait…

The 256, 384 and 521 options correspond to the NIST curves P-256, P-384 and P-521. Before choosing ECDSA for an SSL VPN or management certificate, confirm that the VPN clients and browsers you have to support accept an ECDSA server certificate; an RSA key is still the safer default for broad compatibility.

Use the following command to display the list of key pairs (use show crypto key mypubkey ecdsa for ECDSA keys). Only the public key is ever shown; the private key does not appear in any show output, and to extract it you have to export it together with the identity certificate in PKCS#12 format (this is demonstrated in the Identity Certificate Backup section below):

ASA01# show crypto key mypubkey rsa 
Key pair was generated at: 12:17:57 GMT Jun 18 2019.
 Key name: TFKeyPair
  Usage: General Purpose Key
  Modulus Size (bits): 2048
  Storage: config
  Key Data:
 30820122 300d0609 2a864886 f70d0101 01050003 82010f00 3082010a 02820101 
   00d76663 f541db49 3a7c96bc ee5c8266 f411a0c4 65327846 ed2c5c61 89b04576 
   5a306d0e ec18e3d4 b8545961 50d8bdb8 e58a76a3 9acf028f 82f9c8e6 78d42389 
   ef0ba0a4 a0c71881 fdb300b9 dd4d0bd2 2b884403 4998839f 70fc79de fbcf5b37 
   446a68fc 6012b986 4d4a690b 20684231 fd388c6c 1619bac9 1aedba9f a1602dea 
   56907c8b 887477c5 e3e9e590 6f5f429f 15ece9f4 cf64d98b d94ad783 7d5fac83 
   e58bfd7c ee43894a 8d7b6730 092dff7e 35bda58a 9e606d26 456079ee b6348dcc 
   70a0f535 5033f1e1 889f52ae 56d126d2 64335ec4 625cddea 4103b8ca 5c8aa0e5 
   1c086062 a764f63c d011a2a5 e07ab69c af03ee5e a90c10dc cb125f95 030a870e 
   f1020301 0001
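The Key Data printed by show crypto key mypubkey rsa is the DER-encoded SubjectPublicKeyInfo structure; the same bytes are copied into the CSR in Step 2 and into the certificate the CA issues in Step 3. The Python script below is an added example, not part of the original article, that decodes that hex dump with a minimal standard-library DER walker, reports the modulus size and public exponent, computes the SHA-256 fingerprint of the SubjectPublicKeyInfo, and extracts the same structure from an issued DER certificate so the two can be compared before the certificate is installed in Step 4. The sample dump is the one shown above; the function names and the policy thresholds are the example's own.

```python
import hashlib
import re

# Constructed sample: the "show crypto key mypubkey rsa" dump shown above (TFKeyPair).
ASA_SHOW_OUTPUT = """Key pair was generated at: 12:17:57 GMT Jun 18 2019.
 Key name: TFKeyPair
  Key Data:
 30820122 300d0609 2a864886 f70d0101 01050003 82010f00 3082010a 02820101
   00d76663 f541db49 3a7c96bc ee5c8266 f411a0c4 65327846 ed2c5c61 89b04576
   5a306d0e ec18e3d4 b8545961 50d8bdb8 e58a76a3 9acf028f 82f9c8e6 78d42389
   ef0ba0a4 a0c71881 fdb300b9 dd4d0bd2 2b884403 4998839f 70fc79de fbcf5b37
   446a68fc 6012b986 4d4a690b 20684231 fd388c6c 1619bac9 1aedba9f a1602dea
   56907c8b 887477c5 e3e9e590 6f5f429f 15ece9f4 cf64d98b d94ad783 7d5fac83
   e58bfd7c ee43894a 8d7b6730 092dff7e 35bda58a 9e606d26 456079ee b6348dcc
   70a0f535 5033f1e1 889f52ae 56d126d2 64335ec4 625cddea 4103b8ca 5c8aa0e5
   1c086062 a764f63c d011a2a5 e07ab69c af03ee5e a90c10dc cb125f95 030a870e
   f1020301 0001
"""

OID_RSA_ENCRYPTION = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1


def _tlv(buf, pos):
    """Decode the DER element at buf[pos]: (tag, value, raw, next_pos).
    Single-byte tags and definite lengths only, which covers X.509."""
    tag, length, hdr = buf[pos], buf[pos + 1], 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
        hdr += n
    end = pos + hdr + length
    if end > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos + hdr:end], buf[pos:end], end


def _children(value):
    """Split the content of a constructed element into (tag, value, raw) tuples."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, raw, pos = _tlv(value, pos)
        out.append((tag, val, raw))
    return out


def asa_key_data_to_der(show_output):
    """Join the hex words printed after 'Key Data:' into the DER SubjectPublicKeyInfo."""
    words = []
    for line in show_output.split("Key Data:", 1)[1].splitlines():
        parts = line.split()
        if parts and all(re.fullmatch(r"[0-9a-fA-F]+", p) for p in parts):
            words.extend(parts)
        elif words:
            break                          # end of the dump, or the next key pair
    return bytes.fromhex("".join(words))


def parse_rsa_spki(spki_der):
    """Return modulus size, public exponent and SHA-256 of an RSA SubjectPublicKeyInfo."""
    tag, body, _, end = _tlv(spki_der, 0)
    if tag != 0x30 or end != len(spki_der):
        raise ValueError("expected a single SEQUENCE")
    (alg_tag, alg, _), (bs_tag, bitstr, _) = _children(body)
    if alg_tag != 0x30 or bs_tag != 0x03:
        raise ValueError("unexpected SubjectPublicKeyInfo layout")
    if _children(alg)[0][1] != OID_RSA_ENCRYPTION:
        raise ValueError("not an rsaEncryption key")
    if bitstr[0] != 0:
        raise ValueError("BIT STRING with unused bits")
    _, rsa_key, _, _ = _tlv(bitstr, 1)     # RSAPublicKey ::= SEQUENCE { n, e }
    (_, n, _), (_, e, _) = _children(rsa_key)
    return {
        "modulus_bits": int.from_bytes(n, "big").bit_length(),
        "exponent": int.from_bytes(e, "big"),
        "spki_sha256": hashlib.sha256(spki_der).hexdigest(),
    }


def key_findings(info, min_bits=2048):
    """Policy checks worth running before the CSR leaves the firewall (thresholds assumed)."""
    findings = []
    if info["modulus_bits"] < min_bits:
        findings.append(f"modulus is {info['modulus_bits']} bits, below {min_bits}")
    if info["exponent"] != 65537:
        findings.append(f"unusual public exponent {info['exponent']}")
    return findings


def spki_from_certificate_der(cert_der):
    """Return the raw SubjectPublicKeyInfo from a DER-encoded X.509 certificate."""
    _, cert, _, _ = _tlv(cert_der, 0)
    _, tbs, _, _ = _tlv(cert, 0)           # tbsCertificate is the first field
    fields = _children(tbs)
    if fields[0][0] == 0xA0:               # optional [0] EXPLICIT version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    return fields[5][2]


def certificate_matches_asa_key(cert_der, show_output):
    """True when the issued certificate carries exactly the firewall's public key."""
    return spki_from_certificate_der(cert_der) == asa_key_data_to_der(show_output)


if __name__ == "__main__":
    info = parse_rsa_spki(asa_key_data_to_der(ASA_SHOW_OUTPUT))
    print(info, key_findings(info) or "key policy OK")
```

Run it against a pasted show output to confirm the key is 2048-bit RSA with exponent 65537 before enrolling; when the CA returns the certificate, convert it to DER (the Windows CA offers DER directly, or decode the Base-64 body) and call certificate_matches_asa_key to make sure the CA signed the right request before importing it. The SPKI fingerprint is also what a client-side pin would be built on.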

Palo Alto Firewall

On a Palo Alto firewall a key pair cannot be generated without creating a CSR (or a self-signed certificate), so it is covered as part of Step 2.

Step 2. Create a CSR

What is PKCS?

The Public-Key Cryptography Standards (PKCS) were published by RSA Laboratories. Some of them define cryptographic operations and others define the formats of message containers, for example:

  • PKCS#7 – a container (Cryptographic Message Syntax) that carries one or more certificates and is used to distribute a CA chain; it never contains private keys
  • PKCS#10 – defines the format of a Certificate Signing Request (CSR): the subject name, the public key and a signature made with the matching private key, which proves to the CA that the requester holds that key
  • PKCS#12 – a container that holds the identity certificate, its private key and the CA certificate(s). It is used to back up and move identity certificates between systems. The private key is encrypted under a password, so choose a strong passphrase and treat the .p12 file itself as a secret.

ASA firewall using ASDM

What is Trustpoint in ASA?

A trustpoint is the ASA's term for a certificate object. It can represent an identity certificate, in which case it has a corresponding private key, or a CA certificate.

After completing Step 1 in ASDM, type in a locally significant trustpoint name, as shown in the figure below.

Instead of typing the Certificate Subject DN by hand, press the Select button and add the required attributes. See the screenshot below with a number of attributes filled in.

Press OK to close the window and then the Add Certificate button. Press the Advanced button and type in the FQDN that should match the common name. By default it is set to the actual hostname of the firewall, which may or may not be the name your users type when reaching the SSL VPN or the management interface of the firewall.

The FQDN is added to the certificate as a Subject Alternative Name (SAN). Modern browsers match the host name against the SAN list and ignore the common name, so every name users will connect to must be present as a SAN.

A pop-up window prompts for a location to save the CSR. This file is sent to the CA later.

It is ASCII (Base64) encoded, as shown in the screenshot below:

The certificate is now in a pending state, waiting for the CA to approve and sign the request.

ASA firewall using CLI

The following configuration achieves the same result as the ASDM-based configuration. The values of fqdn and of the CN in subject-name are blank in this listing; in practice fqdn should be the host name users connect to, and subject-name should carry that name as the CN ahead of the C, St and L attributes.

ASA01(config)# crypto ca trustpoint TF-TrustPoint
ASA01(config-ca-trustpoint)# enrollment terminal
ASA01(config-ca-trustpoint)# fqdn
ASA01(config-ca-trustpoint)# subject-name,C=US,St=California,L=San Francisco
ASA01(config-ca-trustpoint)# keypair TFKeyPair
ASA01(config-ca-trustpoint)# crl configure
ASA01(config-ca-crl)# exit

To display the CSR in the console window, use the enroll command as in the listing below. The warning about the fqdn differing from the system fqdn is expected when the certificate name is not the firewall's own hostname; it matters only if the certificate is also used for IKE/VPN peer authentication by FQDN.

ASA01(config)# crypto ca enroll TF-TrustPoint
WARNING: The certificate enrollment is configured with an fqdn
that differs from the system fqdn. If this certificate will be
used for VPN authentication this may cause connection problems.
Would you like to continue with this enrollment? [yes/no]: yes
% Start certificate enrollment ..
% The subject name in the certificate will be:,C=US,St=California,L=San Francisco
% The fully-qualified domain name in the certificate will be:
% Include the device serial number in the subject name? [yes/no]: no
Display Certificate Request to terminal? [yes/no]: yes
Certificate Request follows:

Palo Alto Firewall using WebGUI

Log in to the WebGUI and click on the Device tab. Then select Certificate Management > Certificates in the menu on the left and click the Generate button on the bottom toolbar.

The configuration dialog is shown below and has familiar options, such as the certificate common name and the cryptographic settings for the key pair (RSA or ECDSA, key size, digest). Set Signed By to External Authority (CSR); otherwise the firewall produces a self-signed certificate instead of a request.

The PAN-OS WebGUI does not provide an option to generate a key pair separately.

Press the Generate button and the certificate will appear in the list. Notice that the Key checkbox is selected, as we have the private key corresponding to this certificate. To export the CSR, click on the certificate and then press the Export Certificate button (yes, it exports the CSR for certificates that have not yet been issued).

Palo Alto Firewall using CLI

The listing below shows the command required to generate the CSR. The value of the name option (the FQDN that becomes the CN and first SAN) is blank in this listing and must be supplied.

admin@PA> request certificate generate
 ca                   Make this a signing certificate
 country-code         Country code
 days-till-expiry     Number of days till expiry
 digest               Digest Algorithm
 email                Email address of the contact person
 filename             file name for the certificate
 locality             Locality
 ocsp-responder-url   ocsp-responder-url
 organization         Organization
 signed-by            signed-by
 state                State/province
 algorithm            algorithm
 certificate-name     Name of the certificate object
 name                 IP or FQDN to appear on the certificate
   alt-email            Subject alternate Email type
   hostname             Subject alternate name DNS type
   ip                   Subject alternate name IP type
   organization-unit    Department
admin@PA> request certificate generate country-code US state California locality "San Francisco" name algorithm RSA
 rsa-nbits          Length of the key
 certificate-name   Name of the certificate object
admin@PA> request certificate generate country-code US state California locality "San Francisco" name algorithm RSA rsa-nbits
   1024     1024
   2048     2048
   3072     3072
   4096     4096
   512      512
     Length of the key
admin@PA> request certificate generate country-code US state California locality "San Francisco" signed-by external name algorithm RSA rsa-nbits 2048 certificate-name TF-VPN-CLI
Successfully generated certificate and key pair : TF-VPN-CLI

As on the ASA, pick rsa-nbits 2048 or higher; the 512 and 1024 options are legacy values. To download the CSR, the WebGUI is still required, as described in the previous section.

Step 3. Certificate Authority approval

I will be using a Windows 2012 R2 Certificate Authority server to issue the certificates. The end result of this step is a signed certificate that we can install on the firewall.

The process of obtaining a certificate from a public CA is generally simpler, as you are not required to set up your own CA. You will be required to prove control of the domain name, for example by creating a TXT record in the DNS zone or by approving an email sent to a registered contact address for the domain.

The CSR needs to be uploaded for the CA to process it. Once the certificate is issued, links are made available to download the certificate and the corresponding CA certificate chain.

The screenshots for the Windows CA setup follow. Steps that only require pressing Next and contain no relevant information are omitted.

Click on “Add roles and features” link in the quick start:

Select Active Directory Certificate Services (accept all pre-requisite installation prompts):

Add Certification Authority Web Enrollment role service (accept all pre-requisite installation prompts):

Once installation is completed first click on Tasks Flag and then on Configure Active Directory Certificate Services link.

As our server is not part of an Active Directory domain, only the Standalone CA option is available.

Root CA is selected, as this is the first and only Certificate Authority server we will be using in this example.

Create a new private key for the CA. This key (like any private key) must be protected in a production environment: whoever holds it can issue certificates that every client trusting this CA will accept, so in production it belongs in an HSM and the root CA is normally kept offline behind an issuing CA.

Select a 2048-bit key length and SHA512 as the hash algorithm.

Select a Common Name for the CA. In this lab environment, I've just used the host name of the server.

Now it's time to request the certificate using Web Enrollment. Open a browser on the server where we've just installed the CA role and use the following URL (the Web Enrollment path on an AD CS server is /certsrv). It is HTTP-based, which you wouldn't use in production because nothing protects the request and the returned certificate from tampering in transit, but for a lab it is acceptable.


Click on “Request a certificate” link.

Then select the "advanced certificate request" link, as we have all required information encoded in the CSR.

Paste the CSR content into the request field.

With a public Certificate Authority, validation starts at this stage and you would have to complete the steps required by the selected CA. In our case, we approve the request manually using the procedure below.

Navigate to Administrative Tools > Certification Authority.

Pending Requests will contain the request that we need to approve.

Select the request and navigate to the following menu: Action > All Tasks > Issue.

Return to the web browser, but this time click "View the status of a pending certificate request".

Select the certificate request.

Select Base 64 and click the "Download certificate" link.

The browser downloads the file in .CER format. This is the identity certificate. I used the CSR generated on the ASA; for the PA firewall I will go through the process again, pasting Palo Alto's request instead.

Go back to the CA's start page (3rd screenshot above) and select "Download a CA certificate, certificate chain, or CRL".

Select Base 64 encoding and then the "Download CA certificate" link. This is the CA certificate that we will use on the firewalls in the next step. It also needs to be placed in the Trusted Root Certification Authorities store on all client PCs so that they trust the ASA's or PA's certificates; distribute it through group policy or device management rather than teaching users to click through certificate warnings. If a public certificate authority is used, this step has already been performed by the browser or operating system vendor.

Step 4. Install Certificate on the Firewall

ASA Firewall using ASDM

We will start the installation by uploading the CA certificate first. Click the Configuration tab of ASDM and then select Device Management in the tabbed menu on the left.

Navigate to Certificate Management > CA Certificates. See the screenshot details below.

As it is not an identity certificate, no private key is required. The CA keeps its private key; we just need its public key, which is embedded in the certificate.

The second part of the process is the installation of the firewall's identity certificate. Navigate to Certificate Management > Identity Certificates. Finalize the installation by selecting the pending certificate and clicking the Install button.

Select the file location or paste the certificate in Base-64 text format. Press the Install Certificate button.

Validate that the installation was successful by checking that all fields, such as Issued By and Expiry Date, are now populated.

ASA Firewall using CLI

We start the installation with the CA certificate, in the same way as in ASDM. Define a trustpoint for the CA.

ASA01(config)# crypto ca trustpoint CA-DEV 
ASA01(config-ca-trustpoint)# enrollment terminal 
ASA01(config-ca-trustpoint)# crl configure
ASA01(config-ca-crl)# exit
ASA01(config-ca-trustpoint)# exit

Type the following command and paste in your CA certificate. Before answering yes, compare the fingerprint the ASA prints with the one shown on the CA itself; this prompt is the only point at which you verify that the certificate you are about to trust for every VPN and web session really is your CA's.

ASA01(config)# crypto ca authenticate CA-DEV
Enter the base 64 encoded CA certificate.
End with the word "quit" on a line by itself
INFO: Certificate has the following attributes:
Fingerprint:     f60006bf 3c11022f 76d294f9 2b9de905 
Do you accept this certificate? [yes/no]: yes
Trustpoint CA certificate accepted.
% Certificate successfully imported

Now it's time to install the identity certificate. Type in the command, referencing the identity trustpoint you created in Step 2, press Enter and then paste in the Base-64 text of the certificate. As per the instruction, type the word "quit" on a separate line to signal the end of the certificate. The ASA checks the certificate's signature against the CA certificate imported in the previous step, hence the "Signed by existing trustpoint CA certificate" message; an import that does not show this line means the chain is incomplete.

ASA01(config)# crypto ca import TF-TrustPoint certificate
Enter the base 64 encoded CA certificate.
End with the word "quit" on a line by itself
-----BEGIN CERTIFICATE-----
INFO: Certificate has the following attributes:
Fingerprint:     07f39730 cd50a849 dac1c9c4 73ce6e81
Do you accept this certificate? [yes/no]: yes
Certificate validated - Signed by existing trustpoint CA certificate.
Trustpoint CA certificate accepted.
% Certificate successfully imported

Use the following show command to see the list of installed certificates (note that the identity certificate is listed under the plain "Certificate" heading, without the CA prefix):

ASA01# show crypto ca certificates
Certificate
  Status: Available
  Certificate Serial Number: 20000000039b8343e7e2a9ca8e000000000003
  Certificate Usage: General Purpose
  Public Key Type: RSA (2048 bits)
  Signature Algorithm: SHA512 with RSA Encryption
  Issuer Name:
  Subject Name:
  CRL Distribution Points:
    [1]  file:////DEV2/CertEnroll/DEV2-CA.crl
  Validity Date:
    start date: 10:47:46 GMT Jun 20 2019
    end   date: 10:57:46 GMT Jun 20 2020
  Storage: config
  Associated Trustpoints: TF-TrustPoint
CA Certificate
  Status: Available
  Certificate Serial Number: 23487491513cd69146ab9ca60e20dc8b
  Certificate Usage: Signature
  Public Key Type: RSA (2048 bits)
  Signature Algorithm: SHA512 with RSA Encryption
  Issuer Name:
  Subject Name:
  Validity Date:
    start date: 11:48:09 GMT Jun 18 2019
    end   date: 11:58:09 GMT Jun 18 2024
  Storage: config
  Associated Trustpoints: CA-DEV
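The validity dates in this output are what you have to track for renewal (listed among the administrator's tasks at the start of the article): the moment the identity certificate expires, browsers and VPN clients stop trusting the firewall. The Python script below is an added example, not part of the original article. It parses the show crypto ca certificates text above into one record per certificate, reports the days remaining relative to a supplied reference date, and flags a certificate that is expired or close to it, one signed with SHA-1 or MD5, and an identity certificate whose validity window is not covered by any installed CA certificate. The sample text is the output shown above with the blank Issuer and Subject fields left as printed; the warning threshold and function names are the example's own.

```python
import re
from datetime import datetime, timezone

# Constructed sample: the "show crypto ca certificates" output above, with the
# blank Issuer/Subject fields left as printed.
SHOW_CERTS = """Certificate
  Status: Available
  Certificate Serial Number: 20000000039b8343e7e2a9ca8e000000000003
  Certificate Usage: General Purpose
  Public Key Type: RSA (2048 bits)
  Signature Algorithm: SHA512 with RSA Encryption
  Issuer Name:
  Subject Name:
  CRL Distribution Points:
    [1]  file:////DEV2/CertEnroll/DEV2-CA.crl
  Validity Date:
    start date: 10:47:46 GMT Jun 20 2019
    end   date: 10:57:46 GMT Jun 20 2020
  Storage: config
  Associated Trustpoints: TF-TrustPoint
CA Certificate
  Status: Available
  Certificate Serial Number: 23487491513cd69146ab9ca60e20dc8b
  Certificate Usage: Signature
  Public Key Type: RSA (2048 bits)
  Signature Algorithm: SHA512 with RSA Encryption
  Issuer Name:
  Subject Name:
  Validity Date:
    start date: 11:48:09 GMT Jun 18 2019
    end   date: 11:58:09 GMT Jun 18 2024
  Storage: config
  Associated Trustpoints: CA-DEV
"""

HEADER_RE = re.compile(r"^(CA Certificate|Certificate)\s*$")
DATE_RE = re.compile(r"(start|end)\s+date:\s+(\d\d:\d\d:\d\d) GMT (\w{3}) (\d{1,2}) (\d{4})")
KV_RE = re.compile(r"^\s*([A-Za-z][^:]*?):\s*(.*)$")   # "  Status: Available"


def _asa_date(time_s, mon, day, year):
    """ASA prints 'HH:MM:SS GMT Mon DD YYYY'; return an aware UTC datetime."""
    stamp = datetime.strptime(f"{time_s} {mon} {day} {year}", "%H:%M:%S %b %d %Y")
    return stamp.replace(tzinfo=timezone.utc)


def parse_show_crypto_ca_certificates(text):
    """One dict per 'Certificate' / 'CA Certificate' block, field names lower-cased."""
    certs = []
    for line in text.splitlines():
        header = HEADER_RE.match(line)
        if header:
            certs.append({"kind": "ca" if header.group(1).startswith("CA") else "identity"})
            continue
        if not certs:
            continue                        # command echo before the first block
        d = DATE_RE.search(line)
        if d:
            certs[-1][d.group(1)] = _asa_date(*d.groups()[1:])
            continue
        kv = KV_RE.match(line)
        if kv:
            certs[-1][kv.group(1).strip().lower()] = kv.group(2).strip()
    return certs


def days_remaining(cert, as_of):
    """Whole days until the certificate's end date, relative to an ISO date (UTC)."""
    now = datetime.strptime(as_of, "%Y-%m-%d").replace(tzinfo=timezone.utc)
    return (cert["end"] - now).days


def certificate_findings(certs, as_of, warn_days=30):
    """Operational checks: expiry, weak signature hash, identity not covered by a CA."""
    findings = []
    cas = [c for c in certs if c["kind"] == "ca"]
    for c in certs:
        label = c.get("associated trustpoints", "?")
        left = days_remaining(c, as_of)
        if left < 0:
            findings.append(f"{label}: expired {-left} days ago")
        elif left <= warn_days:
            findings.append(f"{label}: expires in {left} days, renew now")
        algo = c.get("signature algorithm", "").lower().replace("-", "")
        if "sha1" in algo or "md5" in algo:
            findings.append(f"{label}: signed with {c['signature algorithm']}, clients reject it")
        # Issuer names are blank in the sample, so check against every installed CA.
        if c["kind"] == "identity" and not any(
            ca["start"] <= c["start"] and c["end"] <= ca["end"] for ca in cas
        ):
            findings.append(f"{label}: validity window is not covered by any CA certificate")
    return findings


if __name__ == "__main__":
    parsed = parse_show_crypto_ca_certificates(SHOW_CERTS)
    for c in parsed:
        print(c["kind"], c["associated trustpoints"], "ends", c["end"].date())
    print(certificate_findings(parsed, "2020-05-01", warn_days=60) or "no findings")
```

Feed it the output collected from each firewall on a schedule (or paste it in by hand during a change window) and alert on any finding; with the sample above and a reference date of 2020-05-01 it reports that TF-TrustPoint expires in 50 days.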

Palo Alto Firewall using WebGUI

The PAN-OS WebGUI does not split the certificate menu into identity and CA certificates, so the process is similar for both. Navigate to Device > Certificate Management > Certificates. Identity certificates are nested under the CA certificate that issued them, which gives a nice hierarchical view of the chain. The end result looks like the screenshot below.

In Step 2 we prepared the CSR. To continue, click the Import button as shown above. Enter the certificate name exactly as typed in Step 2, so that PAN-OS attaches the issued certificate to the pending key pair, and the path to the file.

Then add the CA certificate. Click the Import button on the bottom toolbar.

Palo Alto Firewall using CLI

This does not appear to be possible as of PAN-OS 8.1.0.

Identity Certificate Backup

To export a certificate together with its private key, a PKCS#12 container is used on both firewalls.

ASA Firewall using ASDM

Navigate to Configuration > Device Management > Certificate Management > Identity Certificates and select the certificate you want to back up. Press the Export button.

Type in the file name to store it on the computer ASDM is launched from and choose an encryption passphrase. Use the .p12 extension, as Windows recognizes this as a PKCS#12 file. Keep the file and its passphrase apart from each other and in a secrets store rather than on a shared drive: anyone holding both can impersonate the firewall.

ASA Firewall using CLI

Using the CLI, type the following command. Cisco123 is the passphrase that encrypts the private key; use a strong one, and remember that both the passphrase and the exported blob end up in the terminal session log of whatever you used to connect, so clear that log afterwards.

ASA01(config)# crypto ca export TF-TrustPoint pkcs12 Cisco123
Exported pkcs12 follows:
-----BEGIN PKCS12-----
-----END PKCS12-----

Palo Alto Firewall using WebGUI

To export a certificate in PKCS#12 format, navigate to Device > Certificate Management > Certificates, select the identity certificate you want to back up and press the Export Certificate button on the bottom menu. Type in a passphrase and press OK. The file with the .p12 extension is downloaded by the web browser.

Note that, in contrast to the ASA, you can also export a Base-64 encoded PEM certificate with an encrypted private key.

The resulting file looks like shown in the screenshot below.

Palo Alto Firewall using CLI

This does not appear to be possible as of PAN-OS 8.1.0.

Certificate Operations

Once the certificates are exported in PKCS#12 format, they can be imported on the same device (for example after a factory reset or a hardware replacement) or on another device. On the ASA the command is crypto ca import <trustpoint> pkcs12 <passphrase>, followed by pasting the PKCS#12 blob; on PAN-OS use Import with the file format set to Encrypted Private Key and Certificate (PKCS12) and supply the passphrase.

Below are a couple of examples of how the certificate is applied to different services.

Activating the certificate for SSL VPN on the ASA is done by navigating to Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Connection Profiles. Press the Device Certificate button and select the identity certificate, as shown in the screenshot below. The CLI equivalent is ssl trust-point <trustpoint> <interface>.

In PAN-OS a certificate is not attached to a service directly: create an SSL/TLS Service Profile (Device > Certificate Management > SSL/TLS Service Profile) that references the identity certificate and sets the minimum TLS version, then navigate to Device > Setup, click the settings section shown in the screenshot below and select that profile.