ASA identity certificate export password issue

andrewswanson
Level 7

Hello
I exported an identity certificate from an ASA 5585 (asa915-smp-k8.bin) - I essentially followed the steps in the post below:
 
https://supportforums.cisco.com/document/12466681/how-export-asa-identity-certificate-through-asdm

When I try and import this certificate back into the ASA (or open the p12 in Windows 7) I get a message stating that the password I entered is incorrect. I tested this with self signed and 3rd party signed certificates with the same results.

To ensure that it wasn't an ASDM issue I exported from the ASA cli:

crypto ca export <TRUSTPOINT> pkcs12 <PASSWORD>

No matter what way I export the certificate, when I try and open it or import back into the ASA I get a message stating the password I used was incorrect (I'm using a simple password with no special characters). Can anyone tell me where I'm going wrong?

Thanks
Andy


James Leinweber
Level 4

I haven't tried moving trustpoints around using the GUI ASDM interface.  From an SSH session, running

   crypto ca export foo.trustpoint pkcs12 <PASSWORD>

on the first firewall, copying the output, and then running:

   crypto ca import foo.trustpoint pkcs12 <PASSWORD>

      ....paste crypto block here

   QUIT

has worked.  I can't remember if having the trustpoint names match on the export and import mattered or not; on the most recent set I've done I've happened to use matching names.

-- Jim Leinweber, WI State Lab of Hygiene

traby0128
Level 1

Found this thread while I was researching an issue of my own. Super old post but this thread might save someone lots of time one day.

 

The reason the password fails during export is because you have a base64 cert and you need a binary cert (DER) for Windows. You can convert back and forth if needed using certutil in Windows.

 

To convert from binary to Base64:

certutil -encode filename.cer newfilename.cer

 

To convert from Base64 to binary:

certutil -decode filename.cer newfilename.cer

 

https://knowledge.digicert.com/solution/SO4248.html
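
The base64-versus-binary distinction described in the reply above can be checked before any password is tried. The following is an added example, not part of the original thread or of any Cisco or Microsoft tooling: it reports which form an exported file is in and returns the binary form, which is what `certutil -decode` produces. The `-----BEGIN PKCS12-----` armor label and the sample bytes are assumptions constructed for the demonstration.

```python
import base64
import binascii
import re

# PEM-style armor lines. The "PKCS12" label used in the sample is an assumption.
ARMOR = re.compile(rb"^-----(BEGIN|END) [A-Z0-9 ]+-----\s*$", re.M)


def is_der(data: bytes) -> bool:
    """True if data is one DER SEQUENCE whose declared length spans the buffer."""
    if len(data) < 2 or data[0] != 0x30:      # 0x30 = SEQUENCE tag
        return False
    first = data[1]
    if first < 0x80:                          # short-form length
        return len(data) == 2 + first
    n = first & 0x7F                          # long form: n length bytes follow
    if n == 0 or n > 4 or len(data) < 2 + n:
        return False
    return len(data) == 2 + n + int.from_bytes(data[2:2 + n], "big")


def to_binary_pkcs12(data: bytes) -> tuple[bytes, str]:
    """Return (binary_bytes, detected_form); detected_form is 'binary' or 'base64'."""
    if is_der(data):
        return data, "binary"
    # Drop armor lines and all whitespace, then decode strictly.
    body = b"".join(ARMOR.sub(b"", data).split())
    try:
        decoded = base64.b64decode(body, validate=True)
    except binascii.Error as exc:
        raise ValueError("input is neither binary DER nor base64 text") from exc
    if not is_der(decoded):
        raise ValueError("base64 decoded, but the payload is not a DER SEQUENCE")
    return decoded, "base64"


# Constructed sample: a 260-byte DER SEQUENCE shell, not a real PKCS#12 file.
SAMPLE_DER = b"\x30\x82\x01\x00" + bytes(range(256))
SAMPLE_ARMORED = (b"-----BEGIN PKCS12-----\r\n"
                  + base64.encodebytes(SAMPLE_DER)
                  + b"-----END PKCS12-----\r\n")

if __name__ == "__main__":
    for name, blob in (("binary", SAMPLE_DER), ("armored", SAMPLE_ARMORED)):
        out, kind = to_binary_pkcs12(blob)
        print(name, "->", kind, len(out), "bytes")
```

The check only inspects the outer ASN.1 length, so it never needs the export password and never touches the private key material.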