
Certificate export from ASA to IIS

rahmant (Level 1)

Has anyone ever tried to export an identity certificate from an ASA unit for import into IIS?  Running 8.2(1) and ASDM 6.3(1).

Via the ASDM, I've tried to export the cert in either PKCS12 or PEM format but I can get neither working.  When trying to import the PKCS12 exported file directly into the Windows certificate store, I run into errors about the passphrase being incorrect.  I've also tried to export into PEM format, but when I use OpenSSL to try and convert it to PKCS12, the OpenSSL client gives me an error message stating that it's "unable to load the private key".

Thanks for any guidance/help.

Tariq


mirober2 (Cisco Employee)

Hi Tariq,

Are you using a passphrase to encrypt the exported certificate? It sounds like the certificate store is unable to decrypt the certificate and import it. I tried it on my lab firewall and it worked as expected. Double check to make sure you're using the correct passphrase.

Have you tried exporting the cert without a passphrase and see if that works?

Hope that helps.

-Mike

With a PEM export, the ASDM lets me export without a passphrase.  With PKCS12, it seems to require one.

Some questions:

-) What version of the ASA OS are you running in your lab?  What version of ASDM?

-) What type of export did you do - PKCS12 or PEM?

-) Did you do the export from the cmdline or from the ASDM?

-) What version of IIS did you import to?

I tried to do the export/import with just a single character passphrase to no avail.  The problem for me isn't on the export, it's on getting IIS to recognize the export file (or at least accept it).

Thanks,

Tariq

Hi Tariq,

Thanks that makes sense. I think you're running into a couple of issues:

1. When you export the cert as PKCS12, it is encoded in base64 and includes the private key. However, the Windows cert store doesn't support this format, so you'd need to use OpenSSL to strip this information out. This is from the Windows help file on Certificates:

The Base64 format supports storage of a single certificate. This format does not support storage of the private key or certification path.

2. When you tried to export the PEM cert from ASDM, the certificate was probably still exported as base64 PKCS12. This is due to the ASDM bug CSCtf25281 (fixed in a future ASDM 6.4 release).

In my tests, the PKCS12 import fails from both the CLI and ASDM since the exported cert includes the private key. PEM import when the cert is exported via the CLI works just fine, but when I export the cert via ASDM it is still exported as PKCS12 due to the above bug.

Try exporting the cert with the 'crypto ca export identity-certificate' command from the CLI and that should work just fine. Otherwise, you'll need to open the cert with OpenSSL first:

Convert from base64 to binary:

openssl base64 -in pkcs12-1.txt -d -out pkcs12-1.bin

View the exported cert:
openssl pkcs12 -in pkcs12-1.bin

Hope that helps.

-Mike

Mike - you hit the nail on the head

I did the export via the CLI (though I think the export was similar to the PEM format that was done from the ASDM).  The trick was in the OpenSSL manipulation of the file after the export was done.  Your command to convert to binary was good and I was able to import the resulting binary into my IIS webserver.

Thanks for your help,

Tariq

chang.dennis (Level 1)

I'm trying to do exactly the same thing.  Maybe I can help by providing more info.

Here's the deal:  We have an ASA 5505 running 8.2 and 6.2.  It has a Default-RSA-Key (private) and a matching SSL certificate that works great on the SSL VPN.

When I export the certificate, I can choose PEM format, which always works without asking for a passphrase and which produces a .pem file that can be imported without trouble into Windows 2003's Certificate Utility and then into IIS.  HOWEVER, though the certificate is imported just fine and says it's okay, it doesn't actually work.  I tried repairing the certificate store using the certutil.exe -repairstore my "cert s/n" command, but it cannot do so without the private key from the ASA (Default-RSA-Key) placed in the proper location.  The output ends with:

No key provider information

No stored keyset property

CertUtil: -repairstore command FAILED: 0x8009000b (-2146893813)

CertUtil: Key not valid for use in specified state.

What is weird is that the certificate is described as "ok" all the way up the chain in the Details tab if viewed on Windows.

-----

The other option to export is the PKCS12 format, which requires a passphrase (entered twice to confirm).  The export works and creates a .p12 file, but that file cannot be imported into Windows 2003, because it always says the passphrase is incorrect, no matter what passphrase I use.

-----

At this point, it looks like there are two options:

1)  Assume that the PEM certificate is good and try to get the Default-RSA-Key copied from the ASA to the correct directory on the Windows 2003 Server, then run certutil.exe to repair the store and match the private key to the certificate.

2) Revoke the ASA's working certificate, generate a private key on the Windows 2003 Server, request a new certificate for the same domain name and install it on IIS, then export the pair to the ASA.

Any help would be much appreciated!

chang.dennis (Level 1)

I confirmed that the problem is with the PKCS12 file by trying to convert the .p12 file using this site:

https://www.sslshopper.com/ssl-converter.html

It also complained that the passphrase was wrong, no matter what passphrase I set.

Hi Dennis,

Although the SSLShopper site supports having the private key in the PKCS12 export, you would still need to convert it with OpenSSL first because it requires that the cert be in binary format. The ASA will export the cert in base64 format.

https://www.sslshopper.com/ssl-converter.html

The PKCS#12 or PFX format is a binary format for storing the server certificate, any intermediate certificates, and the private key in one encryptable file.

Hope that helps.

-Mike
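The two failure modes in this thread (Mike's accepted answer: the Windows store rejects a base64-text PKCS12 with a misleading "password is incorrect" error; Dennis's and Tariq's PEM exports: the file imports or opens fine but carries no private key, so OpenSSL says "unable to load the private key" and certutil -repairstore reports "No key provider information") both come down to not knowing what the ASA actually wrote to the file. The script below is an added example, not code from the thread, from Cisco or from Microsoft. It inspects an export, reports whether it is binary PKCS#12, base64 PKCS#12, or PEM (and whether a private key is present), and performs the same conversion as Mike's "openssl base64 -d" step in pure Python. It assumes the ASA wraps a PKCS12 export in "-----BEGIN PKCS12-----" / "-----END PKCS12-----" lines (an assumption; it also handles bare base64 with no markers) and that PEM exports use the standard CERTIFICATE / PRIVATE KEY markers. The sample inputs at the bottom are constructed stand-ins, not real certificates or keys.

```python
"""Inspect an ASA certificate export and normalise it for Windows/OpenSSL.

Added example, not from the thread.  Assumption: the ASA wraps a PKCS12
export in '-----BEGIN PKCS12-----' / '-----END PKCS12-----' lines; bare
base64 without markers is handled too.
"""
import base64
import binascii
import re

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def der_length_ok(data: bytes) -> bool:
    """True if data is exactly one DER SEQUENCE (tag 0x30) with a consistent length.

    A PKCS#12 PFX is an ASN.1 SEQUENCE, so a correctly decoded export must
    start with 0x30 and its length field must account for every byte that
    follows; base64 text fails this check immediately.
    """
    if len(data) < 2 or data[0] != 0x30:
        return False
    first = data[1]
    if first < 0x80:                      # short form: one length byte
        body_len, hdr = first, 2
    else:                                 # long form: 0x8N, then N length bytes
        n = first & 0x7F
        if n == 0 or len(data) < 2 + n:
            return False
        body_len = int.from_bytes(data[2:2 + n], "big")
        hdr = 2 + n
    return len(data) == hdr + body_len


def _b64(body: str):
    """Strict base64 decode of a possibly line-wrapped body; None if not base64."""
    try:
        return base64.b64decode("".join(body.split()), validate=True)
    except (binascii.Error, ValueError):
        return None


def classify_export(raw: bytes) -> dict:
    """Work out what an ASA export file actually contains.

    kind    -- 'binary-pkcs12', 'base64-pkcs12', 'pem' or 'unknown'
    blocks  -- PEM block labels seen (for 'pem')
    has_key -- private key present (a PEM key block, or any PKCS#12)
    pkcs12  -- binary PKCS#12 bytes ready for Windows/OpenSSL, if any
    """
    # Case 1: already binary DER, e.g. the output of 'openssl base64 -d'.
    if der_length_ok(raw):
        return {"kind": "binary-pkcs12", "blocks": [], "has_key": True, "pkcs12": raw}

    text = raw.decode("ascii", errors="replace")
    blocks = PEM_BLOCK.findall(text)
    labels = [label for label, _ in blocks]

    # Case 2: base64 PKCS12 wrapped in markers.  This is the form that makes the
    # Windows store complain about the passphrase; it must be decoded first.
    for label, body in blocks:
        if "PKCS12" in label:
            der = _b64(body)
            if der is not None and der_length_ok(der):
                return {"kind": "base64-pkcs12", "blocks": labels, "has_key": True, "pkcs12": der}

    # Case 3: a real PEM export.  Certificate-only PEM is what gives
    # "unable to load the private key" and the certutil -repairstore failure.
    if blocks:
        has_key = any("PRIVATE KEY" in label for label in labels)
        return {"kind": "pem", "blocks": labels, "has_key": has_key, "pkcs12": None}

    # Case 4: bare base64 with no markers at all.
    der = _b64(text)
    if der is not None and der_length_ok(der):
        return {"kind": "base64-pkcs12", "blocks": [], "has_key": True, "pkcs12": der}
    return {"kind": "unknown", "blocks": [], "has_key": False, "pkcs12": None}


def to_binary_pkcs12(raw: bytes) -> bytes:
    """Equivalent of 'openssl base64 -d' for an ASA export; raises if the input
    is not a (base64 or binary) PKCS#12 blob, instead of producing a file that
    Windows will reject with a passphrase error."""
    info = classify_export(raw)
    if info["pkcs12"] is None:
        raise ValueError("not a PKCS#12 export: %s %s" % (info["kind"], info["blocks"]))
    return info["pkcs12"]


# --- constructed sample inputs (stand-ins, not real certificates or keys) ----
# A DER SEQUENCE with a long-form length (0x81 0x80 = 128 bytes of body).
FAKE_PFX_DER = b"\x30\x81\x80" + b"\x04\x7e" + b"\xaa" * 126
FAKE_ASA_PKCS12_EXPORT = ("-----BEGIN PKCS12-----\n" + base64.encodebytes(FAKE_PFX_DER).decode()
                          + "-----END PKCS12-----\n").encode()
FAKE_PEM_CERT_ONLY = b"-----BEGIN CERTIFICATE-----\nMIIB\n-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    for name, blob in [("asa-pkcs12", FAKE_ASA_PKCS12_EXPORT), ("pem", FAKE_PEM_CERT_ONLY)]:
        info = classify_export(blob)
        print(name, info["kind"], "has_key=%s" % info["has_key"], "blocks=%s" % info["blocks"])
```

Write the bytes returned by to_binary_pkcs12() to a .p12 file and import that into the Windows store with the passphrase given at export time; "openssl pkcs12 -in file.p12 -info -noout" will prompt for the same passphrase and list the bags, which confirms the file is binary PKCS#12 before IIS ever sees it. A result of kind "pem" with has_key False means the export never contained the key, and no amount of store repair on the Windows side will recover it; re-export as PKCS12 (or regenerate the key pair where the certificate needs to live) instead.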
