09-20-2024 06:41 AM
I have imported the PKCS12 file into objects > PKI > Cert enrollment
When adding the cert to the device it is stating "CA not available". Is this because the CA Root and Sub CAs are also required to be added to the PKI cert enrollment section?
This particular wildcard cert uses Go Daddy, which is actually already defined in the Trusted CA section...
09-20-2024 06:47 AM
@NetworkMonkey101 create a new certificate enrollment with the CA certificate, then enroll to the FTD, which would create the local trustpoint on the FTD.
09-20-2024 10:08 AM
@NetworkMonkey101 like @Rob Ingram implied, your issuing CA certificate must be chained together with the wildcard certificate to make the CA section of the enrolled Trustpoint show green.
There's an excellent article on how to do so here: https://www.linkedin.com/pulse/anyconnect-ftd-pkcs12-openssl-matt-albrecht/
09-20-2024 12:22 PM - edited 09-21-2024 05:03 AM
Hi Marvin,
I have configured OpenSSL and I am using it to attempt to run through this guide - https://www.linkedin.com/pulse/anyconnect-ftd-pkcs12-openssl-matt-albrecht/
The issue I am now having is seen below; the first command is failing.
openssl pkcs12 -in <id_cert.pfx> -nocerts -out privateKey.key
User@B3SH4FS3 MSYS /c/Users/User/Downloads
$ openssl pkcs12 -in cert-wildcard-2024.pfx -nocerts -out privateKey.key
E82D0000:error:068000A8:asn1 encoding routines:asn1_check_tlen:wrong tag:crypto/asn1/tasn_dec.c:1186:
E82D0000:error:0688010A:asn1 encoding routines:asn1_item_embed_d2i:nested asn1 error:crypto/asn1/tasn_dec.c:349:Type=PKCS12
I have changed the cert file format to pfx and it is in my downloads folder and shows via the openssl ls command.
09-21-2024 08:45 PM - edited 09-21-2024 08:45 PM
@NetworkMonkey101 most likely your certificate file "cert-wildcard-2024.pfx" is not a binary blob with the certificate and private key but is instead a Base64-encoded certificate. You can check it by opening it with a text editor to confirm.
09-23-2024 05:38 AM
You must first export the certificate and key from ASA or FTD as a PKCS12 (*.p12 file), which will include the private key. Having that private key is a requirement to make the certificate "portable".
It then needs to be converted from base64 to pem (*.pfx file) format using openssl.
If you don't currently have a good certificate, you can follow this method: https://www.fragmentationneeded.net/2015/04/exporting-rsa-keys-from-cisco-asa.html
You can then export with the chain via openssl.
PS C:\Program Files\OpenSSL-Win64\bin> ./openssl base64 -in .\<cert name>.p12 -d -out .\<cert name>.pfx
PS C:\Program Files\OpenSSL-Win64\bin> ./openssl pkcs12 -info -in .\<cert name> -nodes
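The two posts above both come down to one check: is the .p12/.pfx file the raw binary (DER) PKCS#12 blob that `openssl pkcs12` expects, or is it Base64 text that still needs decoding (the `base64 -d` step)? The asn1 "wrong tag" error in the earlier post is what OpenSSL reports when the first byte of the file is not the DER SEQUENCE tag (0x30) it expects; a Base64-encoded export begins with the letter "M" instead. The script below is an added example, not code from this thread or from Cisco; it uses only the Python standard library, classifies a file as DER or Base64, decodes it to DER when needed, and sanity-checks the outer structure (SEQUENCE containing the PFX version INTEGER 3, per RFC 7292) before you hand the result to `openssl pkcs12 -info`. The sample bytes embedded in it are a constructed, syntactically minimal PFX shell, not a real certificate.

```python
"""Classify a PKCS#12 file as binary DER or Base64 text and normalise it to DER.

Added example for the thread above (not Cisco's or the poster's code).
Standard library only; SAMPLE_DER below is constructed, not a real PFX.
"""
import base64
import re
import sys

DER_SEQUENCE = 0x30  # every PKCS#12 (PFX) file begins with an ASN.1 SEQUENCE tag
DER_INTEGER = 0x02
PFX_VERSION = 3      # PFX.version is INTEGER v3(3) per RFC 7292


def classify(blob: bytes) -> str:
    """Return 'der', 'base64' or 'unknown' for the raw file contents."""
    if not blob:
        return "unknown"
    if blob[0] == DER_SEQUENCE:
        return "der"
    # Base64 of DER that starts 0x30 0x82 always begins with "MII"; a text
    # export may also carry PEM-style "-----BEGIN ...-----" armour lines.
    body = b"".join(l.strip() for l in blob.splitlines() if not l.startswith(b"-----"))
    if body and re.fullmatch(rb"[A-Za-z0-9+/]+=*", body):
        return "base64"
    return "unknown"


def to_der(blob: bytes) -> bytes:
    """Return the DER bytes, decoding Base64 text if that is what we were given."""
    kind = classify(blob)
    if kind == "der":
        return blob
    if kind == "base64":
        lines = [l.strip() for l in blob.splitlines() if not l.startswith(b"-----")]
        return base64.b64decode(b"".join(lines), validate=True)
    raise ValueError("file is neither DER nor Base64 text")


def _read_tlv(buf: bytes, pos: int):
    """Minimal DER tag/length reader: returns (tag, value_start, value_end)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def looks_like_pfx(der: bytes) -> bool:
    """True if the outer SEQUENCE spans the whole file and starts with INTEGER 3."""
    try:
        tag, start, end = _read_tlv(der, 0)
        if tag != DER_SEQUENCE or end != len(der):
            return False
        vtag, vstart, vend = _read_tlv(der, start)
        return vtag == DER_INTEGER and int.from_bytes(der[vstart:vend], "big") == PFX_VERSION
    except IndexError:
        return False


# Constructed sample: SEQUENCE { INTEGER 3, SEQUENCE {} } -- the smallest
# byte string that passes the structural check; no keys or certs inside.
SAMPLE_DER = bytes.fromhex("30 05 02 01 03 30 00")
SAMPLE_B64 = base64.b64encode(SAMPLE_DER)  # what a text-mode export would contain


if __name__ == "__main__":
    path = sys.argv[1]
    with open(path, "rb") as fh:
        raw = fh.read()
    print(f"{path}: {classify(raw)}")
    der = to_der(raw)
    out = path + ".der"
    with open(out, "wb") as fh:
        fh.write(der)
    print(f"wrote {out}; structural PFX check: {'ok' if looks_like_pfx(der) else 'FAILED'}")
```

Run it as `python pfxcheck.py cert-wildcard-2024.pfx`; if it reports `base64`, the written `.der` file is the one to pass to `openssl pkcs12 -info -in cert-wildcard-2024.pfx.der -nodes`. The structural check only confirms the outer envelope, so a file that passes it can still have the wrong password or a missing chain; those are reported by OpenSSL itself.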