05-17-2020 06:00 AM
I recently uploaded an SSL certificate (wildcard) on the ASA Firewall, issued by DigiCert. I got one SSL certificate, an Intermediate CA and a TrustedRoot certificate.
As far as I know, for an SSL certificate to function, the server (in this case the ASA) needs a private key to decrypt the data sent by the client (my laptop, for example).
But when I uploaded the SSL certificate onto the ASA Firewall, I didn't say any private key except the passphrase while importing it on the ASA.
When the browser hits "https://ASA IP", the browser would be given the SSL certificate, which contains the public key. The browser now encrypts the cipher information and symmetric key with the public key available in the SSL certificate and sends it back to the ASA FW IP.
How can the ASA Firewall decrypt the message sent by the browser, as I had never entered the private key? Am I missing any point?
05-17-2020 07:13 AM
If the ASA certificate chain was given to you with a passphrase, that generally indicates the associated key is included in the bundle. When you installed it, the ASA saved it along with everything else.
Both the key and certificate are each just a couple hundred bytes so it's easy enough to bundle them together in a passphrase-protected file.
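What the reply above describes can be checked on the file itself. The following is an added example, not part of the thread: it assumes the passphrase-protected file is a PKCS#12 bundle (.p12/.pfx) and that the OpenSSL CLI is installed, and the file names, passphrase and function names are constructed for the demo.

```bash
#!/usr/bin/env bash
# Constructed demo: build a throwaway key and self-signed wildcard certificate,
# bundle them, then inspect the bundles as you would a file received from a CA.
PASS='constructed-demo-passphrase'   # sample value, not from the thread

make_demo_bundles() {   # $1 = working directory
  ( cd "$1" &&
    openssl req -x509 -newkey rsa:2048 -nodes -keyout key.pem -out cert.pem \
      -days 1 -subj '/CN=*.example.test' 2>/dev/null &&
    openssl pkcs12 -export -inkey key.pem -in cert.pem \
      -out with-key.p12 -passout "pass:$PASS" &&
    openssl pkcs12 -export -nokeys -in cert.pem \
      -out cert-only.p12 -passout "pass:$PASS" )
}

# True if the bundle ($1), opened with passphrase ($2), carries a private key.
bundle_has_key() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes 2>/dev/null \
    | grep -q 'PRIVATE KEY'
}

# True if the public half of the bundled key equals the certificate's public key.
bundle_key_matches_cert() {
  local from_key from_cert
  from_key=$(openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes 2>/dev/null \
    | openssl pkey -pubout 2>/dev/null) || return 1
  from_cert=$(openssl pkcs12 -in "$1" -passin "pass:$2" -clcerts -nokeys 2>/dev/null \
    | openssl x509 -pubkey -noout 2>/dev/null) || return 1
  [ -n "$from_key" ] && [ "$from_key" = "$from_cert" ]
}

demo() {
  local d f
  d=$(mktemp -d) || return 1
  make_demo_bundles "$d" || return 1
  for f in with-key.p12 cert-only.p12; do
    if ! bundle_has_key "$d/$f" "$PASS"; then
      echo "$f: no private key inside (certificate only)"
    elif bundle_key_matches_cert "$d/$f" "$PASS"; then
      echo "$f: private key present and matches the certificate"
    else
      echo "$f: private key present but does NOT match the certificate"
    fi
  done
  rm -rf "$d"
}
demo
```

A bundle that reports a private key should be handled as key material: whoever holds the file and its passphrase can impersonate every host the wildcard covers.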
05-17-2020 08:46 AM
If that's the case, the CA should know the private key as well, right? With the normal process, the certificate signing request won't contain the private key.
I didn't create CSR. So, I am confused.
05-18-2020 05:01 AM
It depends. Some CAs allow CSR generation using their tools. In those cases, the private key is retained for use cases just such as yours - to later distribute along with the certificate.