I've found that the documentation for this is not very user friendly, and you may run into this issue if you cannot configure an ASA through ASDM.
There are a lot of posts about Java issues with ASDM. One of the workarounds is to install a trusted identity certificate on the ASA. You may not want to purchase a public SSL certificate, so here is an alternative that uses a private one issued by your internal CA.
I will assume that you have already issued an internal server certificate and that you also have your internal root CA certificate.
The server certificate plus its private key is in PKCS12 (.pfx) format, protected with a password, and the root certificate is a plain base64 (PEM) certificate, not encrypted.
The issue is that the ASA expects the server certificate to be imported as a base64-encoded PKCS12 (.p12) blob.
Take your .pfx file and base64-encode it with the following command:
#openssl base64 -in xxxxx.pfx > xxxxx.base64
Then open the resulting file and add the PKCS12 header and footer lines (-----BEGIN PKCS12----- above the base64 text and -----END PKCS12----- below it). Copy and paste the whole thing into the ASA without leaving any blank lines or trailing spaces.
Verify that the trustpoint was created:
ASA(config)# show crypto ca trustpoints BRATO
Trustpoint BRATO:
    Not authenticated.
Verify that the key was created (| b is short for | begin, which starts the output at the first line matching BRATO):
ASA(config)# show crypto key mypubkey rsa | b BRATO
Key name: BRATO
 Usage: General Purpose Key
 Modulus Size (bits): 1024
 Key Data:
The key size is whatever your CA issued inside the .pfx; 1024-bit RSA is below current minimums, so issue the server certificate with at least a 2048-bit key.
The last step is to add the root and intermediate certificates to the chain. This is why the trustpoint shows as Not authenticated. Base64-encode your certificate chain again, and remember to put the certificates in issuing order (the CA that signed the server certificate first, up to the root):
Certificate has the following attributes:
Fingerprint: xxxxxxx xxxxxxxx xxxxxxx xxxxx
% Do you accept this certificate? [yes/no]: yes
Trustpoint CA certificate accepted.
% Certificate successfully imported
ASA(config)# show crypto ca trustpoint BRATO
Trustpoint BRATO:
    Subject Name:
    cn=brato-DC-CA
    dc=brato
    dc=local
    Serial Number: gglfshlkahfklsahflkhaslkf
    Certificate configured.
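To make the two encoding steps concrete, here is a small shell script, added as an example and not part of the original write-up. It builds a throwaway root -> intermediate -> server PKI with openssl (the CN names, the passphrase demo and the temp-directory layout are constructed for the demo; BRATO is the trustpoint name from the write-up), produces the header-wrapped base64 PKCS12 text for the import step and the CA chain in issuing order, and checks that order by matching each certificate's issuer to the next certificate's subject. It assumes openssl is on the PATH.

```shell
#!/bin/sh
# Added example (not from the original post): prepare the files the ASA
# import steps need, using a throwaway root -> intermediate -> server PKI
# that this script constructs itself. The passphrase "demo" and the CN
# names are assumptions for the demo; substitute your own.
set -eu

# Base64-encode a .pfx and wrap it in the PKCS12 markers, with no extra
# whitespace, ready to paste at the ASA "crypto ca import" prompt.
wrap_pkcs12() {                      # $1 = input .pfx, $2 = output text file
  {
    printf '%s\n' '-----BEGIN PKCS12-----'
    openssl base64 -in "$1"          # 64-character lines, trailing newline
    printf '%s\n' '-----END PKCS12-----'
  } > "$2"
}

# Concatenate CA certificates into one PEM file in issuing order: the CA
# that signed the server certificate first, then its issuer, up to the root.
build_chain() {                      # $1 = output PEM, $2.. = CA certs in issuing order
  out=$1; shift
  : > "$out"
  for c in "$@"; do
    openssl x509 -in "$c" >> "$out"  # re-emits clean PEM, dropping any text header
  done
}

# Check that a chain really is in issuing order: the issuer of each
# certificate must equal the subject of the next one. Returns 1 at the
# first broken link, 0 when every link matches.
check_chain() {                      # $1 = server cert, $2.. = CA certs in issuing order
  prev=$1; shift
  for c in "$@"; do
    issuer=$(openssl x509 -in "$prev" -noout -issuer -nameopt RFC2253)
    subject=$(openssl x509 -in "$c" -noout -subject -nameopt RFC2253)
    [ "${issuer#issuer=}" = "${subject#subject=}" ] || return 1
    prev=$c
  done
}

# Build the constructed demo PKI in a temp dir, run the helpers on it and
# print the directory so the caller can inspect server.base64 and chain.pem.
demo() {
  d=$(mktemp -d)
  (
    cd "$d"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
      -subj /CN=demo-root -keyout root.key -out root.crt
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
      -subj /CN=demo-intermediate -keyout int.key -out int.csr
    openssl x509 -req -in int.csr -CA root.crt -CAkey root.key -CAcreateserial \
      -sha256 -days 1 -out int.crt
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
      -subj /CN=asa.brato.local -keyout server.key -out server.csr
    openssl x509 -req -in server.csr -CA int.crt -CAkey int.key -CAcreateserial \
      -sha256 -days 1 -out server.crt
    # The .pfx as an internal CA hands it to you: server cert + key, password-protected.
    openssl pkcs12 -export -inkey server.key -in server.crt -passout pass:demo -out server.pfx
  ) 2>/dev/null
  wrap_pkcs12 "$d/server.pfx" "$d/server.base64"
  build_chain "$d/chain.pem" "$d/int.crt" "$d/root.crt"
  check_chain "$d/server.crt" "$d/int.crt" "$d/root.crt"
  printf '%s\n' "$d"
}

dir=$(demo)
echo "server.base64 and chain.pem are in $dir"
```

On the ASA, paste the contents of server.base64 at the prompt of crypto ca import BRATO pkcs12 <passphrase> and finish with quit; then paste the issuing CA certificate at crypto ca authenticate BRATO, which is the command that produces the "Do you accept this certificate?" prompt shown above. Finally bind the trustpoint to the interface ASDM connects to with ssl trust-point BRATO <interface>, otherwise the ASA keeps presenting its self-signed certificate. One caveat: OpenSSL 3 writes PKCS12 files with PBES2/AES by default, and some older ASA releases refuse to import those; if the import fails, regenerate the .pfx with -legacy (or with -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1).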