Replacing the Java Code Signing Certificate on the ASA 55xx VPN/Firewall Appliance

Introduction

ASAs provide a temporary code signing certificate to sign Java applets (for the Java rewriter and plugins). The temporary certificate lets Java applets perform their intended functions without a warning message. ASA administrators should replace the temporary certificate before it expires with their own code signing certificate issued by a trusted certificate authority (CA). This CA can be a public CA, such as Verisign, GoDaddy or Thawte, or an enterprise CA that is trusted by the employees' web browsers. Without a valid certificate, end users will see a warning message when they use any Java applets.

 

Note: This procedure does not apply to the port-forwarding Java applet. The Port Forward (PF) binary file is signed by a Cisco certificate and can only be updated by Cisco; a customized signing certificate for PF is not supported.


Procedure

 

Perform one of the following procedures to update the code signing certificate on the ASA:

  • Using the ASA to generate the certificate signing request and key (the most common option)
  • Importing an existing code signing certificate with a key pair

 

Using the ASA to generate the certificate signing request and key

To generate the certificate signing request and key using manual enrollment (also called terminal enrollment) on the ASA, follow these steps:

1. Generate a Certificate Signing Request (CSR).

For example:

hostname(config)# crypto key generate rsa label CodeSigner
INFO: The name for the keys will be: CodeSigner
Keypair generation process begin. Please wait...
hostname(config)# crypto ca trustpoint CodeSigner
hostname(config-ca-trustpoint)# enrollment terminal
hostname(config-ca-trustpoint)# subject-name CN=ASA-Code-Signer,O=Companyname
hostname(config-ca-trustpoint)# keypair CodeSigner
hostname(config-ca-trustpoint)# id-usage code-signer

2. Enroll it with either an internal or external CA.

For example:

hostname(config-ca-trustpoint)# crypto ca enroll CodeSigner
% Start certificate enrollment .. 
% The subject name in the certificate will be: CN=ASA-Code-Signer,O=Companyname
% The fully-qualified domain name in the certificate will be: hostname.domain.com
% Include the device serial number in the subject name? [yes/no]: n
Display Certificate Request to terminal? [yes/no]: y
Certificate Request follows:
-----BEGIN CERTIFICATE REQUEST-----
-----END CERTIFICATE REQUEST-----
Redisplay enrollment request? [yes/no]: n

3. Submit the certificate request to a CA.

4. Once the CA issues the certificate, import it using the following command:

hostname(config)# crypto ca import CodeSigner certificate
% The fully-qualified domain name in the certificate will be: wb5540-FO.frqa.cisco.com
Enter the base 64 encoded certificate.
End with the word "quit" on a line by itself
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
quit
INFO: Certificate successfully imported
hostname(config)# crypto ca authenticate CodeSigner
Enter the base 64 encoded CA certificate.
End with the word "quit" on a line by itself
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
quit
INFO: Certificate has the following attributes:
Fingerprint:     359ff10c 4449e182 045d9133 d64378ac 
Do you accept this certificate? [yes/no]: yes
Trustpoint CA certificate accepted.
% Certificate successfully imported

5. Configure the new trustpoint for signing Clientless SSL Java objects.

For example,

hostname(config)# webvpn
hostname(config-webvpn)# java-trustpoint CodeSigner
hostname(config-webvpn)# write memory

Importing an existing code signing certificate with a key pair

If you got a code signing certificate online using a web form with a third-party vendor such as Verisign or Entrust, or an internal CA, import it as follows:

1. Export the certificate to a PKCS12 file (with a private key).

2. Go to step 3 if the code signing certificate and key are already in PEM format. Otherwise, convert the file to PEM (base64) format with either of the following tools; each is shown as the command syntax followed by an example:

OpenSSL syntax:

openssl base64 -in name-of-DER-file.extension -out same-name.pem

Example:

openssl base64 -in ie-export.pfx -out ie-export.pem

certutil (Windows) syntax:

certutil -encode name-of-DER-file.extension same-name.pem

Example:

certutil -encode ie-export.pfx ie-export.pem

This step is required in particular when the file was exported with Internet Explorer.

3. Enter the following command to import the file into the ASA.

crypto ca import trustpoint-name pkcs12 passphrase

For example:

hostname(config)# crypto ca import CodeSigner pkcs12 Wh0zits
Enter the base 64 encoded pkcs12.
End with the word "quit" on a line by itself:
-----BEGIN PKCS12-----
-----END PKCS12-----
quit
INFO: Import PKCS12 operation completed successfully

4. Enter the following commands to designate the trustpoint as a code-signer:

crypto ca trustpoint trustpoint-name
id-usage code-signer

For example,

hostname(config)# crypto ca trustpoint CodeSigner
hostname(config-ca-trustpoint)# id-usage code-signer

5. Go to webvpn mode.

webvpn

6. Enter the following command to configure the new trustpoint for signing Clientless SSL Java objects:

java-trustpoint trustpoint-name

For example,

hostname(config)# webvpn
hostname(config-webvpn)# java-trustpoint CodeSigner

7. Save the configuration changes.

write memory
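Step 4 binds the trustpoint to code signing, which only helps when the certificate the CA issued actually carries the Code Signing extended key usage (id-kp-codeSigning, OID 1.3.6.1.5.5.7.3.3) that a code signing certificate is expected to have. The following standard-library Python script is an added example, not Cisco's code: it reads the EKU list straight out of a DER certificate so a PEM can be checked before it is pasted into crypto ca import. It assumes the input is a DER-encoded X.509 certificate or the PEM text the CA returned; sample_cert builds a constructed, unsigned stand-in purely for testing.

```python
import base64
EKU_OID = "2.5.29.37"               # id-ce-extKeyUsage
CODE_SIGNING = "1.3.6.1.5.5.7.3.3"  # id-kp-codeSigning

def load_der(pem_text):                                # PEM text (as pasted at the ASA prompt) -> DER bytes
    return base64.b64decode("".join(l for l in pem_text.splitlines() if not l.startswith("-----")))
def _tlv(buf, pos):                                    # one DER tag/length header -> (tag, start, end)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length
def _children(buf, start, end):                        # (tag, start, end) of each TLV in buf[start:end]
    while start < end:
        tag, vs, ve = _tlv(buf, start)
        yield tag, vs, ve
        start = ve
def _oid(value):                                       # OID content octets -> dotted form
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80: arcs, acc = arcs + [acc], 0
    return ".".join(map(str, arcs))
def extended_key_usages(buf):
    """EKU OIDs of a DER certificate; [] if the extension is absent."""
    stack = [(0, len(buf))]
    while stack:
        for tag, vs, ve in _children(buf, *stack.pop()):
            if not tag & 0x20:                         # primitive: nothing to descend into
                continue
            kids = list(_children(buf, vs, ve))
            # Extension ::= SEQUENCE { extnID OID, critical BOOLEAN OPTIONAL, extnValue OCTET STRING }
            if kids and kids[0][0] == 0x06 and _oid(buf[kids[0][1]:kids[0][2]]) == EKU_OID:
                _, ivs, ive = _tlv(buf, kids[-1][1])   # extnValue wraps SEQUENCE OF KeyPurposeId
                return [_oid(buf[a:b]) for _, a, b in _children(buf, ivs, ive)]
            stack.append((vs, ve))
    return []
def is_code_signing_cert(cert):                        # cert: PEM text or DER bytes; run before `crypto ca import`
    der = load_der(cert) if isinstance(cert, str) else cert
    return CODE_SIGNING in extended_key_usages(der)

def _enc(tag, body):                                   # short-form DER TLV (sample builder only)
    return bytes([tag, len(body)]) + body
def _oid_enc(dotted):                                  # arcs < 128 suffice for these OIDs
    a = [int(x) for x in dotted.split(".")]
    return _enc(0x06, bytes([a[0] * 40 + a[1]] + a[2:]))
def sample_cert(ekus):                                 # constructed, unsigned stand-in with the real [3] Extensions layout
    eku = _enc(0x30, _oid_enc(EKU_OID) + _enc(0x04, _enc(0x30, b"".join(map(_oid_enc, ekus)))))
    bc = _enc(0x30, _oid_enc("2.5.29.19") + _enc(0x01, b"\xff") + _enc(0x04, _enc(0x30, b"")))
    return _enc(0x30, _enc(0x30, _enc(0x02, b"\x01") + _enc(0xA3, _enc(0x30, bc + eku))))
```

A certificate that also lists id-kp-serverAuth (1.3.6.1.5.5.7.3.1), like the dual-purpose identity certificate described in the comments, passes the check as long as id-kp-codeSigning is present too.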


Comments
Rising star

I have followed this guide to the letter but can't quite get it to work....

I already have an Identity Certificate on the ASA issued via SCEP from an MS 2003 Enterprise CA.  The 'IPSec (Offline request)' certificate template has been updated to include 'Server Authentication', 'IP Security IKE intermediate' and 'Code Signing' as Application Policies so I thought I could just use this identity certificate for Code-Signing as well.  However it doesn't work and I get the message:

ciscoasa(config-webvpn)# java-trustpoint cert-auth
ERROR: trust-point <cert-auth> id-usage is not permitted for code signer.

So I followed this guide and requested a 'Code-Signing' certificate. Everything appeared as in the guide; however, I see this:

Certificate
  Subject Name:
    Name: ciscoasa.somedomain.local

  Status: Pending terminal enrollment
  Key Usage: General Purpose
  Fingerprint:  5dd9162d d48863d1 9d25861e 7206e749
  Associated Trustpoint: CodeSigner
ciscoasa#

When I requested a certificate via SCEP the certificate was 'pending' until it was issued from the CA.  In this case I have imported the CA certificate and the code-signing Identity certificate so I am not sure what I am missing?

Community Member

Just wanted to add that if you already have an Identity Certificate configured, you can use it as your Code Signer also. I followed the steps below (ver 8.4(3)) and the cert warning message we were getting when deploying the AnyConnect Client went away:

  • Navigate to Configuration > Remote Access VPN > Certificate Management > Identity Certificates.
  • Highlight the existing cert and click the Export button.
  • Type a name, an encryption passphrase, and save the cert in PKCS12 format to your desktop.
  • Navigate to Configuration > Remote Access VPN > Certificate Management > Code Signer.
  • Click the Import button.
  • Type a name (CodeSigner), the passphrase you used above, and select the cert you exported above. Click the Import Cert button.
  • Apply, Save