on 09-02-2016 03:07 PM
Hi all,
I've found that the documentation for this is not very user friendly, and you might have this issue if you cannot configure an ASA using ASDM.
I've found a lot of posts about Java issues with ASDM. One of the workarounds is to use a trusted identity certificate on the ASA. You might not want to purchase a public SSL certificate, so I offer an alternative that does it with a private one.
I will assume that you have already created an internal certificate and that you also have your internal root certificate.
The internal server certificate + key is in .PFX (PKCS12) format, encrypted with a password, and your root certificate is a plain SSL certificate, not encrypted, in base64 (PEM) format.
The issue is that the ASA expects to import the server certificate in PKCS12 (.p12) format encoded in base64.
You just need to take your .pfx file and encode it in base64 with the following command:
# openssl base64 -in xxxxx.pfx > xxxxx.base64
Then you need to open the file and add the PKCS12 header and footer; just copy and paste them without leaving any space.
-----BEGIN PKCS12-----
-----END PKCS12-----
The end result would be like this:
-----BEGIN PKCS12-----
yH54bCdLWTlWGhXnPC9pGpL9aXGgsmQV/odoxbEa+fZiDpLL+ZRrN2Up7onCC53l
4Qoh76ju/j9vMlRIE5bAUvMqsCl50CP//C50IuSTvBWyN1/M0RclwK4D7wtwGWfz
.................
.................
m3MylWIXt83bP45nzCqmMKc1aiOVbdQQo8M7MSUwIwYJKoZIhvcNAQkVMRYEFDLo
hsQ3m0hoYwLODqBXBpfpM7mWMDEwITAJBgUrDgMCGgUABBR1pxMEpEZwWkvnJauW
9UvnuP403wQIyRcfzvL8incCAggA
-----END PKCS12-----
Now you have your certificate ready for importing into the ASA. Execute:
crypto ca import [the trustpoint name you want] pkcs12 [pkcs12 password]
My example:
ASA(config)# crypto ca import BRATO pkcs12 1234567890
Enter the base 64 encoded pkcs12.
End with the word "quit" on a line by itself:
-----BEGIN PKCS12-----
MIIGDjCCA/agAwIBAgIQNoJef7WkgZN+9tFza7k8pjANBgkqhkiG9w0BAQwFADCB
....
....
MIIGDjCCA/agAwIBAgIQNoJef7WkgZN+9tFza7k8pjANBgkqhkiG9w0BAQwFADCB
-----END PKCS12-----
quit
INFO: Import PKCS12 operation completed successfully
Verify that the trustpoint was created:
ASA(config)# show crypto ca trustpoints BRATO
Trustpoint BRATO:
Not authenticated.
Verify that the key was created:
ASA(config)# show crypto key mypubkey rsa | b BRATO
Key name: BRATO
Usage: General Purpose Key
Modulus Size (bits): 1024
Key Data:
The last step is to add the root and the intermediate certificates to the chain. That is why you have a NOT AUTHENTICATED trustpoint.
You need to encode your certificate chain in base64 again. Remember that you need to form the chain in the issuing order:
CERT INTERMEDIATE
CERT ROOT1
CERT ROOT2
CERT ETC.
You will end up with something like this:
-----BEGIN CERTIFICATE-----
MIIGDjCCA/agAwIBAgIQNoJef7WkgZN+9tFza7k8pjANBgkqhkiG9w0BAQwFADCB
....
....
MIIGDjCCA/agAwIBAgIQNoJef7WkgZN+9tFza7k8pjANBgkqhkiG9w0BAQwFADCB
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIGDjCCA/agAwIBAgIQNoJef7WkgZN+9tFza7k8pjANBgkqhkiG9w0BAQwFADCB
....
....
MIIGDjCCA/agAwIBAgIQNoJef7WkgZN+9tFza7k8pjANBgkqhkiG9w0BAQwFADCB
-----END CERTIFICATE-----
Execute:
crypto ca trustpoint BRATO
enrollment terminal
exit
crypto ca authenticate BRATO
Enter the base 64 encoded CA certificate.
End with the word "quit" on a line by itself
MIIGDjCCA/agAwIBAgIQNoJef7WkgZN+9tFza7k8pjANBgkqhkiG9w0BAQwFADCB
....
....
MIIGDjCCA/agAwIBAgIQNoJef7WkgZN+9tFza7k8pjANBgkqhkiG9w0BAQwFADCB
Certificate has the following attributes:
Fingerprint: xxxxxxx xxxxxxxx xxxxxxx xxxxx
% Do you accept this certificate? [yes/no]: yes
Trustpoint CA certificate accepted.
% Certificate successfully imported
ASA(config)# show crypto ca trustpoints BRATO
Trustpoint BRATO:
Subject Name:
cn=brato-DC-CA
dc=brato
dc=local
Serial Number: gglfshlkahfklsahflkhaslkf
Certificate configured.
Hello,
I'm trying to import the SSL certificate from one ASA5510 to another ASA5510.
They are both running the same running-config.
I've exported the SSL certificate from the running ASA, downloaded the root and intermediate certificates, installed them in order, then imported the SSL certificate to the ASA, and all seems to be OK. But the trustpoint for the SSL certificate is not authenticated.
I've tried to authenticate that trustpoint by following your directions, but I think I'm missing something there, since it is not taking it.
I'm not an expert in that.
Would it be possible to post more explanatory steps with command examples?
Or maybe you can point out what I am doing wrong?
I would really appreciate it.
I'm lost after this:
"The last step is to add the root and the intermediate certificates to the chain. That is why you have a NOT AUTHENTICATED trustpoint.
You need to encode your certificate chain in base64 again. Remember that you need to form the chain in the issuing order:
CERT INTERMEDIATE
CERT ROOT1
CERT ROOT2
CERT ETC.
You will end up with something like this:........"
Thank you.
Hi,
PRTG is sending a few alarms on several ASA5516 firewalls.
These are SSL certificate alarms.
When I execute sh run, I don't see the line
no ssl trust-point <My_trustpoint>
Any clue?