Introduction:
This document describes how to install a certificate for WebVPN (AnyConnect) on an ASA running 8.4.3, building the PKCS12 bundle on Linux (Ubuntu).
Problem:
The user had spent a lot of time trying to install his company's wildcard certificate on the ASA for use with AnyConnect, but kept failing.
From his web server he retrieved DigiCertCA.crt, star.mycompany.com_cert.pem and star.mycompany.com_key.pem. The certificate is a wildcard certificate for mycompany.com.
The DigiCertCA.crt file is the intermediate certificate called "DigiCert High Assurance CA-3" listed on the website https://www.digicert.com/digicert-root-certificates.htm
with serial "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx".
On the ASA he finds that no trustpoint is present: the commands "sh crypto ca certificates" and "sh crypto ca trustpoints" yield no output.
Solution:
The user has to create a PKCS12 container that holds the certificate, the private key and the CA chain (intermediate and root), and import it into a single trustpoint. The export password chosen when building the container is the same password given later on the ASA import line.
On Linux (Ubuntu), with DigiCertHighAssuranceEVRootCA.pem being the "DigiCert High Assurance EV Root CA" downloaded from the DigiCert page above (the root that issued "DigiCert High Assurance CA-3"):
cat DigiCertHighAssuranceEVRootCA.pem DigiCertCA.crt > root.crt
openssl pkcs12 -export -in star.mycompany.com_cert.pem -inkey star.mycompany.com_key.pem -certfile root.crt -out bundle.p12
Enter Export Password: secret
Verifying - Enter Export Password: secret
cat bundle.p12 | base64
On the ASA (the password on the import line is the export password chosen above; the base64 text is pasted as-is and terminated by "quit" on its own line):
ASA(config)# crypto ca import star.mycompany.com pkcs12 secret
Enter the base 64 encoded pkcs12.
End with the word "quit" on a line by itself:
# BASE64 OUTPUT OF bundle.p12 #
quit
% The CA cert is not self-signed.
% Do you also want to create trustpoints for CAs higher in
% the hierarchy? [yes/no]: yes
INFO: Import PKCS12 operation completed successfully
ASA(config)# ssl trust-point star.mycompany.com outside
Answering "yes" lets the ASA create trustpoints for the intermediate and root CAs contained in the bundle, so the whole chain is present on the box; afterwards "sh crypto ca certificates" should list the identity certificate together with the CA certificates, and "ssl trust-point" binds the identity certificate to the outside interface used by AnyConnect.
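The procedure above, as an added shell example (not code from the original page or from Cisco). It goes a step beyond the page: before exporting it checks that the private key really belongs to the certificate and that the intermediate and root actually validate it, which are the two mistakes that most often make a PKCS12 import fail, and it pins the classic SHA1/3DES PKCS12 encryption because OpenSSL 3 now defaults to AES-256/PBKDF2, which old ASA releases may not parse. The file names, the password "secret" and the test CA hierarchy are assumptions for illustration.

```shell
#!/bin/sh
# Build a PKCS12 bundle (leaf cert + private key + issuing CA chain) for
# "crypto ca import <trustpoint> pkcs12 <password>" on an ASA.
# Added example; the file names below are assumptions, not from the page.

# Usage: build_asa_pkcs12 LEAF_CERT LEAF_KEY INTERMEDIATE_CA ROOT_CA OUT.p12 PASSWORD
build_asa_pkcs12() {
    leaf_cert=$1; leaf_key=$2; intermediate=$3; root=$4; out=$5; password=$6

    # 1. The key must be the one the certificate was issued for: compare the
    #    SubjectPublicKeyInfo taken from the certificate with the key's public half.
    cert_pub=$(openssl x509 -in "$leaf_cert" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$leaf_key" -pubout) || return 1
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "error: $leaf_key does not match $leaf_cert" >&2
        return 1
    fi

    # 2. The chain intermediate -> root must validate the leaf; a wrong or
    #    missing intermediate leaves the ASA with an incomplete chain.
    openssl verify -CAfile "$root" -untrusted "$intermediate" "$leaf_cert" >/dev/null || {
        echo "error: $leaf_cert does not chain to $root via $intermediate" >&2
        return 1
    }

    # 3. CA certificates go into one -certfile, as the page's "cat ... > root.crt" step does.
    chain="$out.chain.pem"
    cat "$intermediate" "$root" > "$chain"

    # 4. Export. OpenSSL 3 defaults to AES-256-CBC/PBKDF2 with a SHA-256 MAC for
    #    PKCS12; pin SHA1+3DES PBE and a SHA1 MAC, which is what OpenSSL 1.0.x
    #    on the Ubuntu of the page produced and what old ASA code expects.
    openssl pkcs12 -export -in "$leaf_cert" -inkey "$leaf_key" -certfile "$chain" \
        -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1 \
        -passout "pass:$password" -out "$out" || return 1
    rm -f "$chain"
}

# Read the bundle back with its password and count the certificates inside;
# expect leaf + intermediate + root = 3.
p12_cert_count() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys | grep -c 'BEGIN CERTIFICATE'
}

# Emit the bundle the way the ASA wants it pasted after
# "crypto ca import <trustpoint> pkcs12 <password>": base64 lines, then "quit".
p12_to_asa_paste() {
    openssl base64 -in "$1"
    echo quit
}
```

Run it as `build_asa_pkcs12 star.mycompany.com_cert.pem star.mycompany.com_key.pem DigiCertCA.crt DigiCertHighAssuranceEVRootCA.pem bundle.p12 secret && p12_to_asa_paste bundle.p12`, then paste the output into the ASA session and pass the same password on the import line. The two checks in steps 1 and 2 are cheap and catch the usual causes of a failed import before the ASA gets involved.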
Source Discussion:
ASA 8.4.3 Install Certificate for webvpn without CSR