Anim Saxena

 

Introduction:

This document describes how to install certificates for WebVPN on ASA 8.4.3 using Linux (Ubuntu).

 

Problem:

The user has spent a lot of time trying to install his company's wildcard certificate on the ASA for use with AnyConnect, but has failed repeatedly.

 

From his webserver he retrieved DigiCertCA.crt, star.mycompany.com_cert.pem and star.mycompany.com_key.pem. The certificate is a wildcard certificate for mycompany.com.

 

The DigiCertCA.crt file is the certificate called "DigiCert High Assurance CA-3" on the website https://www.digicert.com/digicert-root-certificates.htm, with serial "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx".

 

On the ASA he finds that he has no trustpoint present. The commands: "sh crypto ca certificates" and "sh crypto ca trustpoints" yield no output.

 


 

 

Solution:

 

The user has to create a PKCS12 container that includes the certificate, the key and the CA certificates.

 

On Linux (Ubuntu):

 

cat DigiCertHighAssuranceEVRootCA.pem DigiCertCA.crt > root.crt

openssl pkcs12 -export -in star.mycompany.com_cert.pem -inkey star.mycompany.com_key.pem -certfile root.crt -out bundle.p12

 

Enter Export Password: secret

Verifying - Enter Export Password: secret

 

cat bundle.p12 | base64

 

On the ASA:

 

ASA(config)# crypto ca import star.mycompany.com pkcs12 secret

Enter the base 64 encoded pkcs12.

End with the word "quit" on a line by itself:

# BASE64 OUTPUT OF bundle.p12 #

quit

% The CA cert is not self-signed.

 

% Do you also want to create trustpoints for CAs higher in

 

% the hierarchy? [yes/no]: yes

 

INFO: Import PKCS12 operation completed successfully

 

ssl trust-point star.mycompany.com outside
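
Before the base64 text is pasted into the ASA, it is worth confirming on the Linux side that the private key belongs to the certificate and that root.crt really completes the chain. The script below is an added example, not part of the original document; the function names, the P12_PASS variable and the throwaway demo PKI it generates are assumptions made for illustration.

```sh
# Added example; the demo PKI and all file names under $tmp are constructed.
# check_and_bundle CERT KEY CAFILE OUT   (export password is read from $P12_PASS)
check_and_bundle() {
  local cert="$1" key="$2" cafile="$3" out="$4" a b
  # 1. The private key must belong to the certificate: compare public keys.
  a=$(openssl x509 -in "$cert" -noout -pubkey) || return 1
  b=$(openssl pkey -in "$key" -pubout) || return 1
  [ "$a" = "$b" ] || { echo "key does not match certificate" >&2; return 2; }
  # 2. The certificate must chain to the CA file (root + intermediate).
  openssl verify -CAfile "$cafile" "$cert" >/dev/null 2>&1 \
    || { echo "chain does not verify against $cafile" >&2; return 3; }
  # 3. Build the container; env: keeps the password out of the process list.
  openssl pkcs12 -export -in "$cert" -inkey "$key" -certfile "$cafile" \
    -out "$out" -passout env:P12_PASS || return 4
}

# p12_cert_count FILE: number of certificates stored in the container.
p12_cert_count() {
  openssl pkcs12 -in "$1" -passin env:P12_PASS -nokeys 2>/dev/null \
    | grep -c 'BEGIN CERTIFICATE'
}

# make_demo_pki DIR: throwaway root, intermediate and leaf for a dry run.
make_demo_pki() {
  local d="$1" n
  printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext"
  for n in root int leaf other; do
    openssl req -newkey rsa:2048 -nodes -subj "/CN=demo-$n" \
      -keyout "$d/$n.key" -out "$d/$n.csr" 2>/dev/null
  done
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" \
    -extfile "$d/ca.ext" -days 2 -out "$d/root.pem" 2>/dev/null
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -CAcreateserial -extfile "$d/ca.ext" -days 2 -out "$d/int.pem" 2>/dev/null
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
    -CAcreateserial -days 2 -out "$d/leaf.pem" 2>/dev/null
  cat "$d/root.pem" "$d/int.pem" > "$d/root.crt"  # same concatenation as on the page
}

export P12_PASS=secret   # the page's example password; use a strong one in practice
tmp=$(mktemp -d) && make_demo_pki "$tmp"
check_and_bundle "$tmp/leaf.pem" "$tmp/leaf.key" "$tmp/root.crt" "$tmp/bundle.p12" \
  && echo "certificates in bundle: $(p12_cert_count "$tmp/bundle.p12")"
```

With the real files, call check_and_bundle star.mycompany.com_cert.pem star.mycompany.com_key.pem root.crt bundle.p12 and then base64-encode bundle.p12 as shown above.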

 

Source Discussion:

ASA 8.4.3 Install Certificate for webvpn without CSR
