This document describes the method to install certificates for WebVPN on ASA 8.4.3 using Linux (Ubuntu).
The user had spent a lot of time trying to install his company's wildcard certificate on the ASA for use with AnyConnect, but kept failing.
From his webserver he retrieved DigiCertCA.crt, star.mycompany.com_cert.pem and star.mycompany.com_key.pem. The certificate is a wildcard certificate for mycompany.com.
The DigiCertCA.crt file is the certificate called "DigiCert High Assurance CA-3" on the website https://www.digicert.com/digicert-root-certificates.htm, with serial "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx".
On the ASA he finds that he has no trustpoint present. The commands: "sh crypto ca certificates" and "sh crypto ca trustpoints" yield no output.
The user has to create a PKCS12 container which includes the certificate, key and CA.
cat DigiCertHighAssuranceEVRootCA.pem DigiCertCA.crt > root.crt
openssl pkcs12 -export -in star.mycompany.com_cert.pem -inkey star.mycompany.com_key.pem -certfile root.crt -out bundle.p12
Enter Export Password: secret
Verifying - Enter Export Password: secret
cat bundle.p12 | base64
On the ASA:
ASA(config)# crypto ca import star.mycompany.com pkcs12 secret
Enter the base 64 encoded pkcs12.
End with the word "quit" on a line by itself:
# BASE64 OUTPUT OF bundle.p12 #
% The CA cert is not self-signed.
% Do you also want to create trustpoints for CAs higher in
% the hierarchy? [yes/no]: yes
INFO: Import PKCS12 operation completed successfully
ssl trust-point star.mycompany.com outside
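An added example, not part of the original document: a pre-flight check for the Linux side of the procedure above. It confirms that the private key belongs to the certificate and that the certificate chains to root.crt before building the bundle, then reopens the bundle with the export password. check_bundle, make_demo and the P12_PASS variable are assumed names; make_demo only generates constructed throwaway files for trying it out.

```shell
#!/bin/sh
# Pre-flight checks before pasting the base64 PKCS12 into the ASA.
# check_bundle and make_demo are hypothetical helpers, not from the page.
# The export password is read from the P12_PASS environment variable so it
# does not appear on the openssl command line.

# check_bundle CERT KEY CAFILE OUT -> 0 if the bundle was built and verified
check_bundle() {
    cert=$1 key=$2 cafile=$3 out=$4
    [ -n "$P12_PASS" ] || { echo "export P12_PASS first" >&2; return 1; }
    # 1. The private key must belong to the certificate (compare public keys).
    a=$(openssl x509 -in "$cert" -noout -pubkey) || return 1
    b=$(openssl pkey -in "$key" -pubout) || return 1
    [ "$a" = "$b" ] || { echo "key does not match certificate" >&2; return 2; }
    # 2. The certificate must chain to the CA file that goes into the bundle.
    openssl verify -CAfile "$cafile" "$cert" >/dev/null 2>&1 ||
        { echo "certificate does not chain to $cafile" >&2; return 3; }
    # 3. Build the container as on the page, then prove it opens again.
    openssl pkcs12 -export -in "$cert" -inkey "$key" -certfile "$cafile" \
        -out "$out" -passout env:P12_PASS || return 4
    openssl pkcs12 -in "$out" -passin env:P12_PASS -noout 2>/dev/null || return 5
}

# make_demo DIR: constructed throwaway CA, wildcard cert and an unrelated key
make_demo() {
    d=$1; mkdir -p "$d" || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo CA" \
        -keyout "$d/ca.key" -out "$d/root.crt" 2>/dev/null || return 1
    openssl req -newkey rsa:2048 -nodes -subj "/CN=*.example.test" \
        -keyout "$d/cert.key" -out "$d/cert.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$d/cert.csr" -CA "$d/root.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -out "$d/cert.pem" 2>/dev/null || return 1
    openssl genrsa -out "$d/other.key" 2048 2>/dev/null
}

# Usage with the page's file names, after exporting P12_PASS:
#   check_bundle star.mycompany.com_cert.pem star.mycompany.com_key.pem \
#       root.crt bundle.p12
```

A return code of 2 or 3 means the inputs are inconsistent and no bundle was written, which points at the files rather than at the ASA import.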
ASA 8.4.3 Install Certificate for webvpn without CSR