Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
26273
Views
5
Helpful
17
Replies

Using own certificate on ASA for SSLVPN

Go to solution
tholmes
Level 1
Level 1

‎12-05-2010 04:44 PM

Hello,

I've searched the forum for a definative answer to this question but I'm afraid I can't find one, can someone plase help

I've a customer's ASA to which I've set up Client SSLVPN and Clientless SSLVPN.

The customer has his own certificate which he'd like to use to stop that annoying 'problem with websites security certificate' message.

The problem is that his certificate wasn't issued as a result of the ASA's CSR

Is it possible to do this and if so how please.

I told him the ASA needs to generate a CSR which is then sent to Versign (for example) who then send back a cert to add to the ASA.

But he's seen the link below...

http://http://www.cisco.com/en/US/docs/security/asa/asa80/release/notes/asarn80.html#wp242704

I think this relates to Java and I'm not sure what step 1. is refering to:

Step 1. Export the certificate with PKCS12 file (with a private key) ????

Any help would be greatly appreciated

Regards Tony

Labels:
0 Helpful
17 Replies 17

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame
In response to hooman.vejdani@cubic.com

‎08-01-2021 05:20 AM

hooman.vejdani@cubic.com the CA will never be able to send you the private key. Otherwise it wouldn't be private at all!

You need to obtain the private key from the system used to generate the CSR and combine it with the issued certificate from the CA into a PKCS#12 (*.p12) file. That p12 file (along with the GoDaddy bundle if it's not already there) can then be installed on your ASA.

Go to solution
hooman.vejdani@cubic.com
Level 1
Level 1
In response to Marvin Rhoads

‎08-02-2021 05:34 AM

Hi Marvin,

 

Thanks for your response and your help on this, I really appreciate it. I will do as per your advice. The change request related to this activity will be scheduled later this week. 

 

Regards,

Hooman

 

0 Helpful

Go to solution
mb0587
Level 1
Level 1

‎09-02-2016 02:48 PM

Hi, I had this same issue and after a lot of investigation I've made it work.

The issue is that the ASA expects to have the certificate in pkcs(.p12) format encoded with base64

you just need to take your .pfx file and encode in base64 with the following command

#openssl base64 -in xxxxx.pfx > xxxxx.base64

Then you need to open the file and add the PKCS Header and footer just copy and paste it without leaving any space.

-----BEGIN PKCS12-----
-----END PKCS12-----


The end result would be like this:

-----BEGIN PKCS12-----
yH54bCdLWTlWGhXnPC9pGpL9aXGgsmQV/odoxbEa+fZiDpLL+ZRrN2Up7onCC53l
4Qoh76ju/j9vMlRIE5bAUvMqsCl50CP//C50IuSTvBWyN1/M0RclwK4D7wtwGWfz
.................
.................
m3MylWIXt83bP45nzCqmMKc1aiOVbdQQo8M7MSUwIwYJKoZIhvcNAQkVMRYEFDLo
hsQ3m0hoYwLODqBXBpfpM7mWMDEwITAJBgUrDgMCGgUABBR1pxMEpEZwWkvnJauW
9UvnuP403wQIyRcfzvL8incCAggA
-----END PKCS12-----

Now you have your certificate ready for importing it into the ASA. Execute:

crypto ca certificate [your truspoint name you want] pkcs12 [pkcs12 password]

My example

ASA(config)# crypto ca certificate wildcard.brato.local pkcs12 1234567890
Enter the base 64 encoded pkcs12.
End with the word "quit" on a line by itself:

-----BEGIN PKCS12-----
MIIGDjCCA/agAwIBAgIQNoJef7WkgZN+9tFza7k8pjANBgkqhkiG9w0BAQwFADCB
....
....
MIIGDjCCA/agAwIBAgIQNoJef7WkgZN+9tFza7k8pjANBgkqhkiG9w0BAQwFADCB
-----END PKCS12-----
quit

INFO: Import PKCS12 operation completed successfully

Verify that the truspoint was created:
ASA(config)# show crypto ca trustpoints BRATO

Trustpoint BRATO:
Not authenticated.


Verify that the key was created:
ASA(config)# show crypto key mypubkey rsa | b BRATO
Key name: BRATO
Usage: General Purpose Key
Modulus Size (bits): 1024
Key Data:

The last step is to add the root and the intermediate certifcates to the chain. That is why you have a NOT AUTHENTICATED truspoint.
You need to encode your certificates chain with base64 again. Remember that on the certificate chain you need to form the chain in the issuing order:

CERT INTERMEDIATE
CERT ROOT1
CERT ROOT2
CERT ETC.

you will end with something like this:


-----BEGIN CERTIFICATE-----
MIIGDjCCA/agAwIBAgIQNoJef7WkgZN+9tFza7k8pjANBgkqhkiG9w0BAQwFADCB
....
....
MIIGDjCCA/agAwIBAgIQNoJef7WkgZN+9tFza7k8pjANBgkqhkiG9w0BAQwFADCB
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIGDjCCA/agAwIBAgIQNoJef7WkgZN+9tFza7k8pjANBgkqhkiG9w0BAQwFADCB
....
....
MIIGDjCCA/agAwIBAgIQNoJef7WkgZN+9tFza7k8pjANBgkqhkiG9w0BAQwFADCB
-----END CERTIFICATE-----

Execute:

crypto ca truspoint BRATO
enrollment terminal
exit
crypto ca authenticate BRATO
Enter the base 64 encoded CA certificate.
End with the word "quit" on a line by itself


MIIGDjCCA/agAwIBAgIQNoJef7WkgZN+9tFza7k8pjANBgkqhkiG9w0BAQwFADCB
....
....
MIIGDjCCA/agAwIBAgIQNoJef7WkgZN+9tFza7k8pjANBgkqhkiG9w0BAQwFADCB

Certificate has the following attributes:
Fingerprint: xxxxxxx xxxxxxxx xxxxxxx xxxxx
% Do you accept this certificate? [yes/no]: yes
Trustpoint CA certificate accepted.
% Certificate successfully imported


ASA(config)# show crypto ca trustpoint BRATO
Trustpoint BRATO:
Subject Name:
cn=brato-DC-CA
dc=brato
dc=local
Serial Number: gglfshlkahfklsahflkhaslkf
Certificate configured.

0 Helpful
Customers Also Viewed These Support Documents