Right, your discribing is absolutely correct!

I have chain of three .crt certificate generated by SSL service provider including usertrust, domaintrust and wildcard, without any rsa or privat key, but I do not know the way of genereating CSR.

Nevertheless, on ASA device available RSA keypair for previous trustpoint ASDM_Trustpoint8. As I understood, I have an issue exact with privat_key missing.

If you check link I share you see the way to use openssl to generate csr 

MHM

Got it, thank you!

You are so so welcome 

MHM

Just to clarify this a bit more. You can import a root CA and an intermediate CA certs on the ASA without generating any CSR because generating the CSR for those is not required. However, if you want to import an identity certificate to the ASA like the one that you will be using for the VPN, then generating the CSR would be required.

Now the CSR could be generated on the ASA itself simply because it is supported, or it could be generated out of the box, usually we generate it out of the box when the the device does not support generating the CSR.

Assuming that the CSR is generated on the ASA, once you have the CSR generated it you hand it over to the certificates team to issue the identity cert, and then once they share the identity cert with you you import it to the ASA. On the other side if you generate the CSR out of the box, then you need to import the private key that was associated with the CSR alongside the identity certificate.

Please notice that on the last screenshot you shared it shows that the VPN certificates used on the ASA are associated to two different trust points and probably each trust point has a different RSA keypair associated. This leads me to think that maybe this VPN certificate was "renewed" simply by going through the same process as a new certificate without relying on any previous data such as a keypair and not even using the same CSR.

Please try to follow these steps and see if it works:

1) Create a new RSA keypair:
crypto key generate rsa label < any name > modulus 2048

2) Create a new trust point:
crypto ca trustpoint < any name >
   subject-name
      cn=< value >,o=< value >,ou=< value >,st=< value >,c=< value > (you can take these values from the current cert)
   keypair < reference the keypair name you created in step 1 >
   fqdn < your VPN portal FQDN, you can use wildcard here if you want >
   enrollment terminal

3) Generate the CSR:
crypto ca enroll < reference the trust point name you created in step 2 >
Confirm that you want to continue
Respond no to the serial number question
Respond yes to the Display Certificate Request to the terminal

At this point you should see the CSR on the terminal. Copy that and save it in a text file and hand it over to the certificates team to issue the identity certificate, I would ask them to provide it in PEM format.

Once you get the new cert open it with a text editor and go back to the ASA CLI and issue the command "crypto ca authenticate < reference the trust point name you created in step 2 >" then copy the cert from the text editor and paste it to the ASA terminal and type "quit" on the next line after "---END CERTIFICATE---.

Finally you need to switch the outside interface to the new trust point, you can do that with the command "ssl trust-point < reference the trust point name you created in step 2 > outside". I assumed the outside interface is called "outside". If it's called with a different name then please use that.

https://www.tunnelsup.com/adding-a-wildcard-ssl-certificate-to-a-cisco-asa/

check this how you can add wildcard cert in ASA 

MHM

Ок, got it, thanks..

I think this is the issue, I do not have a private key, all I received from the cert-team is an archive with certificates but not a private key, can they get it by contacting the service that issued the certificate or can I generate it based on existing certificates?

it sounds like you're facing a common issue when trying to install a certificate on a Cisco ASA that wasn't originally generated on that device. as mentioned by @Aref Alsouqi  her are some guidance from me:

-You have a chain of certificates issued by a third-party provider, including a wildcard certificate for your domain.

-You don't have the private key associated with these certificates.

-The ASA is giving errors when you try to import the certificates, likely because it doesn't have the matching private key.

To resolve this, you have a few options:

1. Generate a new CSR on the ASA:
   This is the recommended approach. You'll need to:

• Create a new RSA key pair on the ASA
• Generate a CSR using this key pair
• Submit the CSR to your certificate authority to get a new certificate
• Install the new certificate on the ASA

1. Obtain the private key:
   If the certificate was generated outside the ASA, you need to obtain the private key that was used to create the CSR. The certificate team or whoever originally requested the certificate should have this. Without the private key, you cannot use this certificate on the ASA.
2. Use PKCS12 format:
   If you can get a PKCS12 (.pfx or .p12) file that includes both the certificate and the private key, you can import this directly into the ASA.

Given your situation, here's what I recommend:

1. Contact your certificate team and ask if they have the private key associated with the wildcard certificate.
2. If they don't have the private key, you'll need to generate a new CSR on the ASA and request a new certificate.
3. To generate a new CSR on the ASA, follow these steps:

   crypto key generate rsa label VPN-KEY modulus 2048
   
   crypto ca trustpoint VPN-TRUSTPOINT
     enrollment terminal
     subject-name CN=*.yourdomain.com
     keypair VPN-KEY
   
   crypto ca enroll VPN-TRUSTPOINT
   

    Follow the prompts, and at the end you'll get the CSR text. Send this to your certificate authority to get a new certificate.

4. Once you have the new certificate, you can install it using:

   crypto ca authenticate VPN-TRUSTPOINT
   (Paste the CA certificate here)
   
   crypto ca import VPN-TRUSTPOINT certificate
   (Paste the new certificate here)
   

5. Finally, apply the new certificate to your VPN interface

   ssl trust-point VPN-TRUSTPOINT outside
   ​

   Remember, you cannot use a certificate on the ASA without its corresponding private key. If you can't get the private key for your existing certificates, generating a new CSR and certificate is your best option. Hope this helps you.

You're welcome. The private key would be owned by the team who generated the CSR of this certificate. It could be stored securely at somewhere from the previous renewal, someone must have it. This wildcard cert would also be installed somewhere else in your company right? I would ask the other teams in the business and see if they could export the private key from somewhere. Alternatively ask the certificate provider to send it to you in a PKCS12 file, that file will then include the certificate itself, root CA, sub CA if used and the private key. Once you have the PKCS12 file you can just import to the ASA.