cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
604
Views
2
Helpful
2
Replies

Install an identity certificate on the ASA

RexPr
Level 1
Level 1

I need to import a new certificate in Cisco ASA, as already done in the past years. I have the new one from Actalis, the CSR request was created with openssl req -new -newkey rsa:2048 -nodes -keyout star.domain.it.key -out star.domain.it.csr command (not from ASA). The receive certificate star.domain.it.cer also contains the intermediate certificate.
It's a star certificate (*.domain.it) used successfully on other applications.
The cer certificate has been transformed to pkc12 using the command openssl pkcs12 -export -out star.domanin.it.pfx -inkey star.domain.it.key -in star.domain.it.cer, of course with a passphrase.
As usual i have installed the new certificate using ASDM interface, but I have the following error: ERROR: import PKC12 operation failed.

I need help to solve this issue. Thanks.

Fabrizio www.rfc.it
1 Accepted Solution

Accepted Solutions

RexPr
Level 1
Level 1

Problem solved with Cisco support.
Not clear to me what happened. I sent the pkcs12 certificate to support, they returned me a working one. They say only that the certificate was loaded in their test environment and then exported to make a new one.
I wish I had more details, but that's all I was told.

Fabrizio www.rfc.it

View solution in original post

2 Replies 2

tvotna
Spotlight
Spotlight

In general, ASDM should be able to install DER files... You can try to convert it to PEM and install from CLI:

openssl base64 -in star.domain.it.pfx -out star.domain.it.p12
crypto ca import <new-trustpoint> pkcs12 <password>

If it fails, syslog or "debug crypto ca 14" might explain what it doesn't like.

 

RexPr
Level 1
Level 1

Problem solved with Cisco support.
Not clear to me what happened. I sent the pkcs12 certificate to support, they returned me a working one. They say only that the certificate was loaded in their test environment and then exported to make a new one.
I wish I had more details, but that's all I was told.

Fabrizio www.rfc.it