Install an identity certificate on the ASA

RexPr
Level 1

I need to import a new certificate in Cisco ASA, as already done in the past years. I have the new one from Actalis; the CSR request was created with the openssl req -new -newkey rsa:2048 -nodes -keyout star.domain.it.key -out star.domain.it.csr command (not from ASA). The received certificate star.domain.it.cer also contains the intermediate certificate.
It's a star certificate (*.domain.it) used successfully on other applications.
The cer certificate has been transformed to pkcs12 using the command openssl pkcs12 -export -out star.domanin.it.pfx -inkey star.domain.it.key -in star.domain.it.cer, of course with a passphrase.
As usual I have installed the new certificate using the ASDM interface, but I get the following error: ERROR: import PKC12 operation failed.

I need help to solve this issue. Thanks.

Fabrizio www.rfc.it
Accepted Solution

RexPr
Level 1

Problem solved with Cisco support.
Not clear to me what happened. I sent the pkcs12 certificate to support, they returned me a working one. They say only that the certificate was loaded in their test environment and then exported to make a new one.
I wish I had more details, but that's all I was told.

Fabrizio www.rfc.it

3 Replies

tvotna
Spotlight

In general, ASDM should be able to install DER files... You can try to convert it to PEM and install from CLI:

openssl base64 -in star.domain.it.pfx -out star.domain.it.p12
crypto ca import <new-trustpoint> pkcs12 <password>

If it fails, syslog or "debug crypto ca 14" might explain what it doesn't like.
Matej612
Level 1

Hi,

I had the same problem and this is what I've found. Maybe it is not the same problem that you had, but it sounds like it is.

The problem is with the MAC (Message Authentication Code) in the certificate. SHA256 is a problem while SHA1 is not. This is solved in the newer ASA version.

You can see this with OpenSSL using the -info option. For example:

In this certificate you can see that the MAC is sha256, and this certificate gives an error:

[root@redhat tmp]# openssl pkcs12 -in example.crt.pfx -info -noout
MAC: sha256, Iteration 2048
MAC length: 32, salt length: 8
PKCS7 Encrypted data: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2048
Certificate bag
Certificate bag
PKCS7 Data
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2048

The same certificate, imported into Windows and then exported out again, has MAC sha1:

[root@redhat tmp]# openssl pkcs12 -in win_export.pfx -info -noout -passin pass:<password> -passout pass:<password>
MAC: sha1, Iteration 2000
MAC length: 20, salt length: 20
PKCS7 Data
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2000
PKCS7 Encrypted data: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2000

You can solve this in three ways.

1. In Windows, make an import and export. By default Windows will set SHA1, but you can choose SHA256 and, as I said, SHA256 will not work.

2. With openssl, convert the certificate to .pem and then back to .pfx or .p12, but with the option -legacy.

3. With openssl, convert the certificate to .pem and then back to .pfx or .p12, but define the MAC to be SHA1 with the option -macalg SHA1.
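The check and the third fix from the reply above, as an added example that is not part of this thread and not Cisco's or Actalis's code. It builds a throwaway self-signed certificate (constructed, CN star.example.invalid, constructed passphrase) and a PKCS#12 forced to an SHA-256 MAC, reads the MAC algorithm back the same way the openssl -info output above shows it, then re-exports the bundle with an SHA-1 MAC and pbeWithSHA1And3-KeyTripleDES-CBC key and certificate bags, the parameters visible in the Windows export above. It assumes the openssl CLI is on the PATH; -keypbe/-certpbe are used instead of -legacy so that OpenSSL 3 does not need its legacy provider loaded.

```shell
#!/bin/sh
# Added example, not from the thread: reproduce the SHA-256 PKCS#12 MAC
# that failed to import, inspect it, and re-export it with an SHA-1 MAC
# and 3DES bags (the form the Windows export in the post shows).
set -eu

WORK="$(mktemp -d)"
PASS="pass:example-passphrase"    # constructed demo passphrase only
trap 'rm -rf "$WORK"' EXIT

# Report the MAC digest a PKCS#12 file was built with ("sha1", "sha256", ...).
# openssl prints the -info report on stderr, so merge it into stdout first;
# the name is lower-cased because older builds print the short name.
pkcs12_mac_alg() {
    openssl pkcs12 -in "$1" -info -noout -passin "$PASS" 2>&1 \
        | sed -n 's/^MAC: *\([^,]*\),.*/\1/p' | head -n 1 | tr 'A-Z' 'a-z'
}

# Re-export a PKCS#12 with the older parameters: SHA-1 MAC and
# pbeWithSHA1And3-KeyTripleDES-CBC for both the key and certificate bags.
# -macalg/-keypbe/-certpbe are used instead of -legacy, so OpenSSL 3 does
# not need the legacy provider that -legacy's RC2 certificate bags require.
pkcs12_sha1_mac() {    # $1 = input .pfx, $2 = output .pfx
    openssl pkcs12 -in "$1" -passin "$PASS" -nodes -out "$WORK/bundle.pem"
    openssl pkcs12 -export -in "$WORK/bundle.pem" -out "$2" -passout "$PASS" \
        -macalg sha1 -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES
    rm -f "$WORK/bundle.pem"    # do not leave the unencrypted key bundle behind
}

# Constructed input: a self-signed key/cert and a PKCS#12 with an SHA-256 MAC.
make_demo_pkcs12() {    # $1 = output .pfx
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=star.example.invalid" \
        -keyout "$WORK/key.pem" -out "$WORK/cert.pem" 2>/dev/null
    openssl pkcs12 -export -inkey "$WORK/key.pem" -in "$WORK/cert.pem" \
        -passout "$PASS" -macalg sha256 -out "$1"
}

make_demo_pkcs12 "$WORK/sha256.pfx"
echo "original MAC:    $(pkcs12_mac_alg "$WORK/sha256.pfx")"   # sha256
pkcs12_sha1_mac "$WORK/sha256.pfx" "$WORK/sha1.pfx"
echo "re-exported MAC: $(pkcs12_mac_alg "$WORK/sha1.pfx")"     # sha1
```

On a real bundle, replace the constructed key and certificate with your own PEM files and keep the intermediate certificate in the input so it ends up in the re-exported PKCS#12; running pkcs12_mac_alg on the result before importing it into ASDM tells you whether the MAC is the one the older ASA release accepts.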