
Problem importing a certificate into an ASA


I have a customer who is doing something a little different than normal for me, and I'm having a problem getting this to work. He generated a certificate from another system, and has sent me the certificate which also includes the private key and CA and intermediate certs. I have the password for when this was exported. This is a little ASA-5505 running 8.2(5) that is sitting on the DMZ of a Firewall1, and there is no web access permitted to it - this is an IPSec VPN used by some phones and tablets, and they haven't wanted to upgrade to AnyConnect - it's command line only. Can anyone suggest ways I might try to import this certificate? I've exported it to a Base64. Thank you very much.

11 Replies



Can you enable the following debugs while importing the certificate?

debug crypto ca mess 255

debug crypto ca trans 255

Also, please let me know what signature algorithm is used in the certificate.

Is it SHA1, SHA2 or MD5?



I pasted in the debug commands and got nothing. Logging is enabled, and for grins I turned on "deb icmp tra", and that resulted in some lines. I was told the signature algorithm was SHA-2.

Diego Lopez


If you have a password for the certificate, this is a PKCS12 cert and it will include the private key of the cert. You need to import it as it is, with the private key included; otherwise the ASA will not accept it, since the request was not generated directly from the ASA.

Command line process:

need to create a trustpoint to import the certificate:

crypto ca trustpoint ssl-cert

enrollment terminal 


Authenticate the trustpoint using the intermediate certificate:

crypto ca authenticate ssl-cert 

Enter the base 64 encoded CA certificate.


Import the certificate

crypto ca import ssl-cert pkcs12 <passphrase>

<paste in the base64 encoded pkcs12>


that should do it.

Regards, please rate!

I'm just not having any success, and I've attached the information regarding the certificate below. What I've done was to authenticate the trustpoint using the intermediate certificate from Verisign's/Symantec's web site for a certificate type "Secure Site", which is given at That works fine, and the ASA responds with "CRYPTO_PKI: Inserted cert into list." Next, I try to import the certificate using "crypto ca import ssl-cert pkcs12 <passphrase>", which results in:

-----END CERTIFICATE-----
ERROR: Import PKCS12 operation failed

I've also tried to copy and paste various parts of the PKCS12 certificate relating to Symantec/Verisign as the intermediate certificate, but that hasn't helped. I'd be grateful for any more assistance.

===> Certificate information

Bag Attributes
    localKeyID: 01 00 00 00
    friendlyName: 627d1bd1-c529-11e5-aad8-02573e52107d
    Microsoft CSP Name: Microsoft Enhanced Cryptographic Provider v1.0
Key Attributes
    X509v3 Key Usage: 10
localKeyID: 01 00 00 00 00 08 00 00 00 80 1A 05 4A 7C 44 E0 BB 62 52 E8 64 83 1C 54 2C 59 6E A9
subject=/CN=Persona Not Validated - 1453921726457/ Not Validated/OU=Symantec Trust Network
issuer=/C=US/O=Symantec Corporation/OU=Symantec Trust Network/OU=Persona Not Validated/CN=Symantec Class 1 Individual Subscriber CA - G5
Attributes 00 08 00 00 D6 54 F1 11 75 B4 B3 F7 5F AD 34 CF 66 E0 A3 9A
friendlyName: VeriSign 55 19 B2 78 AC B2 81 D7 ED A7 AB C1 83 99 C3 BB 69 04 24 B5 30 14 06 08 2B 06 01 05 05 07 03 02 06 08 2B 06 01 05 05 07 03 04 CB B5 AF 18 5E 94 2A 24 02 F9 EA CB C0 ED 5B B8 76 EE A3 C1 22 36 23 D0 04 47 E4 F3 BA 55 4B 65
subject=/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 1999 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 1 Public Primary Certification Authority - G3
issuer=/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 1999 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 1 Public Primary Certification Authority - G3
Bag Attributes 00 08 00 00 67 19 B6 3D A5 79 BB 33 60 D8 2D 53 D3 8C 09 3D 07 AC 18 70
subject=/C=US/O=Symantec Corporation/OU=Symantec Trust Network/OU=Persona Not Validated/CN=Symantec Class 1 Individual Subscriber CA - G5
issuer=/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 1999 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 1 Public Primary Certification Authority - G3


Hi, I had this same issue and after a lot of investigation I've made it work.

The issue is that the ASA expects to have the certificate in PKCS#12 (.p12) format, encoded with base64.

You just need to take your .pfx file and encode it in base64 with the following command:

#openssl base64 -in xxxxx.pfx > xxxxx.base64

Then you need to open the file and add the PKCS12 header and footer; just copy and paste them without leaving any space.

-----BEGIN PKCS12-----
-----END PKCS12-----

The end result would be like this:

-----BEGIN PKCS12-----
-----END PKCS12-----

Now you have your certificate ready for importing into the ASA. Execute:

crypto ca import [the trustpoint name you want] pkcs12 [pkcs12 password]

My example:

ASA(config)# crypto ca import wildcard.brato.local pkcs12 1234567890
Enter the base 64 encoded pkcs12.
End with the word "quit" on a line by itself:

-----BEGIN PKCS12-----
-----END PKCS12-----

INFO: Import PKCS12 operation completed successfully

Verify that the trustpoint was created:
ASA(config)# show crypto ca trustpoints BRATO

Trustpoint BRATO:
Not authenticated.

Verify that the key was created:
ASA(config)# show crypto key mypubkey rsa | b BRATO
Key name: BRATO
Usage: General Purpose Key
Modulus Size (bits): 1024
Key Data:

The last step is to add the root and the intermediate certificates to the chain. That is why you have a NOT AUTHENTICATED trustpoint.
You need to encode your certificate chain with base64 again. Remember that you need to form the chain in the issuing order:


You will end up with something like this:


crypto ca trustpoint BRATO
enrollment terminal
crypto ca authenticate BRATO
Enter the base 64 encoded CA certificate.
End with the word "quit" on a line by itself


Certificate has the following attributes:
Fingerprint: xxxxxxx xxxxxxxx xxxxxxx xxxxx
% Do you accept this certificate? [yes/no]: yes
Trustpoint CA certificate accepted.
% Certificate successfully imported

ASA(config)# show crypto ca trustpoint BRATO
Trustpoint BRATO:
Subject Name:
Serial Number: gglfshlkahfklsahflkhaslkf
Certificate configured.

Shakti Kumar
Cisco Employee

Hi ,

If the signature algorithm is SHA-2, you cannot have the certificate installed on the ASA on code 8.2(5), and that is because of the bug below.

Once you upgrade the code to the fixed version , it should be good.

Hope that helps



Alex Pfeil
Rising star

I imported an existing .pem file into Internet Explorer (IE) and made sure that the private key was exportable. I then exported the certificate and key with the DES encryption (not AES), and imported it into the ASA.  I know that you can make changes with OpenSSL as well, but IE was an easy method for me.

I recently imported a new certificate and key into IE and made sure the key was set to exportable. I exported the certificate and key as DES and it worked again. I just wanted to post an update that this process still works.

I thought I would share that I ran into the same problem on an FTD. When you go to export the pkcs12 file, the private key has to be set to 3DES-SHA1 as the encryption (from a Windows box). I did this the first time with AES256-AES256 encryption and the FTD would error out with the original error in the post. Once I changed it to 3DES-SHA1 it worked without any additional problems. I'm surprised that the ASA/FTD doesn't support higher encryption standards. It might be a version-specific thing where the IOS needs to be upgraded, but I didn't look that far into it, as changing to 3DES-SHA1 fixed the issue.


FYI: we had that same issue, but in our case it was related to a somehow "corrupted" key passphrase.

When it was re-issued with a changed passphrase, it worked like a charm!


This issue presents itself when an RSA keypair is used with the certificate. On ASA versions from 9.4(1) onwards, all the ECDSA and RSA ciphers are enabled by default and the strongest cipher (usually an ECDSA cipher) will be used for negotiation. If this happens, the ASA presents a self-signed certificate instead of the currently configured RSA-based certificate. There is an enhancement in place to change the behaviour when an RSA-based certificate is installed on an interface; it is tracked by Cisco bug ID CSCuu02848.

Recommended action: disable ECDSA ciphers with this CLI command:

ssl cipher tlsv1.2 custom "AES256-SHA:AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:DES-CBC3-SHA:DES-CBC-SHA:RC4-SHA:RC4-MD5"

Or, with the ASDM, navigate to Configuration > Remote Access VPN > Advanced, and choose SSL Settings. Under the Encryption section, select the tlsv1.2 Cipher version and edit it with the custom string AES256-SHA:AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:DES-CBC3-SHA:DES-CBC-SHA:RC4-SHA:RC4-MD5

Appendix A: ECDSA or RSA
The ECDSA algorithm is a part of elliptic curve cryptography (ECC) and uses an equation of an elliptic curve to generate a public key, whereas the RSA algorithm uses the product of two primes plus a smaller number to generate the public key. This means that with ECDSA the same level of security as RSA can be achieved, but with smaller keys. This reduces computation time and increases the connection times for sites that use ECDSA certificates.

The document on Next Generation Cryptography and the ASA provides more in-depth information.

Appendix B: Use OpenSSL to Generate a PKCS12 Certificate from an Identity Certificate, CA Certificate, and Private Key
Verify that OpenSSL is installed on the system this process is run on. For Mac OSX and GNU/Linux users, it is installed by default.
Switch to a working directory.
On Windows: by default, the utilities are installed in C:\Openssl\bin. Open a command prompt in this location.

On Mac OSX/Linux: open a Terminal window in the directory needed to create the PKCS12 certificate.

In the directory mentioned in the previous step, save the private key (privateKey.key), identity certificate (certificate.crt) and root CA certificate chain (CACert.crt) files.
Combine the private key, identity certificate and the root CA certificate chain into a PKCS12 file. Enter a passphrase to protect your PKCS12 certificate.

openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile CACert.crt

Convert the PKCS12 certificate generated to a Base64 encoded certificate:

openssl base64 -in certificate.pfx -out certificate.p12

Next, import the certificate that was generated in the last step for use with SSL.



Rachel Gomez
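Added example (editor's addition, not code from any reply in this thread): one shell script covering the OpenSSL side of what the replies above describe, run on constructed material. It decodes the DER fragment that is visible in the dump in the original post ("30 14 06 08 2B 06 01 05 05 07 03 02 06 08 2B 06 01 05 05 07 03 04"), which is an extendedKeyUsage value; prints the subject, signature algorithm and EKU of the identity certificate in a .pfx, the question the first reply asked; shows which password-based encryption protects the private key inside the .pfx; re-exports with PBE-SHA1-3DES and a SHA-1 MAC, the combination the two posters above report the ASA/FTD import accepting where AES-256 failed; and writes the base64 blob with the PKCS12 armor lines for the "crypto ca import <trustpoint> pkcs12 <passphrase>" prompt, the same conversion as the Appendix B commands. The throwaway CA, the subject vpn.example.test, the passphrase and the temp directory are all constructed for the demo; only a POSIX sh and the openssl CLI (1.1.1 or 3.x) are assumed.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes a POSIX sh and the openssl CLI
# (1.1.1 or 3.x). The CA, identity cert and passphrase below are constructed
# for the demo; point the functions at your own .pfx instead.
set -eu

# The DER fragment visible in the OP's dump ("30 14 06 08 2B 06 01 05 05 07 03 02
# 06 08 2B 06 01 05 05 07 03 04") is an extendedKeyUsage value: a SEQUENCE of
# two OIDs. Bytes are given here as octal escapes so plain printf can emit them.
eku_from_dump() {
    printf '\060\024\006\010\053\006\001\005\005\007\003\002\006\010\053\006\001\005\005\007\003\004' \
      | openssl asn1parse -inform DER \
      | sed -n 's/.*OBJECT *:\(.*\)$/\1/p'
}

# Constructed test material: a throwaway CA, an RSA identity cert it signs, and
# a PKCS#12 exported with OpenSSL's defaults (AES-256 + SHA-256 MAC on 3.x).
make_test_pkcs12() {   # $1 work dir, $2 passphrase -> writes $1/identity.pfx
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 2 \
        -subj '/CN=Example Test CA' -addext 'basicConstraints=critical,CA:TRUE' \
        -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=vpn.example.test' \
        -keyout "$d/id.key" -out "$d/id.csr" 2>/dev/null
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\n' > "$d/id.ext"
    openssl x509 -req -sha256 -days 2 -in "$d/id.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -extfile "$d/id.ext" -out "$d/id.crt" 2>/dev/null
    openssl pkcs12 -export -inkey "$d/id.key" -in "$d/id.crt" -certfile "$d/ca.crt" \
        -passout "pass:$2" -out "$d/identity.pfx"
}

# Which password-based encryption protects the private key in a .pfx. openssl
# writes the -info lines to stderr, so keep stderr and discard the PEM output.
pkcs12_key_pbe() {   # $1 pfx, $2 passphrase -> e.g. pbeWithSHA1And3-KeyTripleDES-CBC
    openssl pkcs12 -info -in "$1" -passin "pass:$2" -nokeys 2>&1 >/dev/null \
      | sed -n 's/^Shrouded Keybag: \([^,]*\),.*/\1/p' | head -n 1
}

# Subject, signature algorithm and EKU of the end-entity certificate.
identity_cert_summary() {   # $1 pfx, $2 passphrase
    openssl pkcs12 -in "$1" -passin "pass:$2" -clcerts -nokeys 2>/dev/null \
      | openssl x509 -noout -text \
      | grep -E 'Subject:|Signature Algorithm:|Extended Key Usage|Authentication|Protection' \
      | sed 's/^ *//' | sort -u
}

# Re-wrap a .pfx with PBE-SHA1-3DES for key and certs plus a SHA-1 MAC, the form
# the posters above found the ASA/FTD import accepts. The intermediate PEM holds
# the unencrypted key, so it lives in a 0600 mktemp file and is removed after.
# Under OpenSSL 3.x a Windows-exported file that uses RC2-40 for the cert bag
# may additionally need -legacy on the first command.
reexport_for_asa() {   # $1 in.pfx, $2 out.pfx, $3 passphrase
    tmp=$(mktemp)
    openssl pkcs12 -in "$1" -passin "pass:$3" -nodes -out "$tmp"
    openssl pkcs12 -export -in "$tmp" -passout "pass:$3" -out "$2" \
        -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1
    rm -f "$tmp"
}

# Base64 the .pfx with the armor lines shown in the thread; paste the output at
# the "Enter the base 64 encoded pkcs12." prompt and finish with "quit".
asa_pkcs12_blob() {   # $1 pfx
    printf '%s\n' '-----BEGIN PKCS12-----'
    openssl base64 -in "$1"
    printf '%s\n' '-----END PKCS12-----'
}

# Demo on the constructed material.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
PASS='constructed-demo-passphrase'
make_test_pkcs12 "$WORK" "$PASS"
echo "EKU OIDs in the dump posted above:"; eku_from_dump
identity_cert_summary "$WORK/identity.pfx" "$PASS"
echo "key PBE as exported:   $(pkcs12_key_pbe "$WORK/identity.pfx" "$PASS")"
reexport_for_asa "$WORK/identity.pfx" "$WORK/identity-asa.pfx" "$PASS"
echo "key PBE after re-wrap: $(pkcs12_key_pbe "$WORK/identity-asa.pfx" "$PASS")"
asa_pkcs12_blob "$WORK/identity-asa.pfx" > "$WORK/identity-asa.b64"
echo "paste-ready blob: $WORK/identity-asa.b64 ($(grep -c . "$WORK/identity-asa.b64") lines)"
```

Run it as-is to see the demo; on a real file call pkcs12_key_pbe, reexport_for_asa and asa_pkcs12_blob against your own .pfx. The decoded EKU of the posted dump is clientAuth and emailProtection, which together with the "Symantec Class 1 Individual Subscriber CA" issuer marks it as an individual (e-mail/client) certificate rather than a server certificate; that is worth confirming with the customer independently of the import error.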
