Single wildcard cert across multiple ASAs?

the-lebowski
Level 4

Is this even possible? I assume not, because I have to generate the CSR on the ASAs themselves and I can't do that on every one and use the same wildcard cert, correct? Just looking for an easy way to manage ASA certs across my environment.

6 Replies

Yes, that can be done. From a security standpoint not the best idea, but for sure easy to manage.

Do you already have that cert? You need it as a PKCS-12 file (PFX) which you can import into the ASA. If you don't have it yet, you can generate the CSR on any of the ASAs or even on a different system. I always generate my CSRs in situations like these on my Mac with OpenSSL. After getting the cert from the CA, it has to be converted to PFX, which again can be done with OpenSSL.

Thanks, and I tried that but get a couple of errors, one when creating the PKCS file and another when I attempt to import it.

1. 4294956672:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:evp_enc.c:529:
4294956672:error:0906A065:PEM routines:PEM_do_header:bad decrypt:pem_lib.c:488:

2. ERROR: Import PKCS12 operation failed. Base64 decode failed.


No idea where or what the problem is. 

How do you generate the file? And when importing, do it in ASDM, that typically works better than on CLI.

I didn't, I already had a wildcard cert that I am trying to use. Using ASDM as well, but I assume something is wrong with my cert/key files.

Do you have OpenSSL on your PC? Then you can at least check the file:

openssl pkcs12 -info -in file.pfx

This is what I did:

$ openssl pkcs12 -export -inkey wildcardnew-k.pem -in wildcardnew.pem -name "wildcard" -out wildcard-asa.p12
Enter pass phrase for wildcardnew-k.pem:
unable to load private key
4294956672:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:evp_enc.c:529:
4294956672:error:0906A065:PEM routines:PEM_do_header:bad decrypt:pem_lib.c:488:
 
$ openssl pkcs12 -info -in wildcard-asa.p12
4294956672:error:0D07207B:asn1 encoding routines:ASN1_get_object:header too long:asn1_lib.c:157:
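An added example, not code from the thread or from Cisco: a POSIX shell workflow, assuming OpenSSL is installed on the PC, that checks the private-key passphrase before the PKCS-12 export (the "bad decrypt" step above), re-parses the bundle the way the "openssl pkcs12 -info" check does, and only then writes the base64 text the ASA CLI import expects. File names and passphrases are constructed for the demo; the thread's export failed on the key passphrase, and the follow-up "header too long" error shows the leftover .p12 is not a valid bundle, which is what the ASA then reports as "Base64 decode failed".

```shell
#!/bin/sh
# Added example, not code from the thread: build an ASA-importable PKCS#12 from an
# existing wildcard key and cert, refusing to continue on a wrong key passphrase.
set -u

# check_key_passphrase KEY PASSPHRASE: 0 if the encrypted PEM key decrypts.
# A wrong passphrase is the "EVP_DecryptFinal_ex:bad decrypt" seen in the thread.
check_key_passphrase() {
  openssl pkey -in "$1" -passin "pass:$2" -noout 2>/dev/null
}

# build_asa_pkcs12 KEY CERT KEYPASS EXPORTPASS OUT
# Writes OUT only after the bundle re-parses, so no empty or truncated .p12 is
# handed to the ASA (where it shows up as "Base64 decode failed").
build_asa_pkcs12() {
  key=$1; cert=$2; keypass=$3; exportpass=$4; out=$5
  if ! check_key_passphrase "$key" "$keypass"; then
    echo "wrong passphrase for $key; not building $out" >&2
    return 1
  fi
  tmp="$out.tmp"
  # SHA-1/3DES PBE and MAC: OpenSSL 3 defaults to AES-256/PBKDF2 bundles that
  # older PKCS#12 importers may reject; 3DES needs no -legacy provider.
  openssl pkcs12 -export -inkey "$key" -in "$cert" -name wildcard \
    -passin "pass:$keypass" -passout "pass:$exportpass" \
    -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1 \
    -out "$tmp" 2>/dev/null || { rm -f "$tmp"; return 2; }
  # Same check as the thread's "openssl pkcs12 -info", just without the dump.
  openssl pkcs12 -in "$tmp" -passin "pass:$exportpass" -noout 2>/dev/null \
    || { rm -f "$tmp"; return 3; }
  mv "$tmp" "$out"
  # Wrapped base64 text is what the ASA CLI "crypto ca import <trustpoint> pkcs12"
  # prompt expects to have pasted; the binary .p12 is what ASDM imports.
  openssl base64 -in "$out" -out "$out.b64"
}

# make_test_material DIR: constructed throwaway wildcard cert with an encrypted key
# (passphrase "keypw"), standing in for the real CA-issued wildcard files.
make_test_material() {
  openssl req -x509 -newkey rsa:2048 -days 1 -subj "/CN=*.example.test" \
    -keyout "$1/wildcard-k.pem" -out "$1/wildcard.pem" -passout pass:keypw 2>/dev/null
}

# Usage: make_test_material /tmp/demo &&
#   build_asa_pkcs12 /tmp/demo/wildcard-k.pem /tmp/demo/wildcard.pem \
#     keypw exportpw /tmp/demo/wildcard-asa.p12
```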