08-28-2017 03:52 PM - edited 03-12-2019 04:30 AM
I can't seem to find clear instructions for installing a RENEWED ssl certificate on an ASA. All of the instructions I see talk about generating the CSR from the ASA but what about when a customer renews their SSL cert through a popular vendor such as GoDaddy or DigiCert? They are not using a CSR generated by the ASA so how in the heck do I get the new cert installed??
Also, nobody (and I mean nobody) has been able to demonstrate how to install a wildcard cert to an ASA. The ASA will not allow an asterisk (*) as part of the FQDN or CN.
Please don't just post some link to a cisco doc, *explain* it to me because I guarantee I've already read any cisco doc you are about to link.
As you can imagine, I'm very frustrated at this point.
Thanks,
John
01-08-2021 08:00 AM
Do we also need to update the Client Service with the new trustpoint?
crypto ikev2 remote-access NewTruspoint OUTSIDE
01-11-2021 07:35 PM
You don't need to update anything else except the trustpoint.
11-23-2021 09:43 AM
What if the original private key was generated with a cert request on a different machine?
03-07-2018 08:01 PM
Thank you John and Marvin for firstly the excellent first post stating exactly what is needed and secondly to Marvin for taking it onboard and responding with the concise help!
I did look for this earlier in the week and the Cisco documentation doesn't give these instructions or notes at all... I knew that regenerating a CSR was not the right way to go.
I thought I'd add some additional info in case anyone needs it.
After downloading your renewed SSL cert bundle from your cert authority, here are the steps you need to get the PFX file that you can then import into your ASA via ASDM:
1. You might need to create a cert 'bundle' if your CA has given you the server cert and separate root and intermediate certs. You do this by opening up all of the files with a text editor and making a new notepad file. Copy and paste everything from each cert into the one file. The server cert is first, followed by the intermediate and then root certs. Save the new file as .crt like the others and it should open in Windows fine.
2. Use a Linux shell with openssl (I use Windows bash.exe for this) and create the pfx file. You need the 2 files that are 1) your cert's private key file and 2) the new cert bundle you just created (you will be asked to set a password for it):
openssl pkcs12 -export -out new-asa.pfx -inkey private.key -in bundled.crt
3. Now you can import the pfx into the ASA using the password. I actually created a new trustpoint, since the private key was being imported again, although I'm not sure if I could have re-used the same trustpoint as before.
:)
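The bundle-and-export steps above, as an added example that is not part of the original post: it builds a constructed three-tier test chain with openssl (standing in for the root, intermediate and server certs a CA hands back), concatenates them in the order the post describes, exports the PKCS#12 file, and checks the result before it goes anywhere near an ASA. File names and the password are placeholders; in practice private.key is the key that was generated alongside the original CSR.

```shell
set -eu
WORK="${WORK:-$(mktemp -d)}"; cd "$WORK"
PFX_PASS="${PFX_PASS:-example-pfx-password}"   # placeholder, not a real secret

# sign <name> <subject> <extensions> [<issuer>]; no issuer means self-signed.
# Extensions come from our own file, so this does not depend on openssl.cnf.
sign() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
    -subj "$2" 2>/dev/null
  printf '%s\n' "$3" > "$1.ext"
  if [ -n "${4:-}" ]; then
    openssl x509 -req -in "$1.csr" -CA "$4.crt" -CAkey "$4.key" -CAcreateserial \
      -days 30 -extfile "$1.ext" -out "$1.crt" 2>/dev/null
  else
    openssl x509 -req -in "$1.csr" -signkey "$1.key" -days 30 \
      -extfile "$1.ext" -out "$1.crt" 2>/dev/null
  fi
}

# Constructed stand-ins for the files a CA would return: root, intermediate,
# server certificate, plus the private key that belongs to the server's CSR.
make_test_chain() {
  sign root   "/CN=Example Root CA"         "basicConstraints=critical,CA:TRUE"
  sign inter  "/CN=Example Intermediate CA" "basicConstraints=critical,CA:TRUE" root
  sign server "/CN=vpn.example.net"         "basicConstraints=CA:FALSE"         inter
  cp server.key private.key
}

# Step 1 from the post: concatenate server, then intermediate, then root.
# Step 2: export key + bundle as PKCS#12 (every cert given via -in is included).
build_pfx() {   # build_pfx <key> <out.pfx>
  cat server.crt inter.crt root.crt > bundled.crt
  openssl pkcs12 -export -out "$2" -inkey "$1" -in bundled.crt -passout "pass:$PFX_PASS"
}

# Sanity checks: the bundle's first cert is the server cert, the chain verifies
# up to the root, and the PFX opens with the password and yields the server cert.
check_pfx() {   # check_pfx <pfx>; returns 0 only if every check passes
  openssl x509 -in bundled.crt -noout -subject | grep -q 'vpn.example.net' || return 1
  openssl verify -CAfile root.crt -untrusted inter.crt server.crt >/dev/null 2>&1 || return 1
  openssl pkcs12 -in "$1" -passin "pass:$PFX_PASS" -nokeys -clcerts 2>/dev/null \
    | openssl x509 -noout -subject | grep -q 'vpn.example.net'
}

make_test_chain
build_pfx private.key new-asa.pfx
check_pfx new-asa.pfx && echo "new-asa.pfx ready for ASDM import"
```

If an older import path rejects a file written by OpenSSL 3 (which defaults to AES-256 and a SHA-256 MAC), `openssl pkcs12 -export -legacy` writes the older RC2/3DES-encoded format.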
12-20-2019 05:43 AM
Have you seen this: https://www.cisco.com/c/en/us/support/docs/field-notices/704/fn70489.html
12-20-2019 05:48 AM
NOTE - you might need to take IMMEDIATE ACTION if you have a self-signed cert on an IOS device!
There are three workarounds to replace self-signed certificates on Cisco IOS devices at this link: https://www.cisco.com/c/en/us/support/docs/field-notices/704/fn70489.html
(Link posted 17-December notifying of the inability to replace self-signed certificates on particular IOS devices if one does not take IMMEDIATE action. As of 01-Jan-2020, any device for which a self-signed cert has NOT been replaced will apparently no longer allow the device admin to replace the cert and it will be forever locked.) Ouch - thank you for the short notice.
12-20-2019 06:42 AM
This thread was all about Cisco ASA certificates which are NOT affected at all by the advisory.
Almost nobody running an IOS-based SSL VPN headend uses the certificates self-signed by the device. In fact, I've not encountered a single one in over a decade of deploying customer networks. If they are, they are already accepting an insecure self-signed certificate and after the new year will be accepting an insecure self-signed expired certificate (or will have to create a CSR and install a proper CA-signed certificate as they should have done all along).
07-15-2020 01:30 AM - edited 07-15-2020 01:51 AM
Hello,
I will install a new cert with the process you suggest @Marvin Rhoads
The existing cert expires on 21/7.
If I assign the new one to the interface, will I have downtime for the users connected to VPN who use this cert?
What do you suggest?
Also, is there a similar guide for the process through CSM? It would be highly appreciated!
Thanks and regards,
Konstantinos
07-15-2020 09:26 AM
Assigning the new certificate won't cause downtime - as long as it is one that's trusted by the clients.
I've only very rarely used CSM and not for a long time. I'm not sure how or if we can do this using that tool.
12-01-2023 09:30 AM
Hi Marvin,
I have a question: in the process of renewing the ASA ID certificate, it is stated that you may select a key pair from the dropdown list or, if you don't have one, simply click "New" to generate a new pair. My question is, which option is better? Why? And how do I know which key pair to select from the dropdown list, as I have many in the list?
12-03-2023 07:22 PM
If you are creating a new CSR, it doesn't hurt to just create a new key pair. You might give it a unique human-readable name to avoid such confusion in the future. Once you have replaced the certificate with the newly issued one, it is OK to remove any old identity certificates and associated key pairs.
12-04-2023 05:10 AM
Thanks