12-05-2010 04:44 PM
Hello,
I've searched the forum for a definitive answer to this question but I'm afraid I can't find one. Can someone please help?
I've a customer's ASA to which I've set up Client SSLVPN and Clientless SSLVPN.
The customer has his own certificate which he'd like to use to stop that annoying 'problem with websites security certificate' message.
The problem is that his certificate wasn't issued as a result of the ASA's CSR.
Is it possible to do this, and if so, how please?
I told him the ASA needs to generate a CSR which is then sent to Verisign (for example), who then send back a cert to add to the ASA.
But he's seen the link below...
http://www.cisco.com/en/US/docs/security/asa/asa80/release/notes/asarn80.html#wp242704
I think this relates to Java and I'm not sure what step 1 is referring to:
Step 1. Export the certificate with PKCS12 file (with a private key) ????
Any help would be greatly appreciated
Regards Tony
12-05-2010 05:27 PM
Yes, that link is exactly what you are after.
Since the CSR is not generated from the ASA, you would need to export the certificate that includes the private keys so the ASA will have a copy of those private keys. The certificate that you are going to export to the ASA needs to be in PKCS12 format and you can convert a PFX format certificate (this typically includes the private keys) to PKCS12 using OpenSSL as stated in the documentation.
Hope that answers your question.
12-06-2010 05:51 AM
Hi Jennifer,
Thanks for the prompt response and the answer, it looks like I'll need to do some backtracking with the customer!
Cheers Tony
12-07-2010 08:32 AM
Hi Jennifer,
I hope you can help me as I'm going around in circles with this certificate thing.
The customer has sent me 2 files
gd_iis_intermediates.p7b
and
X_web.p12
I've converted the X_web.p12 into a PEM extension, and when I look at this in a text file, I can see 2 certs, an RSA certificate starting
---BEGIN RSA PRIVATE KEY--- and another certificate starting ---BEGIN CERTIFICATE---.
The web page http://www.cisco.com/en/US/docs/security/asa/asa80/release/notes/asarn80.html#wp242704 step 3 advises to use the command line to enter the certificate, but which of these 2 shown in the PEM file should I use?
Right now I only have ASDM access.
I can VPN into the ASA and access the ASDM, but when I attempt to import the cert this way using paste, the paste function fails to work, right-click to paste does NOT work, and I can't manually enter the code as it's huge!
I tried to browse for the files and it finds the 2 mentioned above, but it doesn't seem to like the format and brings up an error message; opening the cert files just seems to add them to my laptop.
Any help appreciated
Regards Tony
12-07-2010 11:26 AM
Hi,
You just need to import the .p12 file directly into a new trustpoint as it is, on the ASDM in the identity certificate section. Only if you need to import via CLI would you need to convert it to base64.
From what you have, I believe the identity cert and RSA keys are in the p12 file. After you import that using the ASDM, authenticate the same trustpoint using the intermediate certs that you have. Or another way is to combine the p7 file into a single PKCS12 file using OpenSSL and import it, and be done with it in one go.
So the important thing to note is that you can import the PKCS12 from the .p12 file directly from ASDM (not CLI).
12-07-2010 03:20 PM
Hi Rahgovin,
Many thanks for your help, I did attempt to import the .p12 into the ASA using the ASDM but get the error message below
'ERROR: Import PKCS12 operation failed'
I'm browsing for the .p12 file, is there anything I should be doing differently?
Cheers Tony
12-07-2010 03:30 PM
It would be best to run a debug cry ca 255 on a console window when you try to import it and collect the debugs to see where it's going wrong.
Also try adding the CA certificate into the p12 file using OpenSSL and then importing again.
Is the p12 file already base64 encoded? You can try importing it through the CLI too. Please open the file in WordPad. If it has normal alphabetical/numerical characters, it is in Base64 encoding. If not, then we need to convert it. To convert to base64 we can use OpenSSL. Most Linux systems will have this installed by default; if you are on Windows you will need to download the OpenSSL compiled binaries. To convert to base64 via OpenSSL use the following command:
openssl base64 -in original.pkcs12 -out base64.pkcs12
This will convert to base64 without changing the password. And then do a crypto ca importpkcs12 passphrase.
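The conversions the two replies above describe (unpack the customer's .p12, check that the key really belongs to the certificate, fold the vendor's .p7b chain into one PKCS12, and base64-encode it for a CLI paste) as an added, runnable example. This is not code from the thread or from Cisco: it generates throwaway test material with a one-day self-signed CA so it runs offline, reuses the thread's file names (X_web.p12, gd_iis_intermediates.p7b) for constructed files, and assumes openssl is on PATH and an export passphrase of export123.

```shell
#!/bin/sh
# Added example, not part of the original thread. All key material below is
# generated here for the demo; the passphrase and file names are assumptions.
set -eu

WORK="${WORK:-$(mktemp -d)}"
EXPORT_PASS="${EXPORT_PASS:-export123}"   # assumed passphrase, demo only

# Constructed stand-ins for what the customer sent: a .p12 holding the
# identity cert + private key, and a .p7b holding the issuing chain.
make_test_material() {
  cd "$WORK"
  openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt -days 1 \
    -subj "/CN=Example Test CA" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -keyout web.key -out web.csr \
    -subj "/CN=vpn.example.test" 2>/dev/null
  openssl x509 -req -in web.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
    -out web.crt -days 1 2>/dev/null
  openssl crl2pkcs7 -nocrl -certfile ca.crt -out gd_iis_intermediates.p7b
  openssl pkcs12 -export -in web.crt -inkey web.key \
    -passout "pass:$EXPORT_PASS" -out X_web.p12
}

# Step 1: unpack the .p12 into PEM. This is what produced the PRIVATE KEY block
# and the CERTIFICATE block seen in the thread; the key and cert are also
# split out so they can be checked and re-bundled. Prints the cert count.
unpack_p12() {
  cd "$WORK"
  openssl pkcs12 -in X_web.p12 -passin "pass:$EXPORT_PASS" -nodes -out X_web.pem 2>/dev/null
  openssl pkcs12 -in X_web.p12 -passin "pass:$EXPORT_PASS" -nocerts -nodes -out id.key 2>/dev/null
  openssl pkcs12 -in X_web.p12 -passin "pass:$EXPORT_PASS" -nokeys -clcerts -out id.crt 2>/dev/null
  grep -c 'BEGIN CERTIFICATE' X_web.pem
}

# Step 2: a .p12 only helps the ASA if the private key in it matches the
# certificate. Compare the public key derived from each (works for RSA or EC).
key_matches_cert() {
  cd "$WORK"
  k="$(openssl pkey -in id.key -pubout 2>/dev/null)"
  c="$(openssl x509 -in id.crt -pubkey -noout)"
  [ "$k" = "$c" ] && echo match || echo mismatch
}

# Step 3: turn the vendor's PKCS#7 chain into PEM and rebuild one PKCS12 with
# key + identity cert + chain, then base64 it for the CLI import.
# Prints the number of certificates found in the rebuilt bundle.
build_bundle() {
  cd "$WORK"
  # Add "-inform DER" here if the real .p7b is binary rather than PEM.
  openssl pkcs7 -print_certs -in gd_iis_intermediates.p7b -out chain.pem
  # SHA1/3DES PBE: OpenSSL 3 defaults to AES-256/PBKDF2, which older
  # importers often reject with a generic "import failed".
  openssl pkcs12 -export -in id.crt -inkey id.key -certfile chain.pem \
    -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1 \
    -passout "pass:$EXPORT_PASS" -out bundle.p12
  # Base64 text to paste after "crypto ca import <trustpoint> pkcs12 <passphrase>".
  openssl base64 -in bundle.p12 -out bundle.b64
  # Round-trip the base64 to prove the paste-able text still decodes cleanly.
  openssl base64 -d -in bundle.b64 -out roundtrip.p12
  openssl pkcs12 -in roundtrip.p12 -passin "pass:$EXPORT_PASS" -nokeys 2>/dev/null \
    | grep -c 'BEGIN CERTIFICATE'
}

if [ "${1:-}" = "demo" ]; then
  make_test_material
  echo "certificates in X_web.pem: $(unpack_p12)"
  echo "private key vs certificate: $(key_matches_cert)"
  echo "certificates in bundle.p12: $(build_bundle)"
  echo "paste $WORK/bundle.b64 into the CLI pkcs12 import"
fi
```

Run it with `sh script.sh demo`. The identity .p12 unpacks to one certificate, the key check reports match, and the rebuilt bundle carries two certificates (identity plus the CA from the .p7b). When an import still fails, the PBE flags are the first thing to vary: the device may support only the older SHA1/3DES or RC2 encodings, and OpenSSL 3 can produce the RC2 form with its `-legacy` option if the legacy provider is available.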
12-07-2010 04:07 PM
Hello again Rahgovin,
I'm remote from the ASA but will try to log the debug on the ASDM.
Actually I do have the .p12 file as a base64, I managed to convert it to PEM format.
It shows 2 certificates.
The first starts with ---BEGIN RSA PRIVATE KEY--- and displays all the alpha/numeric characters you mention.
(are these the private keys?)
Then there is a section showing the subject, OU, CN stuff
Then there is another certificate which starts with ---BEGIN CERTIFICATE---
(I guess this is the actual certificate)
I'll try to get into the ASA CLI and enter it that way.
I'm guessing its the second certificate that I'll need to paste in
Thanks again for your input
Regards Tony
12-07-2010 04:16 PM
Hi tony,
You need to put in the entire file (base64) through the CLI, including the key and certificate.
So when the console asks you to import the base64 PKCS12 file, put in the entire file starting from BEGIN PRIVATE KEY.
12-08-2010 02:31 AM
Hi Rahgovin,
I'm able to SSH now and use the CLI, but after pasting in the entire text it still returns that operation failed error. I set up the debug too but it doesn't show anything.
I'm thinking I'll have to ask the customer to use the ASA CSR procedure and get them to buy another cert.
I downloaded OpenSSL and have installed it, but running it from a cmd prompt doesn't work. I can't find an application for it, so I've hit a brick wall there.
Thanks for your help though, its much appreciated
Regards Tony
12-08-2010 07:28 AM
Most certificate vendors have an option to rekey the cert at no additional cost if the cert is for the same FQDN. So your customer most likely won't have to buy another one, but can rekey the same one by giving them a new CSR.
12-08-2010 12:03 PM
Hi Rahgovin,
Thanks for all your help, it turned out the ASA didn't like the .p12 format, and so exporting them to the desktop in PKCS12 format did the trick.
Also I was hitting the IP address and should have been going to the URL.
It's working now, thanks again for all your help.
Cheers Tony
12-08-2010 12:10 PM
Great. Did you import them via CLI or ASDM in the end?
12-09-2010 01:37 AM
Hi - I used the ASDM in the end, just needed to get the format correct: .p12
didn't work, .PKCS12 did. The Internet is confusing as it repeatedly says these are the same.
Thanks for your persistence
Tony
07-31-2021 10:08 PM
Hello Jennifer,
I have received a zip file from Go Daddy to renew the ASA SSL AnyConnect VPN cert. The CSR was not generated on the ASA and I assume I will need to use OpenSSL to create a PKCS#12 cert to be able to export it to the ASA. As per the attached image, if I am correct, the zip file contains an intermediate gd_bundle cert (gd_bundle-g2-g1.crt), an identity cert (800d398111c571fc.crt) and a pem file (800d398111c571fc.pem). Both the pem and crt files have the same text contents and start with '-----BEGIN CERTIFICATE-----'. My question is, wouldn't a PrivateKey.key file be needed instead of the pem file? And how do both the pem and crt files have the same contents? Do I also need to convert the pkcs12 file to pfx to export it to the ASA?
Any help would be much appreciated. Thank you