This is a quick and dirty method of importing an existing SSL certificate into a Cisco ASA for use with the SSL AnyConnect VPN.
Firstly, you need the existing SSL certificate, its CA chain and the private key bundled together in a binary (DER) PKCS#12/PFX file protected by a password. The file cannot have an empty password!
Once you have your standard password-protected PFX, base64-encode it as below:
openssl base64 -in another.pfx -out another.cert
This gives you a base64-encoded PKCS#12 blob (the raw base64 only, without any BEGIN/END lines).
Now configure the trustpoint that will hold the certificate and its chain:
asa-gw(config)# crypto ca trustpoint vpn.mydomainname.tld
asa-gw(config-ca-trustpoint)# keypair vpn.mydomainname.tld
asa-gw(config-ca-trustpoint)# crl configure
asa-gw(config-ca-crl)# exit
asa-gw(config-ca-trustpoint)# enrollment terminal
Finally, import the certificate, manually adding the PKCS12 BEGIN and END tags at the start and end of the pasted base64 (you can copy them from below):
crypto ca import vpn.mydomainname.tld pkcs12 mypassword
Enter the base 64 encoded pkcs12.
End with the word "quit" on a line by itself:
-----BEGIN PKCS12-----
MIIhiQIBAzCCIU8GCSqGSIb3DQEHAaCCIUAEgiE8MIIhODCCF28GCSqGSIb3DQEH
BqCCF2AwghdcAgEAMIIXVQYJKoZIhvcNAQcBMBwGCiqGSIb3DQEMAQYwDgQIRg3L
X+A8IlUCAggAgIIXKNvEgvyFJOB6/LCjBL/7HNBgDadJWrL3cb4DeBvqMxzQlbkV
Tkpz7PtHABv39na2xX0JGi6rIgqzB1KECs2d6E5pGPNK//A85vm4ZFSollLxPZcr
----SNIP----
W6I36+3V/I2c34SSavjmTn2232mk/w+QSJBIoVMJeTrGxlpwJyHRtkb6KfCtcp5T
Ye3NMSUwIwYJKoZIhvcNAQkVMRYEFF39ORVVeBJRzVyfnaRePRclYKG8MDEwITAJ
BgUrDgMCGgUABBRHuopbW2mBfKvP9R2CB5YNE5o4YQQIRrtNmIgiMBUCAggA
-----END PKCS12-----
quit
% You already have RSA or ECDSA keys named vpn.mydomainname.tld.
% If you replace them, all device certs issued using these keys
% will be removed.
% Do you really want to replace them? [yes/no]: yes
% The CA cert is not self-signed.
% Do you also want to create trustpoints for CAs higher in
% the hierarchy? [yes/no]: yes
INFO: Import PKCS12 operation completed successfully
Make sure the line below is present, so the ASA actually serves this trustpoint's certificate for SSL/AnyConnect:
ssl trust-point vpn.mydomainname.tld
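The steps above (binary PFX with a non-empty password, base64 at 64 columns, PKCS12 tags, trustpoint and import commands, ssl trust-point binding) are easy to get subtly wrong when pasting into a console, so here is an added Python example that prepares and sanity-checks the paste block offline. It is not code from the original post or from Cisco: SAMPLE_PFX is a constructed stand-in with only the outer DER shape of a PKCS#12 file (not a real certificate bundle), and the trustpoint name and password are the placeholders used on this page.

```python
import base64

# Constructed stand-in for a PFX: the outer DER shape of a PKCS#12 PFX,
# SEQUENCE { version INTEGER 3, ... }, with an empty SEQUENCE where the
# authSafe ContentInfo would be. It is NOT a real PKCS#12 file; it only
# exercises the structural checks below.
SAMPLE_PFX = bytes.fromhex("30 05 02 01 03 30 00")


def der_tlv(data, offset=0):
    """Parse one DER tag-length-value at offset; return (tag, value, end_offset)."""
    if offset + 2 > len(data):
        raise ValueError("truncated DER header")
    tag, first = data[offset], data[offset + 1]
    if first < 0x80:                      # short-form length
        length, pos = first, offset + 2
    else:                                 # long-form length: first & 0x7F length bytes follow
        n = first & 0x7F
        if n == 0 or offset + 2 + n > len(data):
            raise ValueError("bad DER length encoding")
        length = int.from_bytes(data[offset + 2:offset + 2 + n], "big")
        pos = offset + 2 + n
    end = pos + length
    if end > len(data):
        raise ValueError("DER length runs past end of data (truncated PFX?)")
    return tag, data[pos:end], end


def check_pfx(blob):
    """Raise ValueError unless blob looks like a binary PKCS#12 PFX (outer SEQUENCE, version 3)."""
    if blob[:1] != b"\x30":
        raise ValueError("not a DER SEQUENCE: is this a PEM/text file instead of a binary PFX?")
    _, body, end = der_tlv(blob)
    if end != len(blob):
        raise ValueError("trailing bytes after the PFX SEQUENCE")
    vtag, vval, _ = der_tlv(body)
    if vtag != 0x02 or int.from_bytes(vval, "big") != 3:
        raise ValueError("PFX version is not 3")


def is_valid_pfx(blob):
    """Boolean wrapper around check_pfx for quick pre-flight checks."""
    try:
        check_pfx(blob)
        return True
    except ValueError:
        return False


def pfx_to_asa_pem(blob):
    """Base64 the PFX wrapped at 64 columns (as 'openssl base64' does) and add the PKCS12 tags."""
    b64 = base64.b64encode(blob).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN PKCS12-----\n" + "\n".join(lines) + "\n-----END PKCS12-----\n"


def decode_asa_pem(pem):
    """Inverse of pfx_to_asa_pem: proves the text you are about to paste round-trips to the same bytes."""
    lines = [ln.strip() for ln in pem.splitlines() if ln.strip() and not ln.startswith("-----")]
    return base64.b64decode("".join(lines), validate=True)


def asa_import_script(trustpoint, password, blob):
    """Assemble the ASA CLI: trustpoint, pkcs12 import with the pasted blob, and the ssl trust-point binding."""
    if not password:
        raise ValueError("the ASA will not import a PKCS12 with an empty password")
    check_pfx(blob)
    return (
        f"crypto ca trustpoint {trustpoint}\n"
        f" keypair {trustpoint}\n"
        " crl configure\n"
        " exit\n"
        " enrollment terminal\n"
        "exit\n"
        f"crypto ca import {trustpoint} pkcs12 {password}\n"
        + pfx_to_asa_pem(blob)
        + "quit\n"
        f"ssl trust-point {trustpoint}\n"
    )


if __name__ == "__main__":
    # With a real PFX: blob = open("another.pfx", "rb").read()
    print(asa_import_script("vpn.mydomainname.tld", "mypassword", SAMPLE_PFX))
```

The DER check only looks at the outer structure, but that is enough to catch the two mistakes that produce an opaque import failure on the console: handing it a PEM/text export instead of the binary PFX, and a blob that was truncated by a terminal paste limit.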
If you get an error about a 4096-bit key, then I'm sorry, but that's the end of the road: you need to regenerate with a 2048-bit key, because at the time of writing even the latest versions of the ASA OS do not support SSL keys larger than 2048 bits.
In some cases you might need to disable and re-enable webvpn to get it going again, i.e.
asa-gw(config)# webvpn
asa-gw(config-webvpn)# no enable outside
WARNING: Disabling webvpn removes proxy-bypass settings.
Do not overwrite the configuration file if you want to keep existing proxy-bypass commands.
INFO: WebVPN and DTLS are disabled on 'outside'.
asa-gw(config-webvpn)# enable outside
Thanks a lot for this post.
I got an error that the key pair doesn't exist. But I guess it didn't matter; the certificate got applied.
Thanks again.