This is a quick and dirty method to importing an existing SSL certificate into a Cisco ASA for use with the SSL Anyconnect VPN.
Firstly, you need to have an existing SSL certficiate+CA chain+private key contained in a binary PFX file with a password. The file cannot have an empty password!
Once you have your standard password protected PFX you need to base64 encode it as below
openssl base64 -in another.pfx -out another.cert
This will give you a base64 encoded pkcs12.
Now, configure the certificate chain
asa-gw(config)# crypto ca trustpoint vpn.mydomainname.tld asa-gw(config-ca-trustpoint)# keypair vpn.mydomainname.tld asa-gw(config-ca-trustpoint)# crl configure asa-gw(config-ca-crl)# exit asa-gw(config-ca-trustpoint)# enrollment terminal
Finally, import the certificate and manually place the pcks12 tags at the star and end (you can copy them from below)
crypto ca import vpn.mydomainname.tld pkcs12 mypassword Enter the base 64 encoded pkcs12. End with the word "quit" on a line by itself: -----BEGIN PKCS12----- MIIhiQIBAzCCIU8GCSqGSIb3DQEHAaCCIUAEgiE8MIIhODCCF28GCSqGSIb3DQEH BqCCF2AwghdcAgEAMIIXVQYJKoZIhvcNAQcBMBwGCiqGSIb3DQEMAQYwDgQIRg3L X+A8IlUCAggAgIIXKNvEgvyFJOB6/LCjBL/7HNBgDadJWrL3cb4DeBvqMxzQlbkV Tkpz7PtHABv39na2xX0JGi6rIgqzB1KECs2d6E5pGPNK//A85vm4ZFSollLxPZcr ----SNIP---- W6I36+3V/I2c34SSavjmTn2232mk/w+QSJBIoVMJeTrGxlpwJyHRtkb6KfCtcp5T Ye3NMSUwIwYJKoZIhvcNAQkVMRYEFF39ORVVeBJRzVyfnaRePRclYKG8MDEwITAJ BgUrDgMCGgUABBRHuopbW2mBfKvP9R2CB5YNE5o4YQQIRrtNmIgiMBUCAggA -----END PKCS12----- quit % You already have RSA or ECDSA keys named vpn.mydomainname.tld. % If you replace them, all device certs issued using these keys % will be removed. % Do you really want to replace them? [yes/no]: yes % The CA cert is not self-signed. % Do you also want to create trustpoints for CAs higher in % the hierarchy? [yes/no]: yes INFO: Import PKCS12 operation completed successfully
Make sure you have the line below present
ssl trust-point vpn.mydomainname.tld
If you get an error about a 4096 key, well I’m sorry but that’s the end of the road, you need to regenerate with a 2048 key as at the time of writing this even the latest versions of the ASA OS do not support SSL keys greater than 2048.
In some cases you might need to disable and reneable webvpn to get it going again, i.e.
asa-gw(config)# webvpn asa-gw(config-webvpn)# no enable outside WARNING: Disabling webvpn removes proxy-bypass settings. Do not overwrite the configuration file if you want to keep existing proxy-bypass commands. INFO: WebVPN and DTLS are disabled on 'outside'. asa-gw(config-webvpn)# enable outside