Importing an SSL/TLS Wildcard Certificate and Private Key from your webserver onto your Cisco ASA 5500 series firewall

Whoops! The self-signed certificate on the corporate Cisco ASA 5520 firewall expired a month ago and needs replacing. Since we already have a legitimate wildcard certificate issued by GeoTrust, I reused it on the ASA by converting the certificate, its private key and the intermediate CA certificate with openssl into a PKCS12 bundle, which is the format the ASA imports. Here are the steps:

1. Convert the certificate, the intermediate CA certificate and the private key to PEM format (the commands below assume PEM input; if your CA delivered DER files, add `-inform der` to the corresponding command)

    mkdir asa
    openssl x509 -in example_com.crt \
        -out asa/example_com.crt -outform pem
    openssl x509 -in geotrust-intermediate-ca.crt \
        -out asa/geotrust-intermediate-ca.crt -outform pem
    openssl rsa -in example_com.key \
        -out asa/example_com.key -outform pem

2. Bundle them into PKCS12 format (the export password you choose here is the one you will give to `crypto ca import` in step 4)

    cd asa
    openssl pkcs12 -export -in example_com.crt -inkey example_com.key \
        -certfile geotrust-intermediate-ca.crt -out example_com.p12
    # remember the password when prompted to encrypt it "Enter Export Password:"

3. Base64-encode the bundle for the ASA, wrapped in a single BEGIN/END PKCS12 marker pair

    ( echo -----BEGIN PKCS12-----;
      openssl base64 -in example_com.p12;
      echo -----END PKCS12-----; ) > example_com.pkcs12
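As an added example that is not part of the original post, the shell script below carries steps 1 to 3 through end to end and adds the checks a practitioner would want before pasting anything into the firewall: it confirms the private key matches the certificate, reports the key length and signature algorithm (two properties that, according to the comments below, older ASA code is picky about), pins the PKCS12 encryption to the SHA-1/3DES algorithms OpenSSL 1.x used by default (OpenSSL 3 defaults to AES-256 with PBKDF2, which I assume older ASA code does not parse), reads the bundle back with the export password, and checks that the base64 wrapper decodes to the same bytes. Because the real GeoTrust certificate and key are not on the page, it generates a throwaway test CA and a 2048-bit wildcard leaf as constructed stand-ins; the file names, the `WORK` directory and the `PASS` export password are assumptions of this example.

```shell
#!/bin/sh
# Added example (not the original post's code): build the PKCS12 bundle the ASA
# expects, base64-wrap it, and sanity-check it before pasting it into
# "crypto ca import ... pkcs12 <password>". The real GeoTrust material is not on
# the page, so a throwaway CA and wildcard leaf are generated as constructed test data.
set -eu

WORK="${WORK:-$(mktemp -d)}"        # assumed scratch directory
PASS="${PASS:-ExportPass123}"       # assumed export password; reuse it on the ASA import line

# Constructed stand-ins: a test "intermediate" CA and a 2048-bit wildcard leaf it signs.
make_test_material() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
    -subj "/CN=Test Intermediate CA" \
    -keyout "$WORK/geotrust-intermediate-ca.key" \
    -out "$WORK/geotrust-intermediate-ca.crt" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=*.example.com" \
    -keyout "$WORK/example_com.key" -out "$WORK/example_com.csr" 2>/dev/null
  openssl x509 -req -sha256 -days 30 -in "$WORK/example_com.csr" \
    -CA "$WORK/geotrust-intermediate-ca.crt" -CAkey "$WORK/geotrust-intermediate-ca.key" \
    -CAcreateserial -out "$WORK/example_com.crt" 2>/dev/null
}

# RSA key length in bits, derived from the hex modulus ("Modulus=" is 8 chars, 4 bits per hex digit).
key_bits() {
  openssl rsa -in "$1" -noout -modulus | awk '{ print (length($0) - 8) * 4 }'
}

# Signature algorithm of a certificate, e.g. sha256WithRSAEncryption.
sig_alg() {
  openssl x509 -in "$1" -noout -text | awk -F': ' '/Signature Algorithm/ { print $2; exit }'
}

# Succeeds only if private key ($1) and certificate ($2) share the same modulus.
key_matches_cert() {
  [ "$(openssl rsa -in "$1" -noout -modulus)" = "$(openssl x509 -in "$2" -noout -modulus)" ]
}

# Bundle leaf + key + intermediate. PBE/MAC algorithms are pinned to the SHA-1/3DES
# ones OpenSSL 1.x emitted by default, so the output does not depend on the OpenSSL version.
build_pkcs12() {
  openssl pkcs12 -export -in "$WORK/example_com.crt" -inkey "$WORK/example_com.key" \
    -certfile "$WORK/geotrust-intermediate-ca.crt" \
    -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1 \
    -passout "pass:$PASS" -out "$WORK/example_com.p12"
}

# Wrap the DER PKCS12 in exactly one BEGIN/END PKCS12 marker pair for the ASA CLI prompt.
wrap_for_asa() {
  {
    echo '-----BEGIN PKCS12-----'
    openssl base64 -in "$WORK/example_com.p12"
    echo '-----END PKCS12-----'
  } > "$WORK/example_com.pkcs12"
}

# Read the bundle back with the export password and print how many certificates it carries.
bundle_cert_count() {
  openssl pkcs12 -in "$WORK/example_com.p12" -passin "pass:$PASS" -nokeys 2>/dev/null \
    | grep -c 'BEGIN CERTIFICATE'
}

# Strip the markers, decode, and confirm the text file round-trips to the original DER bytes.
wrapped_roundtrips() {
  sed '/^-----/d' "$WORK/example_com.pkcs12" | openssl base64 -d | cmp -s - "$WORK/example_com.p12"
}

make_test_material
key_matches_cert "$WORK/example_com.key" "$WORK/example_com.crt" || { echo "key/cert mismatch"; exit 1; }
build_pkcs12
wrap_for_asa
echo "key bits:     $(key_bits "$WORK/example_com.key")"
echo "leaf sig alg: $(sig_alg "$WORK/example_com.crt")"
echo "certs in p12: $(bundle_cert_count)"
echo "paste into the ASA: $WORK/example_com.pkcs12"
```

To use it on real material, drop `make_test_material` and copy your own PEM files into `$WORK` under the same names; the key-match check is the first thing to run when the ASA reports "Import PKCS12 operation failed", and `bundle_cert_count` should equal the number of certificates you expect (leaf plus intermediate). If a current OpenSSL 3 build refuses the pinned algorithms, `openssl pkcs12 -export -legacy` is the documented way to get the old-style bundle.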

4. Import the bundle on the ASA by pasting the contents of example_com.pkcs12, giving the export password from step 2

    fw1# conf t
    fw1(config)# crypto ca import example_com-trustpoint pkcs12 {password}

    Enter the base 64 encoded pkcs12.
    End with the word "quit" on a line by itself:
    -----BEGIN PKCS12-----
    { snip }
    -----END PKCS12-----
    INFO: Import PKCS12 operation completed successfully
    fw1(config)# exit
    fw1# wr me
    fw1# show crypto ca certificates

5. Enable the trustpoint on the outside interface

    fw1# conf t
    fw1(config)# ssl trust-point example_com-trustpoint outside
    fw1(config)# exit
    fw1# wr me
    fw1# show ssl

6. Bounce WebVPN on the outside interface so it starts serving the new certificate

    fw1# conf t
    fw1(config)# webvpn
    fw1(config-webvpn)# no enable outside
    WARNING: Disabling webvpn removes proxy-bypass settings.
    Do not overwrite the configuration file if you want to keep existing proxy-bypass commands.
    INFO: WebVPN and DTLS are disabled on 'outside'.
    fw1(config-webvpn)# enable outside   
    INFO: WebVPN and DTLS are enabled on 'outside'.
    fw1(config)# exit
    fw1# wr me

Here are some of the helpful pages I found to get the solution above:

http://www.cisco.com/en/US/products/ps6120/prod_configuration_examples_list.html#anchor10
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808b3cff.shtml
https://supportforums.cisco.com/docs/DOC-13553
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808efbd2.shtml
http://www.cisco.com/en/US/docs/security/asa/asa80/release/notes/asarn80.html#wp242704
http://www.sslshopper.com/article-most-common-openssl-commands.html
http://support.citrix.com/article/CTX106630
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00809fcf91.shtml


Israel said...

Thanks for the helpful and detailed instructions. I have exactly the same situation, as far as I can tell: a wildcard certificate issued by GeoTrust that I am trying to import to my ASA. Unfortunately, after following all your steps, it dies at step 4, after pasting the base64-encoded pkcs12, saying simply "Import PKCS12 operation failed". I don't suppose anyone here would have any idea how to debug this? I've tried it on two of my ASAs so far, with no luck on either :(

tony t said...

1) Confirm that the .p12 file was created correctly with the command below. Ensure you enter the passphrase correctly:

openssl pkcs12 -info -in example_com.p12

2) Make sure you only have "-----BEGIN PKCS12-----" and "-----END PKCS12-----" once when you copy/paste the file. You don't need them twice when you copy/paste it to the ASA.

Israel said...

I finally got it to import, but so far only on a brand new, unconfigured ASA. So I guess that means the .p12 file is correct. -info spits back the various certificates as well. Note that I imported it to the new ASA using ASDM, but I get the same results on my existing ASAs whether I try using ASDM or the command line as per your directions. Since it DID work on the new ASA, however, I guess that means there is SOMETHING wrong with the config on my existing ones. I made sure they were all running the same firmware version, so it can't be that.

Of course, after getting it to import on the new ASA, I discovered it may all be a moot point anyway: apparently the ASAs do not support using 4096-bit keys for SSL :P Oh well.

Алексей Болотин said...

I had the same problem. My old ASA just told me "Import PKCS12 operation failed" and nothing more.
Then I discovered that support for SHA-256 (my GeoTrust certificate uses it) appeared only in 8.2(3.9) and I had 8.2(3). After the software upgrade I can import the certificate and everything works fine.
So, read the Cisco release notes more carefully =))
P.S. Thank you for your guide! =)
