1. convert all certs and keys to PEM format
    mkdir asa
    openssl x509 -in example_com.crt \
      -out asa/example_com.crt -outform pem
    openssl x509 -in geotrust-intermediate-ca.crt \
      -out asa/geotrust-intermediate-ca.crt -outform pem
    openssl rsa -in example_com.key \
      -out asa/example_com.key -outform pem
2. now bundle them into PKCS12 format
    cd asa
    openssl pkcs12 -export -in example_com.crt -inkey example_com.key \
      -certfile geotrust-intermediate-ca.crt -out example_com.p12
    # remember the password you type at the "Enter Export Password:" prompt;
    # the ASA needs it at import time
3. now base64 encode it for the ASA
    ( echo -----BEGIN PKCS12-----;
      openssl base64 -in example_com.p12;
      echo -----END PKCS12-----; ) > example_com.pkcs12
4. Import the cert on the ASA via copy/paste from example_com.pkcs12
    fw1# conf t
    fw1(config)# crypto ca import example_com-trustpoint pkcs12 {password}

    Enter the base 64 encoded pkcs12.
    End with the word "quit" on a line by itself:
    -----BEGIN PKCS12-----
    { snip }
    -----END PKCS12-----
    quit
    INFO: Import PKCS12 operation completed successfully
    fw1(config)# exit
    fw1# wr me
    fw1# show crypto ca certificates
5. Enable the trustpoint on the outside interface
    fw1# conf t
    fw1(config)# ssl trust-point example_com-trustpoint outside
    fw1(config)# exit
    fw1# wr me
    fw1# show ssl
6. Bounce the VPN
    fw1# conf t
    fw1(config)# webvpn
    fw1(config-webvpn)# no enable outside
    WARNING: Disabling webvpn removes proxy-bypass settings.
    Do not overwrite the configuration file if you want to keep existing proxy-bypass commands.
    INFO: WebVPN and DTLS are disabled on 'outside'.
    fw1(config-webvpn)# enable outside
    INFO: WebVPN and DTLS are enabled on 'outside'.
    fw1(config)# exit
    fw1# wr me
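The following is an added example and not part of the original post (nor Cisco's or OpenSSL's own code): it wraps steps 1 to 3 in a shell function and adds a preflight check for the things that turn out to matter in the comments below (the export password, a BEGIN/END pair pasted twice, and the certificate's signature hash and key size). It assumes `openssl` is on the PATH and the key is RSA; the function names, the throwaway test PKI, and the `export-pass` password are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original post: steps 1-3 as a function plus a
# preflight check for the failure modes discussed in the comments. File names
# follow the post; the test PKI and the export password are constructed.

# build_asa_pkcs12 CERT KEY INTERMEDIATE PREFIX PASSWORD
#   Writes asa/PREFIX.p12 (PKCS12) and asa/PREFIX.pkcs12 (base64 wrapped with
#   the single BEGIN/END marker pair the ASA expects on paste).
build_asa_pkcs12() {
  cert=$1; key=$2; inter=$3; prefix=$4; pass=$5
  mkdir -p asa
  # Step 1: normalise certificate, intermediate and (RSA) key to PEM.
  openssl x509 -in "$cert"  -out "asa/$prefix.crt" -outform pem
  openssl x509 -in "$inter" -out asa/intermediate.crt -outform pem
  openssl rsa  -in "$key"   -out "asa/$prefix.key" -outform pem 2>/dev/null
  # Step 2: bundle into PKCS12; the export password is the one given later to
  # "crypto ca import <trustpoint> pkcs12 <password>" on the ASA.
  openssl pkcs12 -export -in "asa/$prefix.crt" -inkey "asa/$prefix.key" \
    -certfile asa/intermediate.crt -out "asa/$prefix.p12" -passout "pass:$pass"
  # Step 3: base64 wrap with exactly one BEGIN and one END marker.
  {
    echo "-----BEGIN PKCS12-----"
    openssl base64 -in "asa/$prefix.p12"
    echo "-----END PKCS12-----"
  } > "asa/$prefix.pkcs12"
}

# cert_summary PREFIX -> "<signature algorithm> <key bits>", for example
# "sha256WithRSAEncryption 2048". The comments report sha-256 signatures
# needing ASA 8.2(3.9) or later and 4096-bit keys failing for SSL, so both
# values are surfaced before anyone pastes into the firewall.
cert_summary() {
  text=$(openssl x509 -in "asa/$1.crt" -noout -text 2>/dev/null || true)
  sigalg=$(printf '%s\n' "$text" | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1)
  bits=$(printf '%s\n' "$text" | \
    sed -n 's/^ *\(RSA \)\{0,1\}Public-Key: (\([0-9]*\) bit).*/\2/p' | head -n 1)
  echo "$sigalg $bits"
}

# check_asa_pkcs12 PREFIX PASSWORD -> returns 0 if the blob should import,
# 1 with one FAIL line per problem found.
check_asa_pkcs12() {
  prefix=$1; pass=$2; rc=0
  # (a) the export password opens the bundle: the "-info" check from the comments
  if ! openssl pkcs12 -info -in "asa/$prefix.p12" -passin "pass:$pass" \
       -noout -nokeys >/dev/null 2>&1; then
    echo "FAIL: asa/$prefix.p12 does not open with that password"; rc=1
  fi
  # (b) exactly one BEGIN and one END marker in the file that gets pasted
  begins=$(grep -c '^-----BEGIN PKCS12-----$' "asa/$prefix.pkcs12" || true)
  ends=$(grep -c '^-----END PKCS12-----$' "asa/$prefix.pkcs12" || true)
  if [ "$begins" -ne 1 ] || [ "$ends" -ne 1 ]; then
    echo "FAIL: expected one BEGIN/END pair, found $begins BEGIN / $ends END"; rc=1
  fi
  # (c) the base64 body must decode back to exactly the bytes of the .p12
  if ! sed '1d;$d' "asa/$prefix.pkcs12" | openssl base64 -d | cmp -s - "asa/$prefix.p12"; then
    echo "FAIL: base64 body of asa/$prefix.pkcs12 does not match asa/$prefix.p12"; rc=1
  fi
  echo "INFO: certificate is $(cert_summary "$prefix")"
  return $rc
}

# Constructed test PKI: a self-signed "intermediate" signing a wildcard leaf,
# standing in for the GeoTrust-issued files the post works with.
make_test_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 -subj '/CN=Test Intermediate CA' \
    -keyout inter.key -out geotrust-intermediate-ca.crt 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj '/CN=*.example.com' \
    -keyout example_com.key -out example_com.csr 2>/dev/null
  openssl x509 -req -in example_com.csr -CA geotrust-intermediate-ca.crt -CAkey inter.key \
    -CAcreateserial -sha256 -days 1 -out example_com.crt 2>/dev/null
}

WORK=$(mktemp -d) && cd "$WORK"
make_test_pki
build_asa_pkcs12 example_com.crt example_com.key geotrust-intermediate-ca.crt \
  example_com 'export-pass' 2>/dev/null
check_asa_pkcs12 example_com 'export-pass' && \
  echo "OK: asa/example_com.pkcs12 is ready to paste into the ASA"
```

Check (a) is the same `openssl pkcs12 -info` test suggested in the comments, just with the password supplied on the command line; (b) catches the doubled marker pair from a sloppy copy/paste; (c) guards against a truncated or hand-edited paste file. One caveat for anyone reproducing this today: OpenSSL 3 encrypts PKCS12 contents with AES and a SHA-256 MAC by default, which old ASA firmware may reject even when all three checks pass; its `-legacy` option on `openssl pkcs12 -export` produces the older 3DES/RC2 encoding instead.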
Here are some of the helpful pages I found to get the solution above:
http://www.cisco.com/en/US/products/ps6120/prod_configuration_examples_list.html#anchor10
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808b3cff.shtml
https://supportforums.cisco.com/docs/DOC-13553
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808efbd2.shtml
http://www.cisco.com/en/US/docs/security/asa/asa80/release/notes/asarn80.html#wp242704
http://www.sslshopper.com/article-most-common-openssl-commands.html
http://support.citrix.com/article/CTX106630
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00809fcf91.shtml
4 comments:
Thanks for the helpful and detailed instructions. I have exactly the same situation, as far as I can tell: a wildcard certificate issued by GeoTrust that I am trying to import to my ASA. Unfortunately, after following all your steps, it dies at step 4, after pasting the base64 encoded pkcs12, saying simply "Import PKCS12 operation failed". I don't suppose anyone here would have any idea how to debug this? I've tried it on two of my ASAs so far, with no luck on either :(
1) confirm that the .p12 file was created correctly with the command below. Ensure you enter the passphrase correctly:
openssl pkcs12 -info -in example_com.p12
2) make sure you only have "-----BEGIN PKCS12-----" and "-----END PKCS12-----" once when you copy/paste the file. You don't need it twice when you copy/paste it to the ASA.
I finally got it to import, but so far only on a brand new, unconfigured ASA. So I guess that means the .p12 file is correct. -info spits back the various certificates as well. Note that I imported it to the new ASA using ASDM, but I get the same results on my existing ASAs whether I try using ASDM or the command line as per your directions. Since it DID work on the new ASA, however, I guess that means there is SOMETHING wrong with the config on my existing ones. I made sure they were all running the same firmware version, so it can't be that.
Of course, after getting it to import on the new ASA, I discovered it may all be a moot point anyway: apparently the ASAs do not support using 4096 bit keys for SSL :P Oh well.
I had the same problem. My old ASA just told me "Import PKCS12 operation failed" and nothing more.
Then I discovered that support for sha-256 (my GeoTrust certificate uses it) appeared only in 8.2(3.9), and I had 8.2(3). After the software upgrade I could import the certificate and everything worked fine.
So, be more careful with the Cisco release notes =))
P.S. Thank you for your guide! =)