That's what I was worried about. If I'm not mistaken (and I easily could be!), wildcard certificate is supposed to include the private/public key pair (password protected) if you want to import it on 2nd, 3rd, etc device. Only the first device that CSR was generated on has the original public/private key pair.
I've setup a few SSL VPN boxes with wildcard certificates (required for ASA vpn load balancing), and I usually generated the key pair right on the box (IOS/ASA), then create the CSR on the box (IOS/ASA), submit it to the cert vendor, and get the CRT file from them. I think that CRT file doesn't include the key pair, because my CSR doesn't include the key pair either. I simply import the certificate and everything is working because private/public key pair is already on the box.
I suspect that since you already have this wildcard certificate, you (or someone else) must have generated the public/private key pair and the CSR on some other device already. I don't believe that you can request wildcard certificate without having a CSR, and you can't have a CSR without a public/private key pair. If that is the case, you actually need to go to that device (could be a windows server for example), or in fact any device that this wildcard certificate is already installed on, and you have to export it in PKCS12 format (.p12 extension) which will include the certificate and the private/public key pair. You can then import it to your IOS device (see #3 below).
I suspect that someone simply gave you the .CER file they received from CA. Instead, they should have exported the installed certificate from their device in PKCS12 format (.p12).
If I'm wrong, and your IOS device is the first device generating this certificate, then follow the instructions below.
By the way, I believe that you can have multiple different wildcard certificates generated based on different public/private key pairs. The question is why spend all that $
Here is what I think needs to be done if you want to generate new (and pay for it) wildcard certificate.
1. You have to generate the public/private key pair on some device first. Your IOS router could be the first device that needs the wildcard cert to generate this key pair.
hostname(config)# crypto key generate rsa label SSLVPN modulus 1024
2. Recreate trustpoint. Authenticate using ROOT CA. Genereate CSR on your IOS router (now you have to specify keypair under trustpoint).
no crypto pki trustpoint sslvpncert
crypto pki trustpoint sslvpncert
enrollment terminal
fqdn none
subject-name CN=*.company.com,OU=Department,O=Company,C=RU,St=State,L=City
revocation-check crl
rsakeypair SSLVPN
!
crypto pki authenticate sslvpncert
!
crypto pki enroll sslvpncert
3. Next you'll have to resubmit CSR to your cert vendor or to your CA. If it's your internal CA, I assume you don't have to pay. You will need to get a new certificate using the new public/private key pair. Once you get the CRT file, import it, it should work this time:
crypto pki import sslvpncert certificate
4. You're done. Now, if you want some other device on your network to use this wildcard certificate, you can export your IOS certificate to flash: using PKCS12 format:
crypto pki export sslvpncert pkcs12 flash:
It will ask you to password protect it. This certificate will include the private/public key pair that was originally generated on your IOS device. You can then use this .p12 file and import it on another device.
Please let me know if you figure this out.
Regards,
Roman
