Cisco VPN 3000 certificate: is it compatible with the ASA 5500?

Jan 8th, 2010

Hi all,


We would like to export the SSL cert from the VPN 3000 and import it to the ASA5540. However, we are receiving the error "import pkcs12 operation failed". Is it possible to overcome this issue? Or are the formats of the VPN3000 and ASA incompatible? I thought the SSL certificate was in a standard format?


Thanks in advance.

Joe B Danford (Cisco Employee) Fri, 01/08/2010 - 05:37

You will have to convert the file first. This can be done with openssl. Here are the instructions.



Export the certificate from the VPN3K. Retain the password that is used. You should have something that looks like this in the export file.


-----BEGIN ENCRYPTED PRIVATE KEY-----
MIICjDCCAfUCBD9KXjIwD....


-----END ENCRYPTED PRIVATE KEY-----


-----BEGIN CERTIFICATE-----
MIICjDCCAfUCBD9KXjIwD....
-----END CERTIFICATE-----




Copy these to two separate files, one named cert.txt and one named key.txt and then follow the instructions below.


=========================================================================
Copy your key and cert into two separate files (key.txt and cert.txt).  Make sure these files are accessible from OpenSSL. From there, do the following two commands:


1. Combine the key and cert into a pkcs12 (this uses "cisco" as a password for both).  -passin must be the password used when exporting the VPN3k cert.


openssl pkcs12 -in cert.txt -inkey key.txt -nodes -passin pass:cisco -passout pass:cisco -export -out sslout.p12



2. Convert the output file to base64.


openssl base64 -in sslout.p12 -out ssl64.p12



3. Now import the ssl64.p12 file by pasting into ASA after using the command:


crypto ca import <trustpoint-name> pkcs12 <passphrase>


Make sure you also have the CA cert imported.

dumlutimuralp Fri, 01/08/2010 - 06:20

Hi again,


The thing is, when we export the cert from the VPN3000, we have one private key and three certificate keys below. I guess the cert we have has got the full chain.


It is like


-- Begin Private key---

---End Private key---


-- Begin certificate key---

---End certificate key---


-- Begin certificate key---

---End certificate key---


-- Begin certificate key---

---End certificate key---


So I guess the one right below the private key is our VPN3000's certificate?? Have you got any idea?

Joe B Danford (Cisco Employee) Fri, 01/08/2010 - 07:41

Honestly, I'm not sure. My guess is the last one.

Joe B Danford (Cisco Employee) Fri, 01/08/2010 - 07:42

You should be able to tell once you convert it by opening it up. You can always import into the ASA and check it though.
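The conversion steps from the first reply (split the export into key and cert, build a PKCS#12, base64 it for pasting) and the open question of which of the three certificates belongs to the private key can both be settled with a short script. The one below is an added example, not code from this thread or from Cisco. It generates its own throw-away root, intermediate and device certificates with openssl so it runs offline (nothing in it is a real certificate), uses `cisco` as both the VPN 3000 export password and the PKCS#12 passphrase (assumed, following the first reply), and picks the device certificate by comparing the public key in each certificate against the public key derived from the private key instead of guessing from its position in the export. The file names `key.txt`, `cert1.txt`, `cert2.txt`, ... and the temporary directory are this example's own conventions.

```shell
#!/bin/sh
# Added example (not from the thread): split a VPN 3000 style export, find the
# certificate that belongs to the private key, and build the base64 PKCS#12 that
# 'crypto ca import <trustpoint> pkcs12 <passphrase>' expects on the ASA.
set -eu

EXPORT_PASS=cisco   # assumption: password given when exporting from the VPN 3000
P12_PASS=cisco      # assumption: passphrase you will type on the ASA import

# Split one PEM export into key.txt plus cert1.txt, cert2.txt, ... inside $2.
split_pem_export() {
  awk -v dir="$2" '
    /^-----BEGIN .*PRIVATE KEY-----/ { out = dir "/key.txt" }
    /^-----BEGIN CERTIFICATE-----/   { n++; out = dir "/cert" n ".txt" }
    out != "" { print > out }
    /^-----END / { close(out); out = "" }
  ' "$1"
}

# SHA-256 of the DER SubjectPublicKeyInfo derived from a (possibly encrypted) key ...
spki_sha256_of_key() {
  openssl pkey -in "$1" -passin "pass:$2" -pubout -outform DER 2>/dev/null \
    | openssl dgst -sha256 -r | cut -d' ' -f1
}
# ... and the same digest taken from a certificate's public key.
spki_sha256_of_cert() {
  openssl x509 -in "$1" -pubkey -noout \
    | openssl pkey -pubin -pubout -outform DER 2>/dev/null \
    | openssl dgst -sha256 -r | cut -d' ' -f1
}

# Print the certificate file whose public key matches the private key.
# Position in the export (first, last) is not a reliable indicator; this check is.
find_device_cert() {
  key=$1; pass=$2; shift 2
  want=$(spki_sha256_of_key "$key" "$pass")
  for c in "$@"; do
    if [ "$(spki_sha256_of_cert "$c")" = "$want" ]; then echo "$c"; return 0; fi
  done
  echo "no certificate matches the private key" >&2; return 1
}

# Bundle key + device cert + the remaining chain into PKCS#12, then base64 for pasting.
# The key stays encrypted inside the .p12 under P12_PASS.
build_asa_pkcs12() {
  key=$1; leaf=$2; out=$3; shift 3
  chain="$out.chain.pem"; : > "$chain"
  for c in "$@"; do [ "$c" = "$leaf" ] || cat "$c" >> "$chain"; done
  openssl pkcs12 -export -in "$leaf" -inkey "$key" -passin "pass:$EXPORT_PASS" \
    -certfile "$chain" -passout "pass:$P12_PASS" -out "$out.p12"
  openssl base64 -in "$out.p12" -out "$out.b64"
}

# Number of certificates inside a PKCS#12 (device cert + chain).
count_p12_certs() {
  openssl pkcs12 -in "$1" -nokeys -passin "pass:$P12_PASS" | grep -c 'BEGIN CERTIFICATE'
}

# Constructed input: root -> intermediate -> device, device key PKCS#8-encrypted
# like a VPN 3000 export, certificates deliberately not in leaf-first order.
make_demo_export() {
  d=$1
  printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext"
  openssl genrsa -out "$d/root.key" 2048 2>/dev/null
  openssl req -x509 -new -key "$d/root.key" -subj /CN=Demo-Root -days 1 -out "$d/root.crt"
  openssl genrsa -out "$d/int.key" 2048 2>/dev/null
  openssl req -new -key "$d/int.key" -subj /CN=Demo-Intermediate -out "$d/int.csr"
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
    -CAcreateserial -days 1 -extfile "$d/ca.ext" -out "$d/int.crt" 2>/dev/null
  openssl genrsa -out "$d/dev.key" 2048 2>/dev/null
  openssl req -new -key "$d/dev.key" -subj /CN=vpn.example.test -out "$d/dev.csr"
  openssl x509 -req -in "$d/dev.csr" -CA "$d/int.crt" -CAkey "$d/int.key" \
    -CAcreateserial -days 1 -out "$d/dev.crt" 2>/dev/null
  openssl pkcs8 -topk8 -in "$d/dev.key" -passout "pass:$EXPORT_PASS" -out "$d/dev.p8"
  cat "$d/dev.p8" "$d/root.crt" "$d/dev.crt" "$d/int.crt" > "$d/vpn3000-export.txt"
}

DEMO_DIR=$(mktemp -d)
make_demo_export "$DEMO_DIR"
mkdir "$DEMO_DIR/split"
split_pem_export "$DEMO_DIR/vpn3000-export.txt" "$DEMO_DIR/split"
DEMO_LEAF=$(find_device_cert "$DEMO_DIR/split/key.txt" "$EXPORT_PASS" "$DEMO_DIR"/split/cert*.txt)
build_asa_pkcs12 "$DEMO_DIR/split/key.txt" "$DEMO_LEAF" "$DEMO_DIR/ssl" "$DEMO_DIR"/split/cert*.txt
echo "device cert: $DEMO_LEAF ($(openssl x509 -in "$DEMO_LEAF" -noout -subject))"
echo "paste $DEMO_DIR/ssl.b64 into the ASA after: crypto ca import <trustpoint> pkcs12 $P12_PASS"
```

On a real export, replace `make_demo_export` with the file saved from the VPN 3000 and keep the rest. The ASA prompts for the base64 text after `crypto ca import <trustpoint> pkcs12 <passphrase>` and finishes on a line containing only `quit`; because the other certificates are bundled with `-certfile`, the CA chain comes in with the same import. If an ASA running older software rejects a PKCS#12 produced by OpenSSL 3 (whose defaults are AES-256, PBKDF2 and a SHA-256 MAC), re-run the export with `-keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1`, which are the algorithms older PKCS#12 consumers expect.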

dumlutimuralp Fri, 01/08/2010 - 07:46

Hi Joe,


Thanks a lot, appreciate it. I've gone with the first one and I got it on the first try.


Cheers
