Cisco VPN 3000 Certificate , is it compatible with ASA5500

dumlutimuralp
Level 1

Hi all,

We would like to export the SSL cert from the VPN 3000 and import it to an ASA5540. However, we are receiving the error "import pkcs12 operation failed". Is it possible to overcome this issue? Or are the formats of the VPN3000 and ASA incompatible? I thought the SSL certificate is in a standard format?

Thanks in advance.

7 Replies

Joe B Danford
Cisco Employee

You will have to convert the file first. This can be done with openssl. Here are the instructions.

Export the certificate from the VPN3K. Retain the password that is used. You should have something that looks like this in the export file.

-----BEGIN ENCRYPTED PRIVATE KEY-----
MIICjDCCAfUCBD9KXjIwD....
-----END ENCRYPTED PRIVATE KEY-----

-----BEGIN CERTIFICATE-----
MIICjDCCAfUCBD9KXjIwD....
-----END CERTIFICATE-----

Copy these to two separate files, one named cert.txt and one named key.txt and then follow the instructions below.

=========================================================================
Copy your key and cert into two separate files (key.txt and cert.txt).  Make sure these files are accessible from OpenSSL. From there, do the following two commands:

1. Combine the key and cert into a pkcs12 (this uses "cisco" as a password for both).  -passin must be the password used when exporting the VPN3k cert.

openssl pkcs12 -in cert.txt -inkey key.txt -nodes -passin pass:cisco -passout pass:cisco -export -out sslout.p12

2. Convert the output file to base64.

openssl base64 -in sslout.p12 -out ssl64.p12

3. Now import the ssl64.p12 file by pasting into ASA after using the command:

crypto ca import <trustpoint-name> pkcs12 <passphrase>

Make sure you also have the CA cert imported.

Thank you so much. I'm gonna give it a try.

Cheers.

Hi again,

The thing is when we export the cert from VPN3000, we have one private key and three certificate keys below. I guess the cert we have got the full chain.

It is like

-- Begin Private key---

---End Private key---

-- Begin certificate key---

---End certificate key---

-- Begin certificate key---

---End certificate key---

-- Begin certificate key---

---End certificate key---

So I guess the one right below the private key is our VPN3000's certificate? You got any idea?

Honestly I'm not sure. My guess is the last one.

You should be able to tell once you convert it by opening it up. You can always import into the ASA and check it though.
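
For the question above of which exported certificate belongs to the private key, one way to check before importing (an added example, not part of the original thread): the device certificate is the one whose public key equals the public half of the private key. The file names, subjects and sample chain are constructed; the passphrase `cisco` follows the commands earlier in the thread.

```shell
#!/usr/bin/env bash
# Added example: find which certificate in an exported bundle pairs with the
# private key. File names, subjects and the sample chain are constructed.

# Echo the 1-based position of the certificate in bundle $1 whose public key
# matches private key $2 (passphrase $3). Returns 2 if the key cannot be
# decrypted, 1 if no certificate matches.
find_device_cert() {
  local bundle=$1 key=$2 pass=$3 tmp kpub cpub f i=0 found=1
  kpub=$(openssl pkey -in "$key" -passin "pass:$pass" -pubout 2>/dev/null) || return 2
  tmp=$(mktemp -d) || return 2
  # Split the bundle into one file per certificate, preserving file order.
  awk -v d="$tmp" '
    /-----BEGIN CERTIFICATE-----/ { f = sprintf("%s/%03d.pem", d, ++n) }
    f { print > f }
    /-----END CERTIFICATE-----/ { close(f); f = "" }' "$bundle"
  for f in "$tmp"/*.pem; do
    [ -e "$f" ] || break
    i=$((i + 1))
    cpub=$(openssl x509 -in "$f" -noout -pubkey 2>/dev/null) || continue
    if [ "$cpub" = "$kpub" ]; then echo "$i"; found=0; break; fi
  done
  rm -rf "$tmp"
  return "$found"
}

# Build a constructed export in directory $1: root -> intermediate -> device,
# with the device key encrypted under "cisco" as in the thread's commands.
make_sample() {
  local d=$1
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$d/root.key" \
    -out "$d/root.pem" -subj "/CN=Constructed Root" -days 1 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -keyout "$d/int.key" \
    -out "$d/int.csr" -subj "/CN=Constructed Intermediate" 2>/dev/null
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -CAcreateserial -out "$d/int.pem" -days 1 2>/dev/null
  openssl req -newkey rsa:2048 -passout pass:cisco -keyout "$d/key.txt" \
    -out "$d/dev.csr" -subj "/CN=vpn.example.test" 2>/dev/null
  openssl x509 -req -in "$d/dev.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
    -CAcreateserial -out "$d/dev.pem" -days 1 2>/dev/null
  cat "$d/root.pem" "$d/int.pem" "$d/dev.pem" > "$d/bundle.pem"
}

d=$(mktemp -d) && make_sample "$d"
echo "device certificate is entry $(find_device_cert "$d/bundle.pem" "$d/key.txt" cisco)"
```

The matching entry is the one to save as cert.txt; the remaining certificates are the CA chain.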

dumlutimuralp
Level 1

Hi Joe,

Thanks a lot. Appreciate it. I've gone with the first one and I got it on the first try.

Cheers

Awesome!
