Has anyone ever tried to export an identity certificate from an ASA unit for import into IIS? Running 8.2(1) and ASDM 6.3(1).
Via the ASDM, I've tried to export the cert in either PKCS12 or PEM format but I can get neither working. When trying to import the PKCS12 exported file directly into the Windows certificate store, I run into errors about the passphrase being incorrect. I've also tried to export into PEM format, but when I use OpenSSL to try and convert it to PKCS12, the OpenSSL client gives me an error message stating that it's "unable to load the private key".
Thanks for any guidance/help.
Thanks, that makes sense. I think you're running into a couple of issues:
1. When you export the cert as PKCS12, it is encoded in base64 and includes the private key. However, the Windows cert store doesn't support this format, so you'd need to use OpenSSL to strip this information out. This is from the Windows help file on Certificates:
The Base64 format supports storage of a single certificate. This format does not support storage of the private key or certification path.
2. When you tried to export the PEM cert from ASDM, the certificate was probably still exported as base64 PKCS12. This is due to the ASDM bug CSCtf25281 (fixed in a future ASDM 6.4 release).
In my tests, the PKCS12 import fails from both the CLI and ASDM since the exported cert includes the private key. PEM import when the cert is exported via the CLI works just fine, but when I export the cert via ASDM it is still exported as PKCS12 due to the above bug.
Try exporting the cert with the 'crypto ca export identity-certificate' command from the CLI and that should work just fine. Otherwise, you'll need to open the cert with OpenSSL first:
Convert from base64 to binary:
openssl base64 -in pkcs12-1.txt -d -out pkcs12-1.bin
View the exported cert:
openssl pkcs12 -in pkcs12-1.bin
Hope that helps.
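As an added example (not part of the original thread, and not Cisco's or the poster's own code), the following POSIX shell script carries out the conversion the answer above describes: it detects whether the ASDM export is base64 text or already binary, decodes it with `openssl base64 -d` into the binary PKCS12 (.pfx) that the Windows certificate store and IIS accept, confirms with OpenSSL that the passphrase actually opens the bundle before handing it to Windows, and then splits out a certificate-only PEM and a key PEM. It assumes the `openssl` CLI is on PATH, that the export passphrase is supplied in a `PKCS12_PASS` environment variable (my naming), and the `demo` function builds its own throwaway self-signed certificate to stand in for the ASA identity certificate; the file names are whatever you pass in.

```shell
#!/bin/sh
# Added example, not from the original thread. Turns an ASA-style base64
# PKCS12 export into the binary .pfx that the Windows certificate store and
# IIS expect, checks the passphrase with OpenSSL first, and splits the bundle
# into a certificate-only PEM and a key PEM.
# Assumptions: the openssl CLI is on PATH; the export passphrase is in the
# PKCS12_PASS environment variable (assumed name); file names are arguments.
set -eu

# Returns 0 when the file is base64 text (how ASDM writes the export) and 1
# when it is already binary DER: an ASN.1 SEQUENCE starts with byte 0x30,
# which is not a base64 character, so the first byte tells the two apart.
is_base64_export() {
    first=$(head -c 1 "$1" | od -An -tx1 | tr -d ' \n')
    [ "$first" != "30" ]
}

# Produce a binary PKCS12 (.pfx) from the ASA export, decoding if needed,
# then prove OpenSSL can open it with the passphrase. Windows reports any
# parse failure as "password incorrect", so catch the real cause here.
asa_export_to_pfx() {
    in="$1"; out="$2"
    if is_base64_export "$in"; then
        openssl base64 -d -in "$in" -out "$out"
    else
        cp "$in" "$out"
    fi
    openssl pkcs12 -in "$out" -passin "pass:$PKCS12_PASS" -noout
}

# Split the .pfx into a certificate-only PEM (no private key, so a plain
# base64 "Certificates" import accepts it) and an unencrypted key PEM.
split_pfx() {
    pfx="$1"; certout="$2"; keyout="$3"
    openssl pkcs12 -in "$pfx" -passin "pass:$PKCS12_PASS" -clcerts -nokeys -out "$certout"
    openssl pkcs12 -in "$pfx" -passin "pass:$PKCS12_PASS" -nocerts -nodes -out "$keyout"
    chmod 600 "$keyout"
}

# Subject line of the certificate in a PEM file, for a quick eyeball check.
cert_subject() {
    openssl x509 -in "$1" -noout -subject
}

# Constructed demo: a throwaway self-signed cert stands in for the ASA
# identity certificate. Prints the subject of the recovered certificate.
demo() {
    work=$(mktemp -d)
    PKCS12_PASS=constructed-demo-pass; export PKCS12_PASS
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -subj "/CN=asa.example.test" \
        -keyout "$work/key.pem" -out "$work/cert.pem" 2>/dev/null
    openssl pkcs12 -export -in "$work/cert.pem" -inkey "$work/key.pem" \
        -passout "pass:$PKCS12_PASS" -out "$work/orig.pfx"
    # The ASA hands you this base64 text, not the binary .pfx.
    openssl base64 -in "$work/orig.pfx" -out "$work/asa-export.txt"

    asa_export_to_pfx "$work/asa-export.txt" "$work/converted.pfx"
    # Decoding must give back exactly the bytes the ASA bundled.
    cmp -s "$work/orig.pfx" "$work/converted.pfx" || { rm -rf "$work"; return 1; }
    split_pfx "$work/converted.pfx" "$work/cert-only.pem" "$work/key-only.pem"
    cert_subject "$work/cert-only.pem"
    rm -rf "$work"
}

# To run the demo directly: demo
```

On a real export, set `PKCS12_PASS` to the passphrase you typed in ASDM and run `asa_export_to_pfx asa-export.txt asa.pfx`; the resulting `asa.pfx` is what IIS imports. If the `openssl pkcs12 -noout` step fails, the passphrase really is wrong; if `openssl base64 -d` fails, the file is not a clean base64 blob (stray headers or line wrapping), which is the condition Windows otherwise hides behind its generic error.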