
Importing certificates on a PIX

I am doing some lab work with PIX version 7.22 and wildcard certificates. I have installed a certificate on a Microsoft IIS server and then exported this as a .pfx file. I have then converted this file to a PKCS12 formatted .pem file using openssl.

If I import this file onto an ACS server everything is fine and the certificate is installed, however if I try to import the PKCS12 file to a PIX running version 7.22 using the command CRYPTO CA IMPORT TEST.COM PKCS12 PASSWORD and then paste the PKCS12 text into the console I get the following message - ERROR: Unable to convert the base 64 encoded pkcs12.

If I edit the PKCS12 file and only keep the entries between the dashed lines I get this message - ERROR: Import PKCS12 operation failed.

If I copy the .pfx file that I exported from the IIS server onto the flash card of a 2600 router and enter the command CRYPTO CA IMPORT *.TEST.COM PKCS12 FLASH:PKCS12.pfx PASSWORD the import works. If I try to cut and paste the PKCS12 text using the command CRYPTO CA IMPORT *.TEST.COM PKCS12 TERMINAL PASSWORD it fails.

Unfortunately the PIX doesn't appear to have the ability to import from a .pfx file.

I have even tried the ASDM on the PIX but it still doesn't work.

Can anyone help me to import this certificate?

I have searched the net to see if I need to format the file in some way or change the conversion but I can't find anything.

I know the PKCS12 file is OK because the ACS server imports it without a problem, and I know the .pfx is OK because the router imports it without a problem.

Any help would be very much appreciated.

1 REPLY

Re: Importing certificates on a PIX

It might be because the key from the PIX doesn't match the one in the certificate.

Try to re-enroll the certificate with your CA.

Refer to this link:

http://www.cisco.com/univercd/cc/td/doc/product/multisec/asa_sw/v_7_1/conf_gd/certs.htm#wp1058415

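Added example, not part of the original thread: the error text quoted in the question shows that the PIX expects a base64-encoded PKCS12 at the terminal, so this Python code classifies a text blob before it is pasted, as PEM-armored text, base64 that decodes to a PKCS#12 (PFX) structure, or base64 of some other ASN.1 object. The function names and the sample byte strings are constructed for illustration; the samples are minimal ASN.1 stubs, not real certificates or key stores.

```python
import base64
import binascii
import re

PEM_ARMOR = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----")

def inner_of_sequence(data: bytes) -> bytes:
    """Return the bytes that follow the outer SEQUENCE header (DER or BER)."""
    if len(data) < 2 or data[0] != 0x30:
        raise ValueError("not an ASN.1 SEQUENCE")
    first_len = data[1]
    # Short form (< 0x80) and indefinite form (0x80) use a single length byte;
    # long form uses 1 + (first_len & 0x7F) length bytes.
    header = 2 if first_len <= 0x80 else 2 + (first_len & 0x7F)
    return data[header:]

def classify_blob(text: str) -> str:
    """Say what a pasted text blob contains, without needing any password."""
    labels = PEM_ARMOR.findall(text)
    if labels:
        # Dashed BEGIN/END lines are PEM armor, not part of the base64 payload.
        return "pem-armored: " + ", ".join(labels)
    compact = "".join(text.split())
    try:
        raw = base64.b64decode(compact, validate=True)
    except (binascii.Error, ValueError):
        return "not-base64"
    try:
        inner = inner_of_sequence(raw)
    except ValueError:
        return "base64-but-not-asn1"
    # PFX ::= SEQUENCE { version INTEGER (3), authSafe ContentInfo, ... }
    if inner[:3] == b"\x02\x01\x03":
        return "base64-pkcs12"
    # A certificate or key also decodes cleanly, but it is not a PKCS#12 store.
    return "base64-asn1-not-pkcs12"

# Constructed samples (ASN.1 stubs only, not usable credentials).
SAMPLE_PKCS12_B64 = base64.b64encode(
    bytes.fromhex("300c020103300706052a03040506")).decode()
SAMPLE_CERT_B64 = base64.b64encode(bytes.fromhex("30053003020102")).decode()
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n" + SAMPLE_CERT_B64 +
              "\n-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    for name, blob in [("pkcs12", SAMPLE_PKCS12_B64), ("pem", SAMPLE_PEM),
                       ("pem body only", SAMPLE_CERT_B64)]:
        print(f"{name}: {classify_blob(blob)}")
```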