subject-name cn=*.company.com,etc (<== whatever the subject name that was used for creating your wildcard cert)
crypto pki authenticate sslvpncert
If your Comodo's CER file is in DER format (not BASE64), you can simply export COMODO's root certificate from Internet Explorer using BASE64 format
crypto pki import sslvpncert certificate
If I'm not mistaken, you need the PKCS12 certificate that includes the private/public key pair in it (since you are using a wildcard certificate). Normally, you'd create private/public key pair in IOS, generate CSR and then submit it to cert vendor, but in your case your certificate should include the key pair. I don't remember if that can be included with a BASE64 CRT file, or if you need PKCS12 file (.p12 extension). You are probably ok with your CRT file.
That's what I was worried about. If I'm not mistaken (and I easily could be!), wildcard certificate is supposed to include the private/public key pair (password protected) if you want to import it on 2nd, 3rd, etc device. Only the first device that CSR was generated on has the original public/private key pair.
I've setup a few SSL VPN boxes with wildcard certificates (required for ASA vpn load balancing), and I usually generated the key pair right on the box (IOS/ASA), then create the CSR on the box (IOS/ASA), submit it to the cert vendor, and get the CRT file from them. I think that CRT file doesn't include the key pair, because my CSR doesn't include the key pair either. I simply import the certificate and everything is working because private/public key pair is already on the box.
I suspect that since you already have this wildcard certificate, you (or someone else) must have generated the public/private key pair and the CSR on some other device already. I don't believe that you can request wildcard certificate without having a CSR, and you can't have a CSR without a public/private key pair. If that is the case, you actually need to go to that device (could be a windows server for example), or in fact any device that this wildcard certificate is already installed on, and you have to export it in PKCS12 format (.p12 extension) which will include the certificate and the private/public key pair. You can then import it to your IOS device (see #3 below).
I suspect that someone simply gave you the .CER file they received from CA. Instead, they should have exported the installed certificate from their device in PKCS12 format (.p12).
If I'm wrong, and your IOS device is the first device generating this certificate, then follow the instructions below.
By the way, I believe that you can have multiple different wildcard certificates generated based on different public/private key pairs. The question is why spend all that $
Here is what I think needs to be done if you want to generate new (and pay for it) wildcard certificate.
1. You have to generate the public/private key pair on some device first. Your IOS router could be the first device that needs the wildcard cert to generate this key pair.
3. Next you'll have to resubmit CSR to your cert vendor or to your CA. If it's your internal CA, I assume you don't have to pay. You will need to get a new certificate using the new public/private key pair. Once you get the CRT file, import it, it should work this time:
crypto pki import sslvpncert certificate
4. You're done. Now, if you want some other device on your network to use this wildcard certificate, you can export your IOS certificate to flash: using PKCS12 format:
crypto pki export sslvpncert pkcs12 flash:
It will ask you to password protect it. This certificate will include the private/public key pair that was originally generated on your IOS device. You can then use this .p12 file and import it on another device.
Table of ContentsIntroductionVersion HistoryPossible Future
UpdatesDocuments PurposeNAT Operation in ASA 8.3+ SectionsRule Types
Network Object NATTwice NAT / Manual NATRule Types used per SectionNAT
Types used with Twice NAT / Manual NAT and Network Obje...
Table of Contents Introduction:This document describes details on how
NAT-T works. Background: ESP encrypts all critical information,
encapsulating the entire inner TCP/UDP datagram within an ESP header.
ESP is an IP protocol in the same sense that TCP an...