
Installing Certificate for webvpn without CSR on ASA 8.4.3

 

Introduction:

This document describes how to install certificates for WebVPN on ASA 8.4.3 using Linux (Ubuntu) and OpenSSL, without generating a CSR on the ASA.

 

Problem:

The user had spent a lot of time trying to install his company's wildcard certificate on the ASA for use with AnyConnect, but kept failing.

 

From his webserver he retrieved DigiCertCA.crt, star.mycompany.com_cert.pem and star.mycompany.com_key.pem. The certificate is a wildcard certificate for mycompany.com.

 

The DigiCertCA.crt file is the intermediate certificate called "DigiCert High Assurance CA-3" on the DigiCert root certificates page, https://www.digicert.com/digicert-root-certificates.htm, with serial "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx".

 

On the ASA there is no trustpoint present: the commands "sh crypto ca certificates" and "sh crypto ca trustpoints" yield no output.

 

[Screenshots: cert 1.png, cert 2.png]

 

 

Solution:

 

The user has to create a PKCS#12 container that includes the certificate, the private key and the CA chain (intermediate and root), then import that container into the ASA.

 

On Linux (Ubuntu):

 

# root.crt = DigiCert root certificate followed by the intermediate (DigiCertCA.crt)
cat DigiCertHighAssuranceEVRootCA.pem DigiCertCA.crt > root.crt

# Bundle the server certificate, its private key and the CA chain into one PKCS#12 file
openssl pkcs12 -export -in star.mycompany.com_cert.pem -inkey star.mycompany.com_key.pem -certfile root.crt -out bundle.p12

 

Enter Export Password: secret

Verifying - Enter Export Password: secret

 

# Print the bundle as base64 text; this is what gets pasted into the ASA
cat bundle.p12 | base64

 

On the ASA:

 

ASA(config)# crypto ca import star.mycompany.com pkcs12 secret

Enter the base 64 encoded pkcs12.

End with the word "quit" on a line by itself:

# BASE64 OUTPUT OF bundle.p12 #

quit

% The CA cert is not self-signed.
% Do you also want to create trustpoints for CAs higher in
% the hierarchy? [yes/no]: yes

 

INFO: Import PKCS12 operation completed successfully

 

ASA(config)# ssl trust-point star.mycompany.com outside
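Most failed imports of this kind come from a certificate that does not match the key, or from a bundle that is missing the intermediate or root, so the ASA cannot build the chain. The following POSIX shell script is an added example, not part of the original post or of Cisco's documentation: it checks the certificate/key pair and the chain with openssl before building the PKCS#12 bundle, and counts the certificates that actually ended up inside the bundle. The function names, the demo PKI (self-signed "Demo Root CA", "Demo Intermediate CA", a "*.mycompany.com" leaf) and the file names are constructed for this example; point the functions at star.mycompany.com_cert.pem, star.mycompany.com_key.pem, DigiCertCA.crt and DigiCertHighAssuranceEVRootCA.pem for the real case.

```shell
#!/bin/sh
# Added example (not from the original post): pre-import checks for the
# PKCS#12 bundle described above. All names here are assumptions.
set -e

# Returns 0 when the certificate's public key equals the private key's public
# key. Comparing the SubjectPublicKeyInfo PEM works for RSA and EC keys.
cert_matches_key() {
    cert="$1"; key="$2"
    c=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
    k=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Returns 0 when the leaf chains to the root through the intermediate. This is
# the same chain the ASA has to build when it answers "yes" to the trustpoint
# prompt during import.
chain_verifies() {
    leaf="$1"; intermediate="$2"; root="$3"
    openssl verify -CAfile "$root" -untrusted "$intermediate" "$leaf" >/dev/null 2>&1
}

# Build the PKCS#12 bundle (leaf + key + root + intermediate), as in the post,
# and print the base64 text that the ASA "crypto ca import ... pkcs12" expects.
build_bundle() {
    leaf="$1"; key="$2"; intermediate="$3"; root="$4"; password="$5"; out="$6"
    cat "$root" "$intermediate" > "${out}.chain.crt"
    openssl pkcs12 -export -in "$leaf" -inkey "$key" -certfile "${out}.chain.crt" \
        -passout "pass:$password" -out "$out" 2>/dev/null
    base64 "$out"
}

# Count the certificates inside a bundle. Leaf + intermediate + root must all
# be present (3) for the ASA to create the higher trustpoints on import.
bundle_cert_count() {
    openssl pkcs12 -in "$1" -nokeys -passin "pass:$2" 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}

# Constructed demo PKI (root -> intermediate -> wildcard leaf) so the checks
# can be exercised offline without any real key material.
make_demo_pki() {
    dir="$1"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$dir/ca.ext"
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj '/CN=Demo Root CA' \
        -keyout "$dir/root.key" -out "$dir/root.crt" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj '/CN=Demo Intermediate CA' \
        -keyout "$dir/int.key" -out "$dir/int.csr" 2>/dev/null
    openssl x509 -req -in "$dir/int.csr" -CA "$dir/root.crt" -CAkey "$dir/root.key" \
        -CAcreateserial -days 2 -extfile "$dir/ca.ext" -out "$dir/int.crt" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj '/CN=*.mycompany.com' \
        -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/int.crt" -CAkey "$dir/int.key" \
        -CAcreateserial -days 2 -out "$dir/leaf.crt" 2>/dev/null
}

# Stand-alone demo: run as "sh check_bundle.sh demo" (file name is an assumption).
if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d)
    make_demo_pki "$d"
    cert_matches_key "$d/leaf.crt" "$d/leaf.key" && echo "cert/key match: ok"
    chain_verifies "$d/leaf.crt" "$d/int.crt" "$d/root.crt" && echo "chain: ok"
    build_bundle "$d/leaf.crt" "$d/leaf.key" "$d/int.crt" "$d/root.crt" secret "$d/bundle.p12" > "$d/bundle.b64"
    echo "certificates in bundle: $(bundle_cert_count "$d/bundle.p12" secret)"
    rm -rf "$d"
fi
```

If cert_matches_key fails, the _key.pem taken from the web server does not belong to the certificate and the import will not produce a usable trustpoint; if chain_verifies fails, the intermediate in root.crt is not the one that issued the wildcard certificate. The "% The CA cert is not self-signed." line in the ASA transcript above is expected: the first CA certificate it meets is the intermediate, and answering "yes" lets it create the trustpoints for the intermediate and the root that the bundle carries. With OpenSSL 3.x the pkcs12 export defaults to newer encryption; if an older ASA rejects the bundle, re-run the openssl pkcs12 -export command with the -legacy option.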

 

Source Discussion:

ASA 8.4.3 Install Certificate for webvpn without CSR
