key pair
Display current key pair
ASAv921# show crypto key mypubkey rsa
Remove a key pair
ASAv921(config)# crypto key zeroize rsa label ASA921
WARNING: Keys to be removed are named 'ASA921'.
WARNING: All device digital certificates issued using these keys will also be removed and
the associated trustpoints may not function correctly.
Do you really want to remove these keys? [yes/no]: yes
ASAv921(config)#
Generate general key pair
ASAv921(config)# crypto key generate rsa
WARNING: You have a RSA keypair already defined named .
Do you really want to replace them? [yes/no]: yes
Keypair generation process begin. Please wait...
ASAv921(config)#
Generate key pair and assign it a label
ASAv921(config)# crypto key generate rsa label mykeypair
INFO: The name for the keys will be: mykeypair
Keypair generation process begin. Please wait...
ASAv921(config)#
Trustpoint
A trustpoint is just a container in which certificates are stored. A trustpoint can hold up to two certificates:
- An identity certificate (a certificate for which the router owns the corresponding private key)
- A certificate authority certificate (a certificate signed by another party; the router doesn't own the matching private key)
Create the trustpoint
ASAv921(config)# crypto ca trustpoint sslvpn.trusttpoint
ASAv921(config-ca-trustpoint)# subject-name CN=sslvpn.trustynet.com,OU=IT,O=Trustynet Inc.,C=CA,St=ON,L=Toronto
ASAv921(config-ca-trustpoint)# keypair sslvpnkeypair
ASAv921(config-ca-trustpoint)# fqdn sslvpn.trustynet.com
ASAv921(config-ca-trustpoint)# enrollment terminal
ASAv921(config-ca-trustpoint)# exit
Generate CSR
ASAv921(config)# crypto ca enroll sslvpn.trusttpoint
WARNING: The certificate enrollment is configured with an fqdn
that differs from the system fqdn. If this certificate will be
used for VPN authentication this may cause connection problems.
Would you like to continue with this enrollment? [yes/no]: yes
% Start certificate enrollment ..
% The subject name in the certificate will be: CN=sslvpn.trustynet.com,OU=IT,O=Trustynet Inc.,C=CA,St=ON,L=Toronto
% The fully-qualified domain name in the certificate will be: sslvpn.trustynet.com
% Include the device serial number in the subject name? [yes/no]: no
Display Certificate Request to terminal? [yes/no]: yes
Certificate Request follows:
-----BEGIN CERTIFICATE REQUEST-----
MIICGTCCAYICAQAwgZYxEDAOBgNVBAcTB1Rvcm9udG8xCzAJBgNVBAgTAk9OMQsw
CQYDVQQGEwJDQTEXMBUGA1UEChMOVHJ1c3R5bmV0IEluYy4xCzAJBgNVBAsTAklU
MR0wGwYDVQQDExRzc2x2cG4udHJ1c3R5bmV0LmNvbTEjMCEGCSqGSIb3DQEJAhYU
c3NsdnBuLnRydXN0eW5ldC5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGB
.......
AkuvEaNoe2mdpYOgXw+13NLx+Ut/e6WIH+7ZfTTNB2r6/z/J3+j2eZFbdV8GsRBH
0GOPI7b8vwlfT77z7FoXKhhzqxk/kLkt+rxoHNuSMuk0b4l5kJmNg17GPhLRpey4
yXi9B/EALd0s8BLBcw==
-----END CERTIFICATE REQUEST-----
Redisplay enrollment request? [yes/no]: no
ASAv921(config)#
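Before handing the request to the CA it is worth checking it offline. The script below is an added example, not from this post or from Cisco: because the request printed by the ASA is truncated here, it generates a local 2048-bit key and CSR with the same subject as the trustpoint above (the config file and file names are constructed), then checks the CN, the key size, the presence of a DNS subjectAltName and the self-signature. Two caveats this post does not mention: the key pair used here is 1024-bit RSA and the issued certificate is SHA1-signed (see the show output further down), both of which current browsers reject, and the ASA's fqdn lands in the request's subject as an unstructuredName attribute rather than as a subjectAltName, so whether the issued certificate carries the DNS SAN that browsers require depends on the CA template.

```shell
#!/bin/sh
# Added example: sanity-check a CSR with openssl before handing it to the CA.
# Not the ASA's own tooling; the key and CSR are generated locally as a
# stand-in for the request the ASA printed to the terminal.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed request config: the subject from the trustpoint above plus a
# subjectAltName, which browsers require (a CN-only certificate is rejected).
cat > "$WORK/req.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
req_extensions = ext
[dn]
C  = CA
ST = ON
L  = Toronto
O  = Trustynet Inc.
OU = IT
CN = sslvpn.trustynet.com
[ext]
subjectAltName = DNS:sslvpn.trustynet.com
EOF

openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORK/key.pem" 2>/dev/null
openssl req -new -key "$WORK/key.pem" -config "$WORK/req.cnf" \
    -out "$WORK/csr.pem"
CSR="$WORK/csr.pem"

# Subject CN, printed in RFC 2253 form so the output is stable across versions.
csr_cn() {
    openssl req -in "$1" -noout -subject -nameopt RFC2253 \
        | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# RSA modulus size in bits. 1024-bit keys (as in the show output in this post)
# are rejected by current browsers, so anything under 2048 should be a failure.
csr_key_bits() {
    openssl req -in "$1" -noout -text | grep -o '([0-9]* bit)' | tr -dc '0-9'
}

# Exit 0 if the request carries the expected DNS SAN, 1 otherwise.
csr_has_san() {
    openssl req -in "$1" -noout -text | grep -q "DNS:$2"
}

# Exit 0 if the CSR's self-signature verifies, i.e. it was not mangled in
# transit (a copy-paste from a terminal commonly drops or wraps a line).
csr_verify() {
    openssl req -in "$1" -noout -verify >/dev/null 2>&1
}

echo "CN:   $(csr_cn "$CSR")"
echo "bits: $(csr_key_bits "$CSR")"
csr_has_san "$CSR" sslvpn.trustynet.com && echo "SAN:  present"
csr_verify "$CSR" && echo "sig:  ok"
```

To check the request the ASA actually printed, paste it into a file and point the four functions at that file instead of the locally generated one; a failed `csr_verify` almost always means a line was lost or wrapped while copying from the terminal.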
(Optional) Import intermediate certificate
If the CA provides a CA certificate chain, only install the immediate
intermediate CA certificate in the hierarchy on the trustpoint used to
generate the CSR. The Root CA certificate and any other intermediate CA
certificates can be installed in new trustpoints.
ASAv921(config)# crypto ca authenticate sslvpn.trusttpoint
Import the certificate
ASAv921(config)# crypto ca import sslvpn.trusttpoint certificate
WARNING: The certificate enrollment is configured with an fqdn
that differs from the system fqdn. If this certificate will be
used for VPN authentication this may cause connection problems.
Would you like to continue with this enrollment? [yes/no]: yes
% The fully-qualified domain name in the certificate will be: sslvpn.trustynet.com
Enter the base 64 encoded certificate.
End with the word "quit" on a line by itself
-----BEGIN CERTIFICATE-----
MIIEnDCCBAWgAwIBAgIKH7tiHgAAAAAACzANBgkqhkiG9w0BAQUFADBSMRMwEQYK
CZImiZPyLGQBGRYDY29tMRkwFwYKCZImiZPyLGQBGRYJdHJ1c3R5bmV0MSAwHgYD
VQQDExd0cnVzdHluZXQtV0lOMks4LUlOVC1DQTAeFw0xNjA0MjIwMTMzMDVaFw0x
......
AHIAdgBlAHIwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDQYJKoZIhvcNAQEFBQADgYEA
vGdOjIhSnD0kBZE73CJduJCFsO7bfvRVuG4RQXsO/boVwUNu+Ky/Irio4E/PTI10
DjNrw6cotlpIVOPzYbVl03sTtJ/gWe21OvgRZioym7Riai5N1hXKoRh9agh2F/gY
CWT74zLZUoVkHbETABLV+Ol0K0LfuZfy6jUYLh2eMAc=
-----END CERTIFICATE-----
quit
INFO: Certificate successfully imported
ASAv921(config)#
Enable the certificate on outside interface
ASAv921(config)# ssl trust-point sslvpn.trusttpoint outside
ASAv921(config)# wr mem
Building configuration...
Cryptochecksum: aebcb75f 6d23e656 cd1f6dbe 3aa9ef39
6905 bytes copied in 0.60 secs
[OK]
ASAv921(config)#
Display the certificate information
ASAv921# sh crypto ca certificates
Certificate
Status: Available
Certificate Serial Number: 1fbb621e00000000000b
Certificate Usage: General Purpose
Public Key Type: RSA (1024 bits)
Signature Algorithm: SHA1 with RSA Encryption
Issuer Name:
cn=trustynet-WIN2K8-INT-CA
dc=trustynet
dc=com
Subject Name:
cn=sslvpn.trustynet.com
ou=IT
o=Trustynet Inc.
l=Toronto
st=ON
c=CA
CRL Distribution Points:
[1] ldap:///CN=trustynet-WIN2K8-INT-CA,CN=WIN2K8-INT,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=trustynet,DC=com?certificateRevocationList?base?objectClass=cRLDistributionPoint
Validity Date:
start date: 01:33:05 UTC Apr 22 2016
end date: 01:33:05 UTC Apr 22 2018
Associated Trustpoints: sslvpn.trusttpoint
ASAv921#
Display certificate in PEM format
ASAv921(config)# crypto ca export sslvpn.trusttpoint identity-certificate
The PEM encoded identity certificate follows:
-----BEGIN CERTIFICATE-----
MIIEnDCCBAWgAwIBAgIKH7tiHgAAAAAACzANBgkqhkiG9w0BAQUFADBSMRMwEQYK
CZImiZPyLGQBGRYDY29tMRkwFwYKCZImiZPyLGQBGRYJdHJ1c3R5bmV0MSAwHgYD
...........
DjNrw6cotlpIVOPzYbVl03sTtJ/gWe21OvgRZioym7Riai5N1hXKoRh9agh2F/gY
CWT74zLZUoVkHbETABLV+Ol0K0LfuZfy6jUYLh2eMAc=
-----END CERTIFICATE-----
ASAv921(config)#
Export key and certificate to a PKCS12 (base64) file with password protection.
ASAv921(config)# crypto ca export sslvpn.trusttpoint pkcs12 mypassword
Exported pkcs12 follows:
-----BEGIN PKCS12-----
MIIJbwIBAzCCCSkGCSqGSIb3DQEHAaCCCRoEggkWMIIJEjCCCQ4GCSqGSIb3DQEH
BqCCCP8wggj7AgEAMIII9AYJKoZIhvcNAQcBMBsGCiqGSIb3DQEMAQMwDQQIXEyM
AiOifzkCAQGAggjIYyRs5K6mZeUREvFm/QpryelsjpdixG7mBMN51m2yr1S6Utmv
.......
W6pE2FGyQ+QhsChNTeyqTTe/f/IMDrLgQlMea/fIcTXZu8E+FMXr3MbI1iqabukU
jr7c9RgEqGmZtxKZkpkCoBsYEUI8OjWrrb3452+4y+s1H7qZ14RYGivrIjYXSJ3o
g9CUMzA9MCEwCQYFKw4DAhoFAAQU1P4l4RWp+qe/DKU0oHZ57QOWV2sEFJiWw3er
ExwYbVFjUbIYuhZPuOiOAgIEAA==
-----END PKCS12-----
ASAv921(config)#
In order to process the Base64-format PKCS12 file exported by the ASA in OpenSSL, we first need to convert it from Base64 to OpenSSL's binary format:
openssl enc -base64 -d -in certfile.pfx -out converted.pfx
Then in OpenSSL:
Extracting the certificate and keys from a .pfx file
openssl pkcs12 -in converted.pfx -nocerts -out [xxx.key]
openssl pkcs12 -in converted.pfx -clcerts -nokeys -out [xxx.crt]
Import OpenSSL generated PKCS12 file to ASA trustpoint
The ASA expects a Base64-format PKCS12 file, so we need to convert the binary-format .pfx file generated by OpenSSL to Base64:
#openssl base64 -in certificate.pfx -out certificate.p12
Then we need to open the file and add the PKCS12 header and footer; just copy and paste them without leaving any spaces or blank lines:
-----BEGIN PKCS12-----
-----END PKCS12-----
ASAv921(config)# crypto ca import sslvpn.trusttpoint pkcs12 mypassword
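Putting the conversion steps in both directions together: the script below is an added example, not from this post, that builds a throwaway PKCS12 with openssl (a constructed stand-in for the file exported from the ASA), wraps it into the ASA's Base64 text form with the PKCS12 header and footer, unwraps it again and extracts the key and certificate as in the steps above. `mypassword` is the placeholder password used in this post. The pinned PBE and MAC algorithms are a compatibility assumption: OpenSSL 3 defaults to AES-256-CBC with PBKDF2 for `pkcs12 -export`, which some ASA releases will not import; if your ASA accepts the defaults those three options can be dropped.

```shell
#!/bin/sh
# Added example: move a PKCS12 between the ASA's Base64 text form and the
# binary form openssl reads, then pull the key and certificate out of it.
# The PKCS12 is constructed here from a throwaway self-signed certificate;
# it is not the file exported from the ASA in the post.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
PASS=mypassword   # same placeholder password the post uses

# Constructed sample: self-signed cert + key, packed with SHA-1/3DES PBE and a
# SHA-1 MAC. OpenSSL 3 defaults to AES/PBKDF2, which older ASA releases may
# not accept (compatibility assumption), so the algorithms are pinned.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=sslvpn.trustynet.com" \
    -keyout "$WORK/k.pem" -out "$WORK/c.pem" 2>/dev/null
openssl pkcs12 -export -in "$WORK/c.pem" -inkey "$WORK/k.pem" -passout "pass:$PASS" \
    -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1 -out "$WORK/bin.pfx"

# Binary .pfx -> ASA text form: Base64 in 64-column lines between the PKCS12
# header and footer, with no blank lines or leading spaces.
wrap_for_asa() {                      # $1 binary pfx, $2 output text file
    {
        echo '-----BEGIN PKCS12-----'
        openssl base64 -in "$1"
        echo '-----END PKCS12-----'
    } > "$2"
}

# ASA text form -> binary .pfx. Tolerates CRLF line endings and the prompt
# lines that usually get pasted along with the blob.
unwrap_from_asa() {                   # $1 text file, $2 output binary pfx
    tr -d '\r' < "$1" \
        | sed -n '/^-----BEGIN PKCS12-----$/,/^-----END PKCS12-----$/p' \
        | grep -v -- '-----' \
        | openssl base64 -d -out "$2"
}

# Exit 0 if openssl can open the PKCS12 with the password (this also checks
# the integrity MAC, so a corrupted paste is caught here).
pkcs12_ok() { openssl pkcs12 -in "$1" -noout -passin "pass:$PASS" 2>/dev/null; }

# Extract the key and certificate, as in the "Extracting" step above.
# -nodes writes the key unencrypted; the post's -nocerts command instead
# prompts for a passphrase to protect it.
extract_pkcs12() {                    # $1 binary pfx, $2 key out, $3 cert out
    openssl pkcs12 -in "$1" -nocerts -nodes -passin "pass:$PASS" -out "$2" 2>/dev/null
    openssl pkcs12 -in "$1" -clcerts -nokeys -passin "pass:$PASS" -out "$3" 2>/dev/null
}

file_sha256() { openssl dgst -sha256 "$1" | sed 's/.*= //'; }

wrap_for_asa "$WORK/bin.pfx" "$WORK/asa.txt"
unwrap_from_asa "$WORK/asa.txt" "$WORK/roundtrip.pfx"
extract_pkcs12 "$WORK/roundtrip.pfx" "$WORK/out.key" "$WORK/out.crt"
head -1 "$WORK/asa.txt"
[ "$(file_sha256 "$WORK/bin.pfx")" = "$(file_sha256 "$WORK/roundtrip.pfx")" ] \
    && echo "round trip intact"
```

The temporary directory holding the unencrypted key is removed on exit; a real export contains the VPN private key, so delete or encrypt the extracted files as soon as the import on the other side has succeeded.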
Renew certificate without changing private key
Verify the key pair used by the trustpoint:
sh run crypto ca trustpoint
CLI:
ASAv921(config)# crypto ca import sslvpn.trusttpoint certificate
GUI:
Generate a new CSR from the trustpoint using the same key pair; when you receive the new certificate, install it.
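Two checks worth running on the certificate the CA returns, both before the `crypto ca import ... certificate` step above and again when renewing without changing the private key: that the certificate's public key is the one from the trustpoint's key pair (a key regenerated after the CSR was sent means the import will fail), and that it chains to the intermediate CA installed with `crypto ca authenticate`. The script is an added example, not from this post; the issuing CA, the unrelated CA and the two key pairs are throwaway material generated locally as stand-ins for the real intermediate CA and the trustpoint's keys.

```shell
#!/bin/sh
# Added example: checks on a certificate received from the CA, done with
# openssl rather than the ASA CLI. All key and CA material below is
# constructed locally and stands in for the real trustpoint and CA.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

newkey() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1" 2>/dev/null
}

# Throwaway issuing CA (stands in for the intermediate CA in the post).
newkey ca.key
openssl req -x509 -new -key ca.key -days 1 -subj "/CN=constructed-int-ca" \
    -out ca.pem 2>/dev/null
# An unrelated CA, to show that chain verification actually discriminates.
newkey other-ca.key
openssl req -x509 -new -key other-ca.key -days 1 -subj "/CN=unrelated-ca" \
    -out other-ca.pem 2>/dev/null

# The trustpoint's key pair and the certificate the CA issued for it.
newkey sslvpnkeypair.key
openssl req -new -key sslvpnkeypair.key -subj "/CN=sslvpn.trustynet.com" \
    -out sslvpn.csr 2>/dev/null
openssl x509 -req -in sslvpn.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
    -days 1 -out sslvpn.crt 2>/dev/null
# A second key pair, e.g. one regenerated with `crypto key generate rsa`
# after the CSR had already been sent.
newkey regenerated.key

# SHA-256 of the DER-encoded public key, taken from either a certificate
# or a private key, so the two can be compared directly.
pubkey_fp() {
    if grep -q 'BEGIN CERTIFICATE' "$1"; then
        openssl x509 -in "$1" -pubkey -noout
    else
        openssl pkey -in "$1" -pubout
    fi | openssl pkey -pubin -outform DER | openssl dgst -sha256 | sed 's/.*= //'
}

# Exit 0 if the certificate was issued for this private key, 1 otherwise.
cert_matches_key() {                  # $1 certificate, $2 private key
    [ "$(pubkey_fp "$1")" = "$(pubkey_fp "$2")" ]
}

# Exit 0 if the certificate chains to the given CA certificate, 1 otherwise.
cert_chains_to() {                    # $1 certificate, $2 CA certificate
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

cert_matches_key sslvpn.crt sslvpnkeypair.key && echo "key pair matches certificate"
cert_matches_key sslvpn.crt regenerated.key || echo "regenerated key does NOT match"
cert_chains_to sslvpn.crt ca.pem && echo "chains to issuing CA"
cert_chains_to sslvpn.crt other-ca.pem || echo "does not chain to unrelated CA"
```

For a real renewal, `pubkey_fp` on the new certificate should equal `pubkey_fp` on the certificate exported from the trustpoint with `crypto ca export ... identity-certificate` above; if the two differ, the CA issued against a different request and the ASA will not bind the new certificate to the existing key pair.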
================================
https://www.cisco.com/c/en/us/support/docs/security-vpn/public-key-infrastructure-pki/200339-Configure-ASA-SSL-Digital-Certificate-I.html