Cisco ASA SSL Certificate Management Guide
A comprehensive guide to managing RSA key pairs, trustpoints, and certificates on Cisco ASA firewalls.
Table of Contents
- RSA Key Pair Management
- Trustpoints
- Certificate Enrollment (CSR)
- Certificate Installation
- Certificate Verification & Display
- PKCS#12 Format Conversion
- Certificate Renewal
- Reference
1. RSA Key Pair Management
1.1 Display Current Key Pair
```
ASAv921# show crypto key mypubkey rsa
```
1.2 Remove a Key Pair
```
ASAv921(config)# crypto key zeroize rsa label ASA921
WARNING: Keys to be removed are named 'ASA921'.
WARNING: All device digital certificates issued using these keys will also be removed and the associated trustpoints may not function correctly.
Do you really want to remove these keys? [yes/no]: yes
```
1.3 Generate the Default (Unlabeled) Key Pair
```
ASAv921(config)# crypto key generate rsa
WARNING: You have a RSA keypair already defined named <default>.
Do you really want to replace them? [yes/no]: yes
Keypair generation process begin. Please wait...
```
1.4 Generate a Key Pair with a Label
```
ASAv921(config)# crypto key generate rsa label mykeypair
INFO: The name for the keys will be: mykeypair
Keypair generation process begin. Please wait...
```
2. Trustpoints
What Is a Trustpoint?
A trustpoint is a container that stores certificates. Each trustpoint can hold up to two certificates:
| Certificate Type | Description |
|---|---|
| Identity Certificate | A certificate for which the ASA holds the corresponding private key |
| CA Certificate | A certificate issued by another party (the CA); the ASA does not hold its private key |
Create a Trustpoint
```
ASAv921(config)# crypto ca trustpoint sslvpn.trustpoint
ASAv921(config-ca-trustpoint)# subject-name CN=sslvpn.trustynet.com,OU=IT,O=Trustynet Inc.,C=CA,St=ON,L=Toronto
ASAv921(config-ca-trustpoint)# keypair sslvpnkeypair
ASAv921(config-ca-trustpoint)# fqdn sslvpn.trustynet.com
ASAv921(config-ca-trustpoint)# enrollment terminal
ASAv921(config-ca-trustpoint)# exit
```
3. Certificate Enrollment (CSR)
Generate a Certificate Signing Request (CSR) for the trustpoint:
```
ASAv921(config)# crypto ca enroll sslvpn.trustpoint
WARNING: The certificate enrollment is configured with an fqdn that differs from the system fqdn. If this certificate will be used for VPN authentication this may cause connection problems.
Would you like to continue with this enrollment? [yes/no]: yes
% Start certificate enrollment ..
% The subject name in the certificate will be: CN=sslvpn.trustynet.com,OU=IT,O=Trustynet Inc.,C=CA,St=ON,L=Toronto
% The fully-qualified domain name in the certificate will be: sslvpn.trustynet.com
% Include the device serial number in the subject name? [yes/no]: no
Display Certificate Request to terminal? [yes/no]: yes
Certificate Request follows:
-----BEGIN CERTIFICATE REQUEST-----
MIICGTCCAYICAQAwgZYxEDAOBgNVBAcTB1Rvcm9udG8xCzAJBgNVBAgTAk9OMQsw
CQYDVQQGEwJDQTEXMBUGA1UEChMOVHJ1c3R5bmV0IEluYy4xCzAJBgNVBAsTAklU
MR0wGwYDVQQDExRzc2x2cG4udHJ1c3R5bmV0LmNvbTEjMCEGCSqGSIb3DQEJAhYU
c3NsdnBuLnRydXN0eW5ldC5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGB
...
AkuvEaNoe2mdpYOgXw+13NLx+Ut/e6WIH+7ZfTTNB2r6/z/J3+j2eZFbdV8GsRBH
0GOPI7b8vwlfT77z7FoXKhhzqxk/kLkt+rxoHNuSMuk0b4l5kJmNg17GPhLRpey4
yXi9B/EALd0s8BLBcw==
-----END CERTIFICATE REQUEST-----
Redisplay enrollment request? [yes/no]: no
```
Tip: Copy the CSR output (including BEGIN/END lines) and submit it to your Certificate Authority.
4. Certificate Installation
4.1 (Optional) Import Intermediate CA Certificate
Important: If the CA provides a certificate chain, install only the immediate intermediate CA certificate on the trustpoint used to generate the CSR. The Root CA and any additional intermediate certificates should be installed in separate trustpoints.
```
ASAv921(config)# crypto ca authenticate sslvpn.trustpoint
```
4.2 Import the Identity Certificate
```
ASAv921(config)# crypto ca import sslvpn.trustpoint certificate
WARNING: The certificate enrollment is configured with an fqdn that differs from the system fqdn. If this certificate will be used for VPN authentication this may cause connection problems.
Would you like to continue with this enrollment? [yes/no]: yes
% The fully-qualified domain name in the certificate will be: sslvpn.trustynet.com
Enter the base 64 encoded certificate.
End with the word "quit" on a line by itself
-----BEGIN CERTIFICATE-----
MIIEnDCCBAWgAwIBAgIKH7tiHgAAAAAACzANBgkqhkiG9w0BAQUFADBSMRMwEQYK
CZImiZPyLGQBGRYDY29tMRkwFwYKCZImiZPyLGQBGRYJdHJ1c3R5bmV0MSAwHgYD
...
AHIAdgBlAHIwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDQYJKoZIhvcNAQEFBQADgYEA
vGdOjIhSnD0kBZE73CJduJCFsO7bfvRVuG4RQXsO/boVwUNu+Ky/Irio4E/PTI10
DjNrw6cotlpIVOPzYbVl03sTtJ/gWe21OvgRZioym7Riai5N1hXKoRh9agh2F/gY
CWT74zLZUoVkHbETABLV+Ol0K0LfuZfy6jUYLh2eMAc=
-----END CERTIFICATE-----
quit
INFO: Certificate successfully imported
```
4.3 Enable the Certificate on the Outside Interface
```
ASAv921(config)# ssl trust-point sslvpn.trustpoint outside
ASAv921(config)# write memory
Building configuration...
Cryptochecksum: aebcb75f 6d23e656 cd1f6dbe 3aa9ef39
6905 bytes copied in 0.60 secs
[OK]
```
5. Certificate Verification & Display
5.1 Display Certificate Information
```
ASAv921# show crypto ca certificates
Certificate
  Status: Available
  Certificate Serial Number: 1fbb621e00000000000b
  Certificate Usage: General Purpose
  Public Key Type: RSA (1024 bits)
  Signature Algorithm: SHA1 with RSA Encryption
  Issuer Name:
    cn=trustynet-WIN2K8-INT-CA
    dc=trustynet
    dc=com
  Subject Name:
    cn=sslvpn.trustynet.com
    ou=IT
    o=Trustynet Inc.
    l=Toronto
    st=ON
    c=CA
  CRL Distribution Points:
    [1] ldap:///CN=trustynet-WIN2K8-INT-CA,CN=WIN2K8-INT,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=trustynet,DC=com?certificateRevocationList?base?objectClass=cRLDistributionPoint
  Validity Date:
    start date: 01:33:05 UTC Apr 22 2016
    end date:   01:33:05 UTC Apr 22 2018
  Associated Trustpoints: sslvpn.trustpoint
```
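The listing above is worth checking mechanically before the certificate goes live: the key size, the signature algorithm and the validity window are all on it. The following script, written for this guide and not Cisco code, parses the text of `show crypto ca certificates` (the sample embedded in it is the guide's own listing) and reports the findings a defender would want flagged. The thresholds (minimum 2048-bit RSA, a warning 30 days before `end date`) are this example's assumptions, not ASA settings.

```python
"""Audit 'show crypto ca certificates' output from a Cisco ASA.
Added example for this guide, not Cisco code. The sample is the guide's own
listing; the thresholds are this example's assumptions, not ASA settings."""
import re
import sys
from datetime import datetime, timedelta, timezone

MIN_RSA_BITS = 2048      # assumption: flag anything smaller
EXPIRY_WARN_DAYS = 30    # assumption: warn this long before 'end date'
ASA_DATE_FMT = "%H:%M:%S UTC %b %d %Y"   # e.g. '01:33:05 UTC Apr 22 2018'

SAMPLE_OUTPUT = """\
Certificate
Status: Available
Certificate Serial Number: 1fbb621e00000000000b
Certificate Usage: General Purpose
Public Key Type: RSA (1024 bits)
Signature Algorithm: SHA1 with RSA Encryption
Issuer Name:
cn=trustynet-WIN2K8-INT-CA
dc=trustynet
dc=com
Subject Name:
cn=sslvpn.trustynet.com
ou=IT
o=Trustynet Inc.
l=Toronto
st=ON
c=CA
CRL Distribution Points:
[1] ldap:///CN=trustynet-WIN2K8-INT-CA,CN=WIN2K8-INT,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=trustynet,DC=com?certificateRevocationList?base?objectClass=cRLDistributionPoint
Validity Date:
start date: 01:33:05 UTC Apr 22 2016
end date: 01:33:05 UTC Apr 22 2018
Associated Trustpoints: sslvpn.trustpoint
"""

def parse_asa_date(value):
    """ASA prints times as 'HH:MM:SS UTC Mon DD YYYY'; return an aware datetime."""
    return datetime.strptime(value, ASA_DATE_FMT).replace(tzinfo=timezone.utc)

def parse_certificate(text):
    """'Issuer Name:' / 'Subject Name:' open blocks of attr=value lines that run
    until the next 'Header:' line; everything else is 'key: value' or ignored.
    A repeated attribute such as dc= keeps its last value."""
    cert = {"issuer": {}, "subject": {}}
    block = None
    for line in (ln.strip() for ln in text.splitlines() if ln.strip()):
        if line in ("Issuer Name:", "Subject Name:"):
            block = line.split()[0].lower()
            continue
        if line.endswith(":"):          # any other header closes a name block
            block = None
            continue
        if block and "=" in line:
            attr, _, val = line.partition("=")
            cert[block][attr.lower()] = val
            continue
        key, _, val = line.partition(":")
        key, val = key.strip().lower(), val.strip()
        if key == "certificate serial number":
            cert["serial"] = val
        elif key == "public key type":
            m = re.fullmatch(r"RSA \((\d+) bits\)", val)
            cert["key_bits"] = int(m.group(1)) if m else None
        elif key == "signature algorithm":
            cert["sig_alg"] = val
        elif key == "start date":
            cert["not_before"] = parse_asa_date(val)
        elif key == "end date":
            cert["not_after"] = parse_asa_date(val)
        elif key == "associated trustpoints":
            cert["trustpoints"] = val.split()
    return cert

def audit(cert, now=None):
    """Return (code, message) findings for one parsed certificate."""
    now = now or datetime.now(timezone.utc)
    out = []
    bits = cert.get("key_bits")
    if bits is not None and bits < MIN_RSA_BITS:
        out.append(("WEAK_KEY", f"RSA {bits} bits, below {MIN_RSA_BITS}"))
    if cert.get("sig_alg", "").upper().startswith("SHA1"):
        out.append(("SHA1_SIGNATURE", "SHA-1 signatures are rejected by modern browsers"))
    if "not_before" in cert and now < cert["not_before"]:
        out.append(("NOT_YET_VALID", f"valid from {cert['not_before']:%Y-%m-%d}"))
    if "not_after" in cert:
        left = cert["not_after"] - now
        if left <= timedelta(0):
            out.append(("EXPIRED", f"expired {cert['not_after']:%Y-%m-%d}"))
        elif left <= timedelta(days=EXPIRY_WARN_DAYS):
            out.append(("EXPIRING_SOON", f"{left.days} days left"))
    return out

if __name__ == "__main__":   # pipe a captured listing in, or run on the sample
    cert = parse_certificate(sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_OUTPUT)
    print(f"{cert['subject'].get('cn')} issued by {cert['issuer'].get('cn')}")
    for code, msg in audit(cert) or [("OK", "no findings")]:
        print(f"  {code}: {msg}")
```

Run against the guide's own listing it reports two findings: the 1024-bit key and the SHA-1 signature. The first is decided when the key pair is generated in section 1 (`crypto key generate rsa label <label> modulus 2048` picks the modulus explicitly); the second is decided by the CA's signing profile. A full listing from an ASA with several trustpoints contains one block per certificate; split it on the `Certificate` / `CA Certificate` header lines and feed each block to `parse_certificate` separately.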
5.2 Export Certificate in PEM Format
```
ASAv921(config)# crypto ca export sslvpn.trustpoint identity-certificate
The PEM encoded identity certificate follows:
-----BEGIN CERTIFICATE-----
MIIEnDCCBAWgAwIBAgIKH7tiHgAAAAAACzANBgkqhkiG9w0BAQUFADBSMRMwEQYK
...
DjNrw6cotlpIVOPzYbVl03sTtJ/gWe21OvgRZioym7Riai5N1hXKoRh9agh2F/gY
CWT74zLZUoVkHbETABLV+Ol0K0LfuZfy6jUYLh2eMAc=
-----END CERTIFICATE-----
```
6. PKCS#12 Format Conversion
6.1 Export Key and Certificate to PKCS#12 (Base64) from ASA
```
ASAv921(config)# crypto ca export sslvpn.trustpoint pkcs12 mypassword
Exported pkcs12 follows:
-----BEGIN PKCS12-----
MIIJbwIBAzCCCSkGCSqGSIb3DQEHAaCCCRoEggkWMIIJEjCCCQ4GCSqGSIb3DQEH
BqCCCP8wggj7AgEAMIII9AYJKoZIhvcNAQcBMBsGCiqGSIb3DQEMAQMwDQQIXEyM
...
g9CUMzA9MCEwCQYFKw4DAhoFAAQU1P4l4RWp+qe/DKU0oHZ57QOWV2sEFJiWw3er
ExwYbVFjUbIYuhZPuOiOAgIEAA==
-----END PKCS12-----
```
Note: The ASA exports PKCS#12 as Base64 text between BEGIN/END PKCS12 lines. OpenSSL's `pkcs12` command expects the binary (DER) form, so the export must be decoded first.
6.2 Convert ASA Base64 PKCS#12 to OpenSSL Binary Format
```
openssl enc -base64 -d -in certfile.pfx -out converted.pfx
```
6.3 Extract Certificate and Private Key with OpenSSL
| Command | Purpose |
|---|---|
| openssl pkcs12 -in converted.pfx -nocerts -out keyfile.key | Extract private key only |
| openssl pkcs12 -in converted.pfx -clcerts -nokeys -out certfile.crt | Extract certificate only |
6.4 Import OpenSSL-Generated PKCS#12 into ASA
ASA expects Base64 format. Convert OpenSSL's binary .pfx to Base64:
```
# Method 1
openssl base64 -in certificate.pfx > certificate.base64
# Method 2
openssl base64 -in certificate.pfx -out certificate.p12
```
Add PKCS#12 header and footer to the Base64 file (copy and paste without extra spaces):
```
-----BEGIN PKCS12-----
<your base64 content here>
-----END PKCS12-----
```
Then import into ASA:
```
ASAv921(config)# crypto ca import sslvpn.trustpoint pkcs12 mypassword
```
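Both conversions in this section, the ASA's Base64 text to binary for OpenSSL (6.2) and OpenSSL's binary .pfx back to the BEGIN/END PKCS12 text the import prompt expects (6.4), are the same Base64 step with an armor line on each side, and the manual copy-and-paste is where they usually go wrong: `openssl enc -base64 -d` does not accept the BEGIN/END lines themselves, and a pasted body with a stray character or a missing line is rejected only at the ASA prompt. The tool below, written for this guide and not Cisco or OpenSSL code, does both directions with the Python standard library, strips or adds the armor, ignores surrounding terminal text such as the prompt and `Exported pkcs12 follows:`, and decodes strictly so a bad paste fails early. The file names in its usage comment are placeholders; the bytes used in the test are constructed, not a real PKCS#12 file.

```python
"""Convert between the ASA's Base64 PKCS#12 text and binary PKCS#12 (.pfx/.p12).

Added example for this guide, not Cisco or OpenSSL code. Standard library only.
  to-der : paste of 'crypto ca export ... pkcs12' output -> binary file for 'openssl pkcs12'
  to-asa : binary .pfx from 'openssl pkcs12 -export'     -> text for 'crypto ca import ... pkcs12'
"""
import base64
import binascii
import sys
from pathlib import Path

HEADER = "-----BEGIN PKCS12-----"
FOOTER = "-----END PKCS12-----"


def asa_text_to_der(text):
    """Locate the BEGIN/END lines (anything around them, such as the ASA prompt or
    'Exported pkcs12 follows:', is ignored) and decode the body strictly."""
    lines = [ln.strip() for ln in text.splitlines()]
    try:
        start = lines.index(HEADER)
        end = lines.index(FOOTER, start + 1)
    except ValueError:
        raise ValueError("no BEGIN/END PKCS12 lines found") from None
    body = "".join(lines[start + 1:end])
    try:
        # validate=True rejects characters outside the Base64 alphabet, which is
        # how a paste that picked up stray text shows up
        return base64.b64decode(body, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"PKCS#12 body is not clean Base64: {exc}") from None


def der_to_asa_text(der, width=64):
    """Base64-encode binary PKCS#12, 64 characters per line like 'openssl base64',
    and add the header/footer the ASA import prompt expects."""
    b64 = base64.b64encode(der).decode("ascii")
    body = [b64[i:i + width] for i in range(0, len(b64), width)]
    return "\n".join([HEADER, *body, FOOTER]) + "\n"


if __name__ == "__main__":
    # usage: python asa_pkcs12.py to-der asa_export.txt converted.pfx
    #        python asa_pkcs12.py to-asa certificate.pfx asa_import.txt   (file names are placeholders)
    try:
        mode, src, dst = sys.argv[1:4]
    except ValueError:
        raise SystemExit("usage: asa_pkcs12.py to-der|to-asa <in> <out>")
    if mode == "to-der":
        Path(dst).write_bytes(asa_text_to_der(Path(src).read_text()))
    elif mode == "to-asa":
        Path(dst).write_text(der_to_asa_text(Path(src).read_bytes()))
    else:
        raise SystemExit(f"unknown mode {mode!r}")
    print(f"wrote {dst}")
```

After `to-der`, the output file is what the `openssl pkcs12 -in converted.pfx ...` commands in 6.3 read; after `to-asa`, the whole output file, armor lines included, is what gets pasted at the `crypto ca import ... pkcs12` prompt. The export password is never touched by this conversion, since the Base64 layer wraps the already-encrypted PKCS#12 structure.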
7. Certificate Renewal
Renew Without Changing the Private Key
Method 1: CLI
```
ASAv921(config)# crypto ca import sslvpn.trustpoint certificate
```
Method 2: GUI
- Generate a new CSR using the same key pair
- Submit the CSR to your CA
- Install the new certificate when received
Verify which key pair the trustpoint references (the `keypair` line in its configuration):
```
ASAv921# show run crypto ca trustpoint
```
8. Reference
Quick Command Reference
| Task | Command |
|---|---|
| Show RSA keys | show crypto key mypubkey rsa |
| Remove RSA key | crypto key zeroize rsa label <label> |
| Generate RSA key | crypto key generate rsa label <label> |
| Create trustpoint | crypto ca trustpoint <name> |
| Generate CSR | crypto ca enroll <trustpoint> |
| Import certificate | crypto ca import <trustpoint> certificate |
| Import PKCS#12 | crypto ca import <trustpoint> pkcs12 <password> |
| Export PKCS#12 | crypto ca export <trustpoint> pkcs12 <password> |
| Enable SSL | ssl trust-point <trustpoint> <interface> |
| Show certificates | show crypto ca certificates |