Import custom SSL on Cisco ASA

First, prepare a PKCS12 certificate. You need the openssl package:

openssl pkcs12 -export -out output.pfx -inkey domain.key -in domain.crt -certfile domain-bundle.crt

where:
output.pfx – is the newly created pkcs12 certificate
domain.key – is the key to your original certificate
domain.crt – is the x509 certificate issued by the cert authority
domain-bundle.crt – is the root certificate chain (a.k.a. CA bundle)

Next, base64-encode the .pfx file:

base64 output.pfx

Leave the terminal open with the output of the base64 command, as you will need to paste it into the Cisco ASA.
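Before pasting anything into the ASA, it is worth confirming that the key really belongs to the certificate and that the bundle completes the chain, since a mismatched key or an incomplete chain imports without complaint and only shows up as browser warnings later. The script below is an added example, not part of the original post; the function name and file names are assumptions, and the export itself is the same openssl command shown above with the password passed as an argument.

```shell
#!/bin/sh
# Added example (not from the post): check key/cert/chain consistency, then
# build the PKCS12 and its base64 text for "crypto ca import ... pkcs12".
# Usage: sh make_asa_pkcs12.sh domain.key domain.crt domain-bundle.crt output.pfx 'pass'

# make_asa_pkcs12 KEY CRT BUNDLE OUT_PFX PASSWORD
# Writes OUT_PFX and OUT_PFX.b64 (the text you paste into the ASA).
make_asa_pkcs12() {
    key=$1; crt=$2; bundle=$3; out=$4; pass=$5

    # 1. The private key must belong to the certificate: derive the public
    #    key (SubjectPublicKeyInfo PEM) from each side and compare them.
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || {
        echo "cannot read private key $key" >&2; return 1; }
    crt_pub=$(openssl x509 -in "$crt" -pubkey -noout 2>/dev/null) || {
        echo "cannot read certificate $crt" >&2; return 1; }
    if [ "$key_pub" != "$crt_pub" ]; then
        echo "key $key does not match certificate $crt" >&2; return 1
    fi

    # 2. The bundle must chain the certificate to a root; otherwise the ASA
    #    serves an incomplete chain and clients cannot validate it.
    openssl verify -CAfile "$bundle" "$crt" >/dev/null 2>&1 || {
        echo "certificate $crt does not chain to $bundle" >&2; return 1; }

    # 3. Export exactly as in the post, password taken from the argument
    #    instead of the interactive prompt.
    openssl pkcs12 -export -out "$out" -inkey "$key" -in "$crt" \
        -certfile "$bundle" -passout "pass:$pass" || return 1

    # 4. Base64-encode for pasting; the import ends with "quit" on its own line.
    base64 "$out" > "$out.b64"
}

# Run only when called with the five arguments above.
if [ $# -eq 5 ]; then
    make_asa_pkcs12 "$@"
fi
```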

Login to the Cisco ASA and create a new trustpoint:

crypto ca trustpoint trustpoint-new
fqdn webvpn.example.com
subject-name CN=*.example.com
crl configure
exit

where:
trustpoint-new – is the newly created trustpoint (I usually name it ‘domain-year’, for example ‘domain.com-2020’)
webvpn.example.com – is the FQDN you are using for webvpn access
*.example.com – is the common name of your certificate (here we use a wildcard certificate, thus the * in the name)

Next, do the actual import:

crypto ca import trustpoint-new pkcs12 pass

where:
trustpoint-new – is the name of the new trustpoint
pass – is the password of the PKCS12 certificate, set during the openssl export

You should see this:

Enter the base 64 encoded pkcs12.
End with the word “quit” on a line by itself:

Next, paste the output of the command “base64 output.pfx” and type “quit” on a new line.
You should receive:

INFO: Import PKCS12 operation completed successfully

The last step is to start using the new trustpoint:

ssl trust-point trustpoint-new