If you are using Cisco ASA, you most likely will also have certificate(s) installed. This is what you need to pay attention to (Version 9.1, higher versions might behave differently):
- Only use 2048bit rsa certs, “old” ASA (without the X in the productname) and version 9.1 do not support 4096bit rsa certs
- Try to avoid StartSSL if you want to use ASDM. Java does not ship with the StartSSL Root Certificate and issues a certificate warning each time you connect via ASDM.
- Convert a “normal” (pem enconded) openssl certificate to PKCS12
openssl pkcs12 -export -out hostname.domain.pfx -inkey hostname.domain.key -in hostname.domain.crt -certfile hostname.domain.com.intermediate ( echo "-----BEGIN PKCS12-----"; openssl base64 -in hostname.domain.pfx ; echo "-----END PKCS12-----"; ) > hostname.domain.pkcs12
- If you have more than one intermediate certificate, you will need to import the cert with the command line via ssh. You will need to specify the password which you using in the previous step to generate the PKCS12 certificate.
crypto ca import TrustPoint-Name pkcs12 password Now enter the PKCS12 encoded file followed by <code>quit</code> on an empty line. .... CERT... quit % The CA cert is not self-signed. % Do you also want to create trustpoints for CAs higher in % the hierarchy? [yes/no]: yes
The main issue seems to be the questions asked, because if you answer with yes, all intermediate certs will be installed!
- If this is a active/standby cluster, the cert is not automatically instantly copied to the standby firewall (there’s also already an bug report for this issue, see ((https://supportforums.cisco.com/document/49566/asa-activestandby-failover-handling-digital-certificates )) ). In order to install it on the standby firewall either:
- reboot the standby firewall
hostname/pri/act# failover reload-standby
- force a resync of the configuration
hostname/pri/act# write standby
updated 2016/07/29 with some minor fixes