Certificates for ASA SSL VPN

How do you set up a Cisco ASA SSL VPN using a CA-supplied cert?

You need three things here.

  1. The new certificate – vpn.ianh.net.au.crt.
  2. The new certificate’s key – vpn.ianh.net.au.key.
  3. The new certificate’s CA bundle, including any intermediate certificates – vpn.ianh.net.au.ca-bundle.

First we combine the certificate and key into a PKCS12 file, protected with a password of ‘areallystrongpassword’, and base 64 encode it. This password is only required during the import process; we delete the file once the import is complete.

ianh@linux:~/cert$ openssl pkcs12 -CAfile vpn.ianh.net.au.ca-bundle -in vpn.ianh.net.au.crt -inkey vpn.ianh.net.au.key -nodes -export -out vpn.ianh.net.au.p12
Enter Export Password: areallystrongpassword
Verifying - Enter Export Password: areallystrongpassword
ianh@linux:~/cert$ openssl base64 -in vpn.ianh.net.au.p12 -out vpn.ianh.net.au.b64p12
ianh@linux:~/cert$ cat vpn.ianh.net.au.b64p12
***lots of cert, copy this output to clipboard for next step***

Then we create a new trust point on the ASA pasting in the base 64 armoured PKCS12 certificate file.

asa(config)# cry ca trustpoint VPN
asa(config-ca-trustpoint)# en term
asa(config-ca-trustpoint)# cry ca import VPN pkcs12 areallystrongpassword
Enter the base 64 encoded pkcs12.
End with the word "quit" on a line by itself:
***paste cert here***
quit
INFO: Import PKCS12 operation completed successfully

Then we add the CA bundle (yes, you do have to do ‘en term’ again):

asa(config)# cry ca trustpoint VPN
asa(config-ca-trustpoint)# en term
asa(config-ca-trustpoint)# cry ca authenticate VPN
Enter the base 64 encoded CA certificate.
End with the word "quit" on a line by itself
***Paste CA bundle here***
quit
INFO: Certificate has the following attributes:
Fingerprint:     83ea0465 b722ed33 ff0b4f53 5e1d396b 
Do you accept this certificate? [yes/no]: yes
Trustpoint 'VPN' is a subordinate CA and holds a non self-signed certificate.
Trustpoint CA certificate accepted.
% Certificate successfully imported
asa(config)# exit
asa#

If this is a replacement certificate, you may need to point webvpn/DTLS to the new trust point.

asa(config-webvpn)# no ssl trust-point VPN outside
asa(config-webvpn)# ssl trust-point VPN outside

Then you need to save the config to force the DTLS process to look at the new certificate.

asa# wr
Building configuration...
Cryptochecksum: 1c43aaba fbb00b48 2b771bef e5a3598d 
154662 bytes copied in 0.890 secs
[OK]
asa#

Don’t forget to delete the certificate files from your workspace to keep them secure.

ianh@linux:~/cert$ rm vpn.ianh.net.au.crt vpn.ianh.net.au.key vpn.ianh.net.au.ca-bundle vpn.ianh.net.au.p12 vpn.ianh.net.au.b64p12
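
Before pasting anything into the ASA, the three files can be checked locally. The script below is an added example, not part of the original post: it confirms the key belongs to the certificate, that the certificate verifies against the CA bundle, and prints the fingerprint of the bundle's first certificate in the layout shown at the "Do you accept this certificate?" prompt. The function names, the throwaway demo CA and the reading of the ASA's four-group fingerprint as an MD5 digest are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post): checks to run before the ASA import.

# True when KEY is the private key for CERT (compares the PEM public keys).
key_matches_cert() {  # usage: key_matches_cert CERT KEY
  c=$(openssl x509 -in "$1" -noout -pubkey) || return 1
  k=$(openssl pkey -in "$2" -pubout) || return 1
  [ -n "$c" ] && [ "$c" = "$k" ]
}

# True when CERT chains to the CA bundle (system roots may complete the chain).
chain_verifies() {  # usage: chain_verifies CA_BUNDLE CERT
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Fingerprint of the first certificate in FILE, laid out like the ASA prompt.
# Assumption: the ASA's four-group value is the MD5 digest of the certificate.
asa_fingerprint() {  # usage: asa_fingerprint FILE
  openssl x509 -in "$1" -noout -fingerprint -md5 |
    sed 's/^.*=//' | tr -d ':' | tr 'A-F' 'a-f' | sed 's/.\{8\}/& /g; s/ $//'
}

preflight() {  # usage: preflight CERT KEY CA_BUNDLE
  key_matches_cert "$1" "$2" || { echo "key does not match certificate" >&2; return 1; }
  chain_verifies "$3" "$1" || { echo "certificate does not chain to bundle" >&2; return 1; }
  echo "checks passed; expect this fingerprint on the ASA: $(asa_fingerprint "$3")"
}

# Constructed sample input: a throwaway CA and a leaf certificate signed by it.
make_demo_pki() {  # usage: make_demo_pki DIR
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo CA" \
    -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null &&
  openssl req -newkey rsa:2048 -nodes -subj "/CN=vpn.example.test" \
    -keyout "$1/vpn.key" -out "$1/vpn.csr" 2>/dev/null &&
  openssl x509 -req -in "$1/vpn.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
    -CAcreateserial -days 1 -out "$1/vpn.crt" 2>/dev/null
}

if [ "${1:-}" = demo ]; then          # run against the constructed sample
  d=$(mktemp -d); trap 'rm -rf "$d"' EXIT
  make_demo_pki "$d" && preflight "$d/vpn.crt" "$d/vpn.key" "$d/ca.crt"
elif [ $# -eq 3 ]; then               # run against real files
  preflight "$@"
fi
```

Run it with `demo` as the only argument to see it work on the constructed files, or pass the certificate, key and CA bundle paths in that order.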