Friday, 5 September 2014

Importing an SSL Wildcard Certificate from an Apache Webserver onto a Cisco ASA 5500

I recently needed to use the same wildcard certificate on both a Linux Apache host (Apache 2.2, RHEL6) and a Cisco ASA (5505), and this is how I did it. This blog post starts _after_ I have the certificate generated, signed, installed, working & tested on the Apache host (which was just a standard CSR + install process, documented in thousands of places elsewhere on the web).



Note: This is a direct-copy rip off of another blog post (http://blog.tonns.org/2013/02/importing-ssltls-wildcard-certificate.html) - I don't really add or change much compared to that post (aside from notes on the way), as the steps worked fine for me; I'm just replicating it here for posterity in case that blog goes away.
Here are the steps:

1. Convert all certs and keys to PEM format


    mkdir asa
    openssl x509 -in example_com.crt -out asa/example_com.crt -outform pem
    # See the note below regarding the next step (intermediate certificates)
    openssl x509 -in geotrust-intermediate-ca.crt -out asa/geotrust-intermediate-ca.crt -outform pem
    openssl rsa -in example_com.key -out asa/example_com.key -outform pem
  

Please note that your certificates may well be in PEM format already - if so, you only need the key conversion step and use the original certificate files.


Please also note that the intermediate-cert step above actually cut the number of chained certificates in my intermediary's cert file, from the original file's 3 chained certs down to 1. This wasn't some kind of clever amalgamation - the command simply only wrote out the first link in the chain. I'm pretty sure this would have been broken if I imported the new file; I didn't investigate this much though, as I realised that the original certs were already in PEM format, so I just deleted the newly-created file and copied the old one in.


2. Now bundle them into PKCS12 format


    cd asa
    openssl pkcs12 -export -in example_com.crt -inkey example_com.key \
        -certfile geotrust-intermediate-ca.crt -out example_com.p12
    # you will need to choose an export password, when prompted

3. Now base64 encode it for the ASA (to paste into terminal window)

    ( echo -----BEGIN PKCS12-----;
      openssl base64 -in example_com.p12;
      echo -----END PKCS12-----; ) > example_com.pkcs12
    cat example_com.pkcs12

4. Import the cert into the ASA terminal via copy/paste from the above cat output

    fw1# conf t
    fw1(config)# crypto ca import example_com-trustpoint pkcs12 {exportPassword}

    Enter the base 64 encoded pkcs12.
    End with the word "quit" on a line by itself:
    -----BEGIN PKCS12-----
    { snip }
    -----END PKCS12-----
    quit
    INFO: Import PKCS12 operation completed successfully
    fw1(config)# exit
    fw1# wr me
    fw1# show crypto ca certificates

5. Enable the trustpoint on the outside interface

    fw1# conf t
    fw1(config)# ssl trust-point example_com-trustpoint outside
    fw1(config)# exit
    fw1# wr me
    fw1# show ssl

6. Bounce the VPN

    fw1# conf t
    fw1(config)# webvpn
    fw1(config-webvpn)# no enable outside
    WARNING: Disabling webvpn removes proxy-bypass settings.
    Do not overwrite the configuration file if you want to keep existing proxy-bypass commands.
    INFO: WebVPN and DTLS are disabled on 'outside'.
    fw1(config-webvpn)# enable outside   
    INFO: WebVPN and DTLS are enabled on 'outside'.
    fw1(config)# exit
    fw1# wr mem



Please note that the method above involves exporting the server's private SSL key as well as the certificate - this isn't quite as secure as having individual certificates with individual private keys for each server.

This SSL certificate's licence terms covered this use case (not all registrars' do), but the registrar's SSL-management web interface provided no actual way to exercise that right. This method is therefore not quite as nice as individual certificates, but I had no other choice.

1 comment:

  1. Very nice post, thanks for sharing. Comodo Essential Wildcard SSL certificates are intended for encrypting sites that handle low-volume online transactions. Because it's a wildcard certificate, you can rapidly and effectively secure a number of sub-domains of a similar domain name. Trusted by more than 99.9% of current Internet clients, Essential SSL is the solution for new sites or conditions where trust has been set up and entity confirmation isn't required.