I recently needed to use the same wildcard certificate on both a Linux Apache host (Apache 2.2, RHEL6) and a Cisco ASA (5505), and this is how I did it. This blog post starts _after_ I have the certificate generated, signed, installed, working & tested on the Apache host (which was just a standard CSR + install process, documented in thousands of places elsewhere on the web).
Note: This is a direct-copy rip off of another blog post (http://blog.tonns.org/2013/02/importing-ssltls-wildcard-certificate.html) - I don't really add or change much compared to that post (aside from notes on the way), as the steps worked fine for me; I'm just replicating it here for posterity in case that blog goes away.
Here are the steps:
1. Convert all certs and keys to PEM format
mkdir asa
openssl x509 -in example_com.crt -out asa/example_com.crt -outform pem
# See note below re: next step for intermediaries
openssl x509 -in geotrust-intermediate-ca.crt -out asa/geotrust-intermediate-ca.crt -outform pem
openssl rsa -in example_com.key -out asa/example_com.key -outform pem
Please note that your certificates may well be in PEM format already - if so, you only need the key conversion step and use the original certificate files.
Please also note that the intermediate-cert step above actually cut the number of chained certificates in my intermediary's cert file, from the original file's 3 chained certs down to 1. This wasn't some kind of clever amalgamation - the command simply only wrote out the first link in the chain. I'm pretty sure this would have been broken if I imported the new file; I didn't investigate this much though, as I realised that the original certs were already in PEM format, so I just deleted the newly-created file and copied the old one in.
2. Now bundle them into PKCS12 format
cd asa
openssl pkcs12 -export -in example_com.crt -inkey example_com.key \
-certfile geotrust-intermediate-ca.crt -out example_com.p12
# you will need to choose an export password, when prompted
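Before packing the bundle, it is worth checking that the PEM conversion did not silently drop chain links (as the note in step 1 describes) and that the resulting PKCS12 really carries the leaf plus its intermediates. This is an added check, not part of the original post; the file names follow the post, the sample chain is constructed fake PEM, and `count_p12_certs` is the only function that needs openssl (it reads the export password from an assumed environment variable `P12PASS`).

```shell
#!/bin/sh
# Chain-integrity checks for the PEM conversion and PKCS12 bundling steps.

# Number of PEM certificate blocks in a file (0 if the file is missing).
count_pem_certs() {
    [ -f "$1" ] || { echo 0; return; }
    grep -c -e '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Non-zero when the converted file holds fewer certificates than the source.
# "openssl x509 -in chain.crt -out ..." does exactly that to a multi-cert
# chain: it writes only the first certificate and drops the rest.
check_chain_intact() {
    src=$(count_pem_certs "$1")
    dst=$(count_pem_certs "$2")
    [ "$src" -gt 0 ] && [ "$dst" -ge "$src" ]
}

# Certificates actually packed into the PKCS12 (leaf + chain). Needs openssl;
# the export password is taken from the environment variable P12PASS (assumed).
count_p12_certs() {
    openssl pkcs12 -in "$1" -nokeys -passin "pass:$P12PASS" 2>/dev/null \
        | grep -c -e '-----BEGIN CERTIFICATE-----' || true
}

# Constructed sample input: writes N fake PEM certificate blocks to a file.
# These are not real certificates; they only exercise the counting logic.
make_fake_chain() {
    n=1
    : > "$1"
    while [ "$n" -le "$2" ]; do
        printf '%s\n' '-----BEGIN CERTIFICATE-----' "FAKECERT$n" \
            '-----END CERTIFICATE-----' >> "$1"
        n=$((n + 1))
    done
}

# Demo: a 3-cert chain next to a "converted" copy that kept only the first cert,
# mimicking the truncation described in the post.
tmp=$(mktemp -d)
make_fake_chain "$tmp/chain.crt" 3
make_fake_chain "$tmp/chain-converted.crt" 1
if check_chain_intact "$tmp/chain.crt" "$tmp/chain-converted.crt"; then
    echo "chain intact"
else
    echo "chain truncated: $(count_pem_certs "$tmp/chain.crt") certs in, $(count_pem_certs "$tmp/chain-converted.crt") out"
fi
rm -rf "$tmp"
```

After step 2, `P12PASS=... count_p12_certs example_com.p12` should report the leaf plus every intermediate you expected to include; a count of 1 means the ASA will present an incomplete chain.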
3. Now base64 encode it for the ASA (to paste into terminal window)
( echo -----BEGIN PKCS12-----;
openssl base64 -in example_com.p12;
echo -----END PKCS12-----; ) > example_com.pkcs12
cat example_com.pkcs12
4. Import the cert into the ASA terminal via copy/paste from the above cat output
fw1# conf t
fw1(config)# crypto ca import example_com-trustpoint pkcs12 {exportPassword}
Enter the base 64 encoded pkcs12.
End with the word "quit" on a line by itself:
-----BEGIN PKCS12-----
{ snip }
-----END PKCS12-----
quit
INFO: Import PKCS12 operation completed successfully
fw1(config)# exit
fw1# wr me
fw1# show crypto ca certificates
5. Enable the trustpoint on the outside interface
fw1# conf t
fw1(config)# ssl trust-point example_com-trustpoint outside
fw1(config)# exit
fw1# wr me
fw1# show ssl
6. Bounce the VPN
fw1# conf t
fw1(config)# webvpn
fw1(config-webvpn)# no enable outside
WARNING: Disabling webvpn removes proxy-bypass settings.
Do not overwrite the configuration file if you want to keep existing proxy-bypass commands.
INFO: WebVPN and DTLS are disabled on 'outside'.
fw1(config-webvpn)# enable outside
INFO: WebVPN and DTLS are enabled on 'outside'.
fw1(config)# exit
fw1# wr mem
Please note that the method above involves exporting the server's private SSL key as well as the certificate - this isn't quite as secure as having individual certificates with individual private keys for each server.
This SSL certificate's licenced rights covered this use-case (not all registrars do), but the registrar's SSL-management web interface provided no actual way to implement this right. This method is therefore not quite as nice as individual certificates, but I had no other choice.
