Update SSL certificate on Cisco ASA

We’ve had to update the SSL certificate on our Cisco ASA recently due to this. The tricky bit was that I couldn’t find the private key file that was used to generate the original certificate. Fortunately, you can extract it from the ASA, combine it with the updated certificate and import the result back into the ASA. Here are the steps. You will need the OpenSSL command-line tool to do this.

From Cisco ASDM, go to Configuration -> Device Management -> Certificate Management -> Identity Certificates and select the existing certificate. Click on Export. Export it to PKCS12 Format (which includes the private key) and provide an encryption passphrase. Note this passphrase as you’ll need it in the next step.

Next we use OpenSSL to convert the exported PKCS12 (.pfx) file, which ASDM writes out as Base64 text, into the binary form that OpenSSL expects.

openssl enc -base64 -d -in certfile.pfx -out converted.pfx

Extract the private key from the converted file. It will ask you for the passphrase entered earlier. The -nocerts -nodes flags write only the private key, unencrypted, so keep private.key somewhere safe and delete it once the new .pfx has been built.

openssl pkcs12 -in converted.pfx -out private.key -nocerts -nodes

Combine the extracted private key with the updated certificate file (certificate.cer) from your CA into a single PKCS12 file. You will also need to supply the intermediate CA certificate (IntermediateCA.cer). It will ask you to enter an export password. You will need this password later when importing the .pfx file into the Cisco ASA.

openssl pkcs12 -export -out updatedcert.pfx -inkey private.key -in certificate.cer -certfile IntermediateCA.cer

Go back to Cisco ASDM, add a new Identity Certificate and import the .pfx file as a new trustpoint. Once it’s created, you can update your SSL Settings to use this new certificate.
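The OpenSSL steps above, as an added example script that is not part of the original post: it runs the Base64 decode, key extraction and re-export in one function, and before exporting it checks that the extracted key actually belongs to the renewed certificate, which is the mistake most likely to leave the ASA with a trustpoint it cannot use. File names and passwords are passed as arguments; the openssl CLI is assumed to be installed.

```shell
#!/bin/sh
# Added example (not from the original post). Rebuilds a Cisco ASA PKCS12
# with a renewed certificate, refusing to export if key and cert don't match.
set -eu

# Usage: rebuild_asa_pfx <exported.pfx (Base64 from ASDM)> <export passphrase>
#                        <renewed.cer> <IntermediateCA.cer> <out.pfx> <out password>
# Returns 0 on success, 1 if the private key does not match the renewed cert.
rebuild_asa_pfx() {
  exported=$1 export_pass=$2 newcert=$3 chain=$4 out=$5 out_pass=$6
  work=$(mktemp -d)
  # Step 1: ASDM exports the PKCS12 as Base64 text; turn it back into binary.
  openssl enc -base64 -d -in "$exported" -out "$work/converted.pfx"
  # Step 2: pull the private key out. It lands unencrypted, so it only ever
  # lives in the temporary directory, which is removed before returning.
  openssl pkcs12 -in "$work/converted.pfx" -passin "pass:$export_pass" \
    -nocerts -nodes -out "$work/private.key"
  # Step 3: compare the key's public half with the public key in the renewed
  # certificate (works for RSA and EC keys alike).
  keypub=$(openssl pkey -in "$work/private.key" -pubout)
  certpub=$(openssl x509 -in "$newcert" -pubkey -noout)
  if [ "$keypub" != "$certpub" ]; then
    echo "private key does not match $newcert; not exporting" >&2
    rm -rf "$work"
    return 1
  fi
  # Step 4: bundle key + renewed cert + intermediate for import into the ASA.
  openssl pkcs12 -export -inkey "$work/private.key" -in "$newcert" \
    -certfile "$chain" -passout "pass:$out_pass" -out "$out"
  rm -rf "$work"
}
```

On OpenSSL 3.x, an ASA export protected with RC2 or another legacy cipher fails in step 2 with an "unsupported" error; adding -legacy to that openssl pkcs12 call loads the legacy provider.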
