Adding a wildcard SSL certificate to a Cisco ASA (2024)

A wildcard SSL certificate is one that is valid for a whole level of subdomains of a domain. If we had a wildcard certificate for example.com it would normally be issued for *.example.com together with the bare example.com, so it is valid for vpn.example.com, mail.example.com, blog.example.com and example.com. Note that the wildcard only matches a single label: *.example.com covers vpn.example.com but not a.vpn.example.com. This differs from a normal SSL certificate, which lists one or more specific host names in its subject alternative name field. There is another post that covers how to install a basic SSL certificate on a Cisco ASA.

In this post we will be covering how to install a wildcard certificate on a Cisco ASA.

Before we begin

Verify you have the following:

  • The certificate private key file (in pem format)
  • The wildcard certificate (in pem format)
  • The intermediate CA certificate (in pem format): the certificate of the CA that signed yours, not the CA's root certificate

For testing we’ll use a Cisco ASA whose management interface (ASDM) is reachable over https from a browser, so that we can look at the certificate it presents.

A quick understanding of the types of certificate files

Examine the certs you have. Open them up in a text editor and look at the contents. Does the certificate start with “-----BEGIN CERTIFICATE-----” and end in “-----END CERTIFICATE-----”? If so that certificate is in “pem” format (base64 text between a header and a footer line). The private key looks the same but with “BEGIN PRIVATE KEY” or “BEGIN RSA PRIVATE KEY” lines instead. Files that end in the suffix ‘.pem’, ‘.crt’ or ‘.key’ usually are in this format; a file whose contents are binary rather than readable text (often ‘.der’ or ‘.pfx’) is not. We’ll need the certificates and the key to be in this format.

There are ways to convert your certs to pem format (openssl can do it) but we won’t cover that here.

Create the pkcs12 certificate.

In the ASA we will eventually choose to import a certificate from a PKCS12 format file, which bundles the certificate and its private key together in one password-protected file.

We will be using a linux system to convert the key + certificate into one file. We can use this command to do the conversion:

$ openssl pkcs12 -export -inkey privkey.pem -in cert.pem -name "My Wildcard Cert" -out cert.p12
Enter Export Password:
Verifying - Enter Export Password:
$ ls
cert.pem  cert.p12  privkey.pem

Here it will also ask you for a new password to encrypt the file. Remember this because we’ll use it later when importing the certificate. The .p12 file contains your private key, so treat it as a secret: pick a real password, move it to the machine running ASDM over a trusted channel, and delete the copies once the import is done.

You can view the pem certificate contents by doing the following command:

openssl x509 -in cert.pem -inform pem -noout -text

Here you’re looking for:

X509v3 Subject Alternative Name: DNS:*.example.com, DNS:example.com

This is the list of host names the certificate is valid for; a browser matches the name it connected to against these SAN entries (the subject CN is no longer used for this). Because this is a wildcard cert we see *.example.com, which matches any single-label host under example.com, plus a separate DNS:example.com entry for the bare domain. If the SAN does not show both entries, the cert is not the wildcard you think it is.
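The checks above, plus two the post does not spell out (does the private key actually belong to the certificate, and does the certificate chain through the intermediate you were given), are worth scripting before anything is pasted into the ASA. The script below is an added example, not code from the original post: it builds a constructed test PKI (root, intermediate and wildcard leaf, all throwaway), runs those checks, and then builds the PKCS12 with the intermediate bundled via -certfile so the import carries the chain. The domain, file names and export password are assumptions; point the check functions at your own privkey.pem, cert.pem and intermediate.pem in practice.

```shell
#!/bin/sh
# Added example (not from the original post). Builds a throwaway test PKI,
# runs the pre-import checks, then creates the PKCS12 the ASA will import.
# example.com, the file names and the export password are assumptions.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

make_test_pki() {
  # Root CA: constructed test material, never use anything like this in production.
  openssl req -new -newkey rsa:2048 -nodes -keyout root.key -out root.csr \
    -subj "/CN=Example Test Root" >/dev/null 2>&1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
  openssl x509 -req -in root.csr -signkey root.key -out root.pem -days 3650 \
    -extfile ca.ext >/dev/null 2>&1
  # Intermediate CA issued by the root: this is the cert the ASA needs installed.
  openssl req -new -newkey rsa:2048 -nodes -keyout intermediate.key -out intermediate.csr \
    -subj "/CN=Example Test Intermediate" >/dev/null 2>&1
  openssl x509 -req -in intermediate.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -out intermediate.pem -days 1825 -extfile ca.ext >/dev/null 2>&1
  # Wildcard leaf: the SAN carries both *.example.com and the bare domain.
  openssl req -new -newkey rsa:2048 -nodes -keyout privkey.pem -out cert.csr \
    -subj "/CN=*.example.com" >/dev/null 2>&1
  printf 'subjectAltName=DNS:*.example.com,DNS:example.com\nextendedKeyUsage=serverAuth\nbasicConstraints=CA:FALSE\n' > leaf.ext
  openssl x509 -req -in cert.csr -CA intermediate.pem -CAkey intermediate.key -CAcreateserial \
    -out cert.pem -days 365 -extfile leaf.ext >/dev/null 2>&1
}

# Check 1: the private key must be the one the certificate was issued for.
# Compare a SHA-256 of the DER public key derived from each side.
key_matches_cert() {
  k=$(openssl pkey -in "$1" -pubout -outform DER 2>/dev/null | openssl dgst -sha256 | awk '{print $NF}')
  c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null | openssl pkey -pubin -outform DER | openssl dgst -sha256 | awk '{print $NF}')
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# Check 2: the SAN must list the wildcard AND the bare domain. Browsers match
# on SAN entries, not on the subject CN, so the CN alone proves nothing.
san_has_wildcard() {
  dom=$(printf '%s' "$2" | sed 's/\./\\./g')
  san=$(openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null)
  printf '%s\n' "$san" | grep -q "DNS:\*\.$dom" &&
    printf '%s\n' "$san" | grep -Eq "DNS:$dom(,|\$)"
}

# Check 3: the leaf must chain through the intermediate to the root. If this
# fails with the intermediate you were sent, you have the wrong intermediate.
chain_verifies() {
  openssl verify -CAfile "$3" -untrusted "$2" "$1" >/dev/null 2>&1
}

# Step 4: build the PKCS12 the ASA imports. -certfile bundles the intermediate
# so the import carries the chain. Prints how many certificates the file can
# be read back with using the same password (expected: leaf + intermediate = 2).
build_pkcs12() {
  openssl pkcs12 -export -inkey privkey.pem -in cert.pem -certfile intermediate.pem \
    -name "My Wildcard Cert" -passout "pass:$1" -out cert.p12 2>/dev/null
  openssl pkcs12 -in cert.p12 -passin "pass:$1" -nokeys 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}

# Run everything against the constructed PKI; prints "ok" only if every check passes.
precheck() {
  make_test_pki
  key_matches_cert privkey.pem cert.pem || { echo "FAIL: key does not match cert"; return 1; }
  # Negative case: the intermediate's key must NOT be accepted for the leaf.
  if key_matches_cert intermediate.key cert.pem; then echo "FAIL: key mismatch not detected"; return 1; fi
  san_has_wildcard cert.pem example.com || { echo "FAIL: SAN lacks wildcard or bare domain"; return 1; }
  chain_verifies cert.pem intermediate.pem root.pem || { echo "FAIL: chain does not verify"; return 1; }
  n=$(build_pkcs12 'change-me-before-use')
  [ "$n" -eq 2 ] || { echo "FAIL: pkcs12 does not carry the chain"; return 1; }
  echo ok
}

precheck
```

Two caveats a practitioner runs into here. OpenSSL 3.x writes PKCS12 files with AES-256 and a SHA-256 MAC by default, and older ASA software releases can reject them at import time; the `-legacy` option of `openssl pkcs12` in OpenSSL 3 falls back to the older encoding those devices expect. And because the export password is all that protects the private key inside the .p12, do not leave the file lying around or send it by e-mail once the import is done.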

First install the intermediate cert

I am a huge fan of the CLI but for some reason I never feel comfortable doing certificate stuff at the CLI.

Go to the ASDM. Navigate to Configuration > Device Management > Certificate Management > CA Certificates.

Click Add.

Then copy and paste your intermediate CA certificate in the box. You can copy the whole thing including the “BEGIN” and “END” lines in your certificate.

Click Install Certificate; the CA certificate should then appear in the list of certificates. Make sure its expiry date is later than that of your own certificate, otherwise the chain starts failing before your certificate does.

If this comes back and says “Certificate install failed” then make sure your certificate is in pem format when pasting it in, and make sure it is the intermediate CA cert and not your own (identity) cert.

Add the certificate to the ASA

In the ASDM. Navigate to Configuration > Device Management > Certificate Management > Identity Certificates.

Click Add.

The ASA stores certificates in containers it calls “trustpoints”. You can give the new trustpoint any name you want but remember it because we’ll refer to it later.

Choose to “import the identity certificate from a file”.

Enter the password you used when you created the pkcs12 file (explained earlier in this post).

Browse to the pkcs12 file you created earlier.

Click Add Certificate.

If all went well then you should see your new certificate added to the list. Verify the expiry date is in the future and also verify the clock on the ASA is correct (show clock at the CLI); a wrong clock makes a perfectly good certificate appear expired or not yet valid.

Assign the certificate to an interface

In the ASDM. Navigate to Configuration > Device Management > Advanced > SSL Settings.

Here you can see which certificate (trustpoint) is presented on which interface.

Select the interface you wish to add the certificate to and either double click or hit edit.

Select the new certificate trustpoint you created earlier.

Click Apply for the popup and then Apply at the bottom of the ASDM screen.
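The same three steps (install the intermediate, import the PKCS12, bind the trustpoint to the interface) from the ASA CLI, as an added example that is not from the post. The trustpoint names WILDCARD-INTERMEDIATE and WILDCARD-2024 and the interface name outside are assumptions; the ASA expects the PKCS12 as base64 text, which you produce on the Linux box with openssl base64 -in cert.p12 -out cert.p12.b64 before pasting.

```cisco
! Added example, not configuration from the original post.
! Trustpoint and interface names are assumptions.
!
! 1. Install the intermediate CA into its own trustpoint. "enrollment terminal"
!    lets you paste the PEM; end the paste with "quit" and answer "yes" to the
!    "Do you accept this certificate?" prompt.
crypto ca trustpoint WILDCARD-INTERMEDIATE
 enrollment terminal
crypto ca authenticate WILDCARD-INTERMEDIATE
-----BEGIN CERTIFICATE-----
(paste the intermediate CA certificate, base64 lines only, here)
-----END CERTIFICATE-----
quit
!
! 2. Import the PKCS12. This creates the trustpoint WILDCARD-2024 with the key and
!    certificate; the passphrase is the export password chosen with openssl.
crypto ca import WILDCARD-2024 pkcs12 <export-password>
(paste the contents of cert.p12.b64 here)
quit
!
! 3. Present the new certificate on the interface that terminates HTTPS / VPN.
ssl trust-point WILDCARD-2024 outside
!
! 4. Verify: correct clock, certificate dates and SAN, and the binding.
show clock
show crypto ca certificates WILDCARD-2024
show run ssl
```

If the PKCS12 import is rejected, the usual causes are the same as in ASDM: the base64 text was pasted with stray characters, the passphrase is wrong, or the file was produced with OpenSSL 3 defaults the ASA release does not accept (see the -legacy note above).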

Verify the certificate

Open a web browser like Firefox and navigate to the URL of your ASA using https. Click the little lock icon in the URL field. Click “more information” then “view certificates”. Here you should be able to confirm that the certificate you added to the ASA is the same as what you see in the browser, and that the browser shows the chain up to the intermediate you installed rather than an error about an unknown issuer.

If it still looks like the old certificate you used to have in there, try a different browser or a fresh private window. Browsers keep TLS connections open and resume sessions, so an existing tab can keep showing the old certificate for a while; once that connection is closed the new certificate will be presented. Checking from the command line with openssl s_client avoids the browser entirely and shows exactly what the ASA serves.

Author: Patricia Veum II