<

How To export SSL Certificate from Cisco ASA (Cisco Adaptive Security Appliance)  and install on a Cisco Wireless LAN Controller

Published on
17,226 Points
14,026 Views
2 Endorsements
Last Modified:
Imagine a situation that you have installed SSL Certificate on your Cisco ASA (Cisco Adaptive Security Appliance) firewall. Installation of SSL certificate on ASA is an another topic for which you can find step-by-step guidance on Cisco's website.

First of all, before you create a CSR (Certificate Signing Request), you must generate a private key, we refer to it as "mykey.pem" later in this document for WLC (Wireless LAN Controller)  use. It is a good practice to save the private key on the local disk in .txt format for future use, but if you forgot to do that, don't worry there is a way to export it from ASA.

We will start from the moment where we have already installed SSL certificate on ASA firewall. Usually for that process you will receive three files from the certificate vendor (or your own root certificate server)
  1. Root CA Certificate (CARoot.crt)
  2. Intermediate CA certificate (SSLCA2.crt)
  3. Device / domain / web server certificate (yourdomain_com.crt)
 

I. To install SSL certificate on WCL you need to create a .pem file that contains the full chain of certificates includes all three* certificates in the following order:

[use a text editor (notepad, nano, vi)]

-----BEGIN CERTIFICATE-----
(Your domain Certificate)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(Intermediate CA certificate)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(Root CA  certificate)
-----END CERTIFICATE-----

Open in new window

Save this file as allcerts.pem.

*NOTE: In controller versions earlier than 5.1.151.0, web authentication certificates can be only device certificates and should not contain the CA roots chained to the device certificate (no chained certificates). With controller version 5.1.151.0 and later, the controller allows for the device certificate to be downloaded as a chained certificate for web authentication. Certificate Levels Level 0—Use of only a server certificate on WLC. Level 1—Use of server certificate on WLC and a CA root certificate. Level 2—Use of server certificate on WLC, one single CA intermediate certificate, and a CA root certificate. Level 3—Use of server certificate on WLC, two CA intermediate certificates, and a CA root certificate.  

II. Before you go to the next step you will need to retrieve a private key from ASA:

From ASA CLI do the following:

ASA(config)# crypto ca export ASDM_TrustPoint0 pkcs12 yourpassword

Open in new window

yourpassword - use the same password you used to generate the private key. The ASA will show you entire key on CLI. Copy this onto a text file and give it a name TrustPoint0.txt. Then using OpenSSL you must convert this base64 encoded file into PEM format.

#openssl base64 -in TrustPoint0.txt -d out TrustPoint0.pfx
#openssl pkcs12 -in TrustPoint0.pfx -info

Open in new window

You will be ask for password that you used to protect this key. Next you will see the private key section in this keychain. The key should look like this:

-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,544C0D9723C89EE348

kE/CWsjsMYHeGPWRxMBTcLdnrlhJCKdabqFpavbANovCczAci
MKNwzTMwTawjr5zUL9u8XkhwkTL09AHDgSazv6YF2Sh2bPHOLaiE/8pkTys3UrgA
....
-----END RSA PRIVATE KEY-----
Certificate bag
Bag Attributes
    friendlyName: ou=Domain Control Validated,ou=NameSSL Wildcard,cn=*.yourdomain.com
    localKeyID: 00 00 00 01 
subject=/OU=Domain Control Validated/OU=NameSSL Wildcard/CN=*.yourdomain.com
issuer=/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=NameSSL CA 2
-----BEGIN CERTIFICATE-----
czELMAkGA1UEBhMCR0IxGzAZBgNVBAgTEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4G
A1UEBxMHU2FsZm9yZDEaMBgGA1UEChMRQ09NT0RPIENBIExpbWl0ZWQxGTAXBgNV
BAMTEBxMHU2FsZm9yZDEaMMIIFIzCCBAugAwIBAgIRAIWm
.....
-----END CERTIFICATE-----

Open in new window

Copy and paste the private key section onto another file and name it mykey.pem


III. Use OpenSSL and your RSA private key "mykey.pem" with the chained SSL certificates "allcerts.pem"


#openssl pkcs12 -export -in allcerts.pem -inkey mykey.pem -out All-certs.p12 -clcerts -passin pass:yourpassword -passout pass:yourpassword
#openssl pkcs12 -in All-certs.p12 -out final-cert.pem -passin pass:yourpassword -passout pass:yourpassword

Open in new window


Your resulting file is called "final-cert.pem". You are now ready to install your certificate on the WLC. To install your SSL certificate with the full chain to the WLC (using the GUI):
  1. Make a copy of the "final-cert.pem" file and copy it to your TFTP server.
  2. Select Security > Web Auth > Cert to open up the Web Authentication page.
  3. Enable the Download SSL Certificate box to setup the TFTP parameters.
  4. Enter the IP address of the TFTP server in the IP Address field.
  5. Enter the path to the file in the Directory Path field and enter the file name in the file name field.
  6. Enter the password used for the file (in the example commands, yourpassword was used).
  7. Click Apply.
  8. After the file downloads from the TFTP server, reboot the WLC by going to Commands > Reboot > Reboot. Save any changes if prompted.
You have now installed an SSL certificate.
2
Comment
0 Comments

Featured Post

Worried about phishing attacks?

90% of attacks start with a phish. It’s critical that IT admins and MSSPs have the right security in place to protect their end users from these phishing attacks. Check out our latest feature brief for tips and tricks to keep your employees off a hackers line!

Join & Write a Comment

In this video I will demonstrate how to set up Nine, which I now consider the best alternative email app to Touchdown.
Did you know PowerShell can save you time with SaaS platforms? Simply leverage RESTfulAPIs to build your own PowerShell modules. These will kill repetitive tickets and tabs, using the command Invoke-RestMethod. Tune into this webinar to learn how…

Keep in touch with Experts Exchange

Tech news and trends delivered to your inbox every month