Adding a wildcard SSL certificate to a Cisco ASA (2024)

A wildcard SSL certificate is where the SSL certificate is good for both the root domain and all subdomains. If we had a wildcard certificate for example.com it means the certificate will be valid for vpn.example.com, mail.example.com, blog.example.com, and example.com. This differs from a normal SSL certificate that specifically indicates one or more domain names in the subject field. There is another post that covers how to install a basic SSL certificate on a Cisco ASA.

In this post we will be covering how to install a wildcard certificate on a Cisco ASA.

Before we begin

Verify you have the following:

  • The certificate private key file (in pem format)
  • The wildcard certificate (in pem format)
  • The intermediary certificate (in pem format)

For testing we’ll use a Cisco ASA that can be reached over HTTPS from a browser.

A quick understanding of the types of certificate files

Examine the certs you have. Open them up and look at the contents. Does it start with “BEGIN CERTIFICATE” and end in “END CERTIFICATE”? If so then that certificate is likely in “pem” format. Files that end in the suffix ‘.pem’ or ‘.key’ usually are in this format. We’ll need all the certs to be in this format for best results.

There are ways to convert your certs to pem format but we won’t cover that here.

Create the pkcs12 certificate

On the ASA we will import the identity certificate from a PKCS12 file, which bundles the certificate and its private key together.

We will use a Linux system to combine the key and certificate into one file. This command does the conversion:

$ openssl pkcs12 -export -inkey privkey.pem -in cert.pem -name "My Wildcard Cert" -out cert.p12
Enter Export Password:
Verifying - Enter Export Password:
$ ls
cert.pem  cert.p12  privkey.pem

Here it will also ask you for a new password to encrypt the file. Remember this because we’ll use it later when importing the certificate.

You can view the pem certificate contents by doing the following command:

openssl x509 -in cert.pem -inform pem -noout -text

Here you’re looking for:

X509v3 Subject Alternative Name: DNS:*.example.com, DNS:example.com

This lists the host names the certificate is valid for. Because this is a wildcard cert we see *.example.com, which matches any single label under example.com (vpn.example.com, mail.example.com and so on); the separate DNS:example.com entry is what covers the bare domain, since the wildcard on its own does not.

First install the intermediate cert

I am a huge fan of the CLI but for some reason I never feel comfortable doing certificate stuff at the CLI.

Go to the ASDM. Navigate to Configuration > Device Management > Certificate Management > CA Certificates.

Click Add.

Then copy and paste your intermediate CA certificate in the box. You can copy the whole thing including the “BEGIN” and “END” lines in your certificate.

Click Install Certificate. The certificate should install and appear in the list of CA certificates. Make sure its expiry date is far into the future (at least later than your own certificate’s).

If this comes back with “Certificate install failed”, make sure the certificate you pasted is in pem format and that it is the intermediary CA cert, not your primary (identity) cert.
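The PKCS12 step and the “Certificate install failed” troubleshooting above both come down to having the right three files, so here is a pre-flight check to run from the same Linux shell before touching the ASDM: it confirms the key belongs to the certificate, that the file you intend to paste as the CA cert is really a CA certificate and really issued your certificate, that the SAN carries the wildcard, and that the certificate is not about to expire, then builds the PKCS12 non-interactively. This is an added example, not code from the original post; it assumes openssl on PATH and the privkey.pem / cert.pem / intermediate.pem names used above, and make_test_chain builds a constructed throwaway chain to try it on.

```shell
#!/bin/sh
# Pre-flight checks on the three PEM files before building the PKCS12 that the
# ASA will import. Added example, not from the original post; assumes openssl
# on PATH and the privkey.pem / cert.pem / intermediate.pem names used above.

# check_bundle KEY CERT INTERMEDIATE -> 0 when every check passes, else 1
check_bundle() {
  key=$1; cert=$2; inter=$3; rc=0
  # The private key must belong to the certificate (identical public keys).
  [ "$(openssl pkey -in "$key" -pubout 2>/dev/null)" = "$(openssl x509 -in "$cert" -noout -pubkey)" ] \
    || { echo "FAIL: $key is not the private key for $cert"; rc=1; }
  # The file pasted as the CA certificate must really be a CA, not the identity cert.
  openssl x509 -in "$inter" -noout -text | grep -q 'CA:TRUE' \
    || { echo "FAIL: $inter is not a CA certificate"; rc=1; }
  # The intermediate must have signed the certificate (verify also checks dates).
  openssl verify -partial_chain -CAfile "$inter" "$cert" >/dev/null 2>&1 \
    || { echo "FAIL: $cert was not issued by $inter"; rc=1; }
  # A wildcard certificate carries DNS:*.<domain> in its Subject Alternative Name.
  openssl x509 -in "$cert" -noout -text | grep -q 'DNS:\*\.' \
    || { echo "FAIL: $cert has no wildcard SAN entry"; rc=1; }
  # Refuse a certificate that expires within 30 days (2592000 seconds).
  openssl x509 -in "$cert" -noout -checkend 2592000 >/dev/null \
    || { echo "FAIL: $cert expires within 30 days"; rc=1; }
  return $rc
}

# build_p12 KEY CERT NAME OUT: the export password is read from $P12_PASS so it
# never appears in the process list; the ASA asks for the same password on import.
build_p12() {
  openssl pkcs12 -export -inkey "$1" -in "$2" -name "$3" -out "$4" -passout env:P12_PASS
}

# make_test_chain DIR: constructed root -> intermediate -> *.example.com chain so
# the checks can be exercised without CA-issued files (test data only).
make_test_chain() {
  d=$1; mkdir -p "$d"
  openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=Test Root" -days 365 \
    -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Test Intermediate" \
    -keyout "$d/inter.key" -out "$d/inter.csr" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext"
  openssl x509 -req -in "$d/inter.csr" -CA "$d/root.pem" -CAkey "$d/root.key" -CAcreateserial \
    -days 365 -extfile "$d/ca.ext" -out "$d/intermediate.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=*.example.com" \
    -keyout "$d/privkey.pem" -out "$d/cert.csr" 2>/dev/null
  printf 'subjectAltName=DNS:*.example.com,DNS:example.com\n' > "$d/leaf.ext"
  openssl x509 -req -in "$d/cert.csr" -CA "$d/intermediate.pem" -CAkey "$d/inter.key" \
    -CAcreateserial -days 365 -extfile "$d/leaf.ext" -out "$d/cert.pem" 2>/dev/null
}
```

If the ASA rejects a file produced with OpenSSL 3, the cause is often its newer PKCS12 encryption defaults; adding -legacy (or -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES) to the export re-creates the older format.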

Add the certificate to the ASA

In the ASDM. Navigate to Configuration > Device Management > Certificate Management > Identity Certificates.

Click Add.

The ASA refers to certificates as “TrustPoints”. You can give it any name you want but remember it because we’ll refer to it later.

Choose to “import the identity certificate from a file”.

Enter the password you used when you created the pkcs12 file (explained earlier in this post).

Browse to the pkcs12 file you created earlier.

Click Add Certificate.

If all went well then you should see your new certificate added to the list. Verify the date is in the future and also verify the clock on the ASA is correct (show clock).

Assign the certificate to an interface

In the ASDM. Navigate to Configuration > Device Management > Advanced > SSL Settings.

Here you can see which certificate is going to be placed on which interface.

Select the interface you wish to add the certificate to and either double click or hit edit.

Select the new certificate trustpoint you created earlier.

Click Apply for the popup and then Apply at the bottom of the ASDM screen.

Verify the certificate

Open a web browser like Firefox and navigate to the URL of your ASA using https. Click the little lock icon in the URL field. Click “more information” then “view certificates”. Here you should be able to confirm that the certificate you added to the ASA is the same as what you see in the browser.

If it still looks like the old certificate you used to have in there, try opening a different browser. Browsers often cache the certificate; once the cache times out or the user clears it, the new certificate will be present.
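Because a browser may keep showing the old certificate, a check that bypasses it is to compare the SHA-256 fingerprint of the certificate the ASA actually presents with that of the cert.pem you imported. This is an added example, not code from the original post; it assumes openssl on PATH and that the ASA answers HTTPS on the host and port given.

```shell
#!/bin/sh
# Compare the certificate served on HOST:PORT with the local cert.pem by
# SHA-256 fingerprint. Added example, not from the original post; assumes
# openssl on PATH and an HTTPS listener on the given host and port.

# fingerprint_of_served HOST PORT: SHA-256 fingerprint of the leaf certificate
# presented by HOST:PORT (SNI set to HOST); empty if nothing could be fetched.
fingerprint_of_served() {
  openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
    | openssl x509 -noout -fingerprint -sha256 2>/dev/null
}

# fingerprint_of_file CERT_PEM: the same fingerprint computed from the local file.
fingerprint_of_file() {
  openssl x509 -in "$1" -noout -fingerprint -sha256
}

# served_matches HOST PORT CERT_PEM -> 0 when the live certificate is the one in
# CERT_PEM, 1 otherwise; both fingerprints are printed so a mismatch is obvious.
served_matches() {
  live=$(fingerprint_of_served "$1" "$2")
  want=$(fingerprint_of_file "$3")
  echo "live: $live"
  echo "file: $want"
  [ -n "$live" ] && [ "$live" = "$want" ]
}

# Usage: sh verify_asa_cert.sh vpn.example.com 443 cert.pem
[ $# -eq 3 ] && served_matches "$1" "$2" "$3"
```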

Article information

Author: Patricia Veum II
