If you do not want to (or cannot) use ASDM, this is how you upload an SSL certificate to Cisco ASA v 9.4+.

Based on which is not 100% correct

  1. Get the cert in PKCS12 format. Ensure that the password does not have any funny characters like ‘?’
  2. Encode it as base64:
     openssl base64 -in xxxxx.pfx > xxxxx.base64
  3. Open xxxxx.base64 in an editor and add the header (-----BEGIN PKCS12-----) and the footer (-----END PKCS12-----).
    The result should look approximately like this:
     -----BEGIN PKCS12-----
     --- cut ---
     -----END PKCS12-----
  4. Log in to the FW, go to config mode and use crypto ca import to load the cert. Replace PasswordPassword with the password used to encrypt the original xxxxx.pfx
     asa(config)# crypto ca import WildCard-Cert-2024 pkcs12 PasswordPassword
     Enter the base 64 encoded pkcs12.
     End with the word “quit” on a line by itself:
  5. Copy the cert from the xxxxx.base64 file and end, as prompted, with quit on a new line
     -----END PKCS12-----
     Trustpoint ‘WildCard-Cert-2024’ is a subordinate CA and holds a non self-signed certificate.
     Trustpoint CA certificate accepted.
     INFO: Import PKCS12 operation completed successfully.
  6. Done. You now have a new trustpoint. Verify it with:
     show crypto ca trustpoints WildCard-Cert-2024
     Then replace the old trustpoint with the new one for SSL VPN or whatever you use it for.
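
Steps 1 to 3 can be scripted so the file you paste in step 5 is known to be intact. The script below is an added example, not part of the original procedure: the function names are made up here, and the password check covers only ‘?’ (the character named in step 1) plus empty values and spaces, which is an assumption.

```shell
#!/bin/sh
# Added example (not from the original post); function names are illustrative.

# Step 1 check: 0 if the passphrase can be typed on the ASA command line.
# '?' is the character the post warns about; rejecting empty values and
# spaces as well is an extra assumption made here.
asa_password_ok() {
    case "$1" in
        ''|*'?'*|*' '*) return 1 ;;
        *) return 0 ;;
    esac
}

# Base64 with 64-column lines: openssl as in the post, coreutils as fallback.
b64_encode() {
    if command -v openssl >/dev/null 2>&1; then
        openssl base64 -in "$1"
    else
        base64 < "$1" | tr -d '\n' | fold -w 64; echo
    fi
}

b64_decode() {
    if command -v openssl >/dev/null 2>&1; then
        openssl base64 -d
    else
        base64 -d
    fi
}

# Steps 2-3: write header, base64 body and footer to $2, then decode the body
# again and compare it with the input so a damaged file is caught before pasting.
wrap_pkcs12() {
    src=$1 dst=$2
    [ -s "$src" ] || { echo "missing or empty: $src" >&2; return 1; }
    (
        umask 077   # the output still contains the (encrypted) private key
        {
            echo '-----BEGIN PKCS12-----'
            b64_encode "$src"
            echo '-----END PKCS12-----'
        } > "$dst"
    ) || return 1
    sed '1d;$d' "$dst" | b64_decode | cmp -s - "$src"
}

# Stand-alone use: sh wrap_pkcs12.sh xxxxx.pfx xxxxx.base64
if [ "$#" -eq 2 ]; then
    wrap_pkcs12 "$1" "$2" && echo "wrote $2"
fi
```

Delete both xxxxx.pfx and xxxxx.base64 from the workstation once the import in step 5 has succeeded, since each contains the private key.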