If you do not want to (or cannot) use ASDM, this is how you upload an SSL certificate to a Cisco ASA running v9.4+.
Based on which is not 100% correct
- Get the cert in PKCS12 format. Ensure that the password does not have any funny characters like '?'.
- Encode it as base64:

  ```
  openssl base64 -in xxxxx.pfx > xxxxx.base64
  ```
- Open xxxxx.base64 in an editor and add the header (`-----BEGIN PKCS12-----`) and the footer (`-----END PKCS12-----`). The result should look approximately like this:

  ```
  -----BEGIN PKCS12-----
  MIIWrwIBAzCCFmsGCSqGSIb3DQEHAaCCFlwEghZYMIIWVDCCBgUGCSqGSIb3DQEH
  --- cut ---
  AwIaBBSKPmxqT7+AiWzI59aG9OvBV41wUAQUosZZzwYjaNwlJwQaEeP7L7KS+owC
  AgfQ
  -----END PKCS12-----
  ```
- Log in to the FW, go to config mode and use `crypto ca import` to load the cert. Replace PasswordPassword with the password used to encrypt the original xxxxx.pfx:

  ```
  asa(config)# crypto ca import WildCard-Cert-2024 pkcs12 PasswordPassword
  Enter the base 64 encoded pkcs12.
  End with the word "quit" on a line by itself:
  ```
- Copy the cert from the xxxxx.base64 file and, as prompted, end with quit on a new line:

  ```
  AwIaBBSKPmxqT7+AiWzI59aG9OvBV41wUAQUosZZzwYjaNwlJwQaEeP7L7KS+owC
  AgfQ
  -----END PKCS12-----
  quit

  Trustpoint 'WildCard-Cert-2024' is a subordinate CA and holds a non self-signed certificate.
  Trustpoint CA certificate accepted.
  INFO: Import PKCS12 operation completed successfully.
  ```
- Done. You now have a new trustpoint. Verify it with `show crypto ca trustpoints WildCard-Cert-2024`. Then replace the old trustpoint with the new one for SSL VPN or whatever you use it for.
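
An added helper (not from the original post) that automates the encode-and-wrap steps above in Python: it checks that the input really is a binary PKCS12, emits the block with header, footer and trailing quit, and decodes it again to confirm nothing was mangled. The function names and the sample bytes are constructed for this example.

```python
import base64
import sys

HEADER = "-----BEGIN PKCS12-----"
FOOTER = "-----END PKCS12-----"
# Constructed sample: a minimal DER prefix (SEQUENCE, INTEGER 3) plus filler.
# It is not a real certificate bundle; it only exercises the formatting.
SAMPLE_PFX = b"\x30\x82\x00\x67\x02\x01\x03" + bytes(range(100))


def looks_like_pfx(data: bytes) -> bool:
    """True if data starts like a binary PKCS12: SEQUENCE { INTEGER 3, ... }."""
    if len(data) < 4 or data[0] != 0x30:
        return False
    # Short-form length is one byte; long form is 0x80|n followed by n bytes.
    start = 2 if data[1] < 0x80 else 2 + (data[1] & 0x7F)
    return data[start:start + 3] == b"\x02\x01\x03"


def password_ok(password: str) -> bool:
    """The page's warning: avoid characters like '?' in the export password."""
    return "?" not in password


def asa_pkcs12_block(pfx: bytes) -> str:
    """Return the text to paste after 'crypto ca import ... pkcs12 ...'."""
    if not looks_like_pfx(pfx):
        raise ValueError("not a binary PKCS12 file (already base64 or PEM?)")
    b64 = base64.b64encode(pfx).decode("ascii")
    # 64 characters per line, the width openssl base64 emits.
    body = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join([HEADER, *body, FOOTER, "quit"]) + "\n"


def decode_block(block: str) -> bytes:
    """Recover the PKCS12 bytes from a block, to confirm nothing was mangled."""
    lines = [line.strip() for line in block.splitlines()]
    body = lines[lines.index(HEADER) + 1:lines.index(FOOTER)]
    return base64.b64decode("".join(body), validate=True)


if __name__ == "__main__":
    # Usage: script.py xxxxx.pfx  (no argument: use the constructed sample)
    pfx = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PFX
    block = asa_pkcs12_block(pfx)
    assert decode_block(block) == pfx
    sys.stdout.write(block)
```

The round-trip check catches an editor that rewrapped or truncated the base64 before it reaches the firewall prompt.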