Converting a PFX certificate to PEM format on Windows

March 22, 2010

Although Cisco devices allow you to generate a Certificate Signing Request (CSR) to obtain a new certificate from a Certificate Authority, many administrators will want to use the existing 3rd party certificates they already have installed on their Windows servers for purposes such as Cisco’s AnyConnect SSL VPN to prevent clients getting certificate warnings when logging in.

To import an existing certificate and key pair onto Cisco (and many other) devices, you will need to have the certificate in PEM format with base64 (ASCII) encoding. However, when exporting a certificate from the Windows certificate store, you will only be given the option of exporting the certificate to PKCS#12 (PFX) with a binary format.

So how do you convert a PFX file to PEM format? By using one of the following commands from the command prompt:

  • Using OpenSSL – download from openssl.org: openssl base64 -in certificate-name.pfx -out certificate-name.pem

If you are planning on using the certificate for code signing/VPN access on a Cisco ASA, you can find excellent documentation on how to import it here: http://www.cisco.com/en/US/docs/security/asa/asa80/release/notes/asarn80.html#wp241924

posted in Windows, Windows Server by Sam Kendall


1 Comment to "Converting a PFX certificate to PEM format on Windows"

  1. Neil Kauffman wrote:

    Thank you Sam!

    You saved me a bunch of work. I had to do the opposite (export a base64 encoded cert from an ASA to import into Windows) and this pointed me in the right direction.

    The base64 command is now the “enc” command. Here is the command to convert base64 into pfx: openssl enc -in asaExportCertName.p12 -out WindowsImportCertName.p12 -pass pass:asaExportPassphrase -d -a

    Before running the OpenSSL operation, open the certificate that you exported from the ASA and remove the “Exported pkcs12 follows:” text that Cisco adds.
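The two directions described in the post and in the comment above, as an added Python sketch that is not from the post or from Cisco. It shows that the base64 step wraps the whole PKCS#12 container, private key included, and it checks that decoded text really is a PKCS#12 structure before it is written to disk. The function names, the constructed sample bytes and the skipping of "-----" delimiter lines are assumptions of this example.

```python
import base64

ASA_BANNER = "Exported pkcs12 follows:"  # text the ASA adds, per the comment above

def pfx_to_base64(pfx: bytes) -> str:
    """Base64 text in 64-character lines, the shape `openssl base64` writes."""
    b64 = base64.b64encode(pfx).decode("ascii")
    return "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64)) + "\n"

def looks_like_pfx(data: bytes) -> bool:
    """PKCS#12 starts as SEQUENCE { INTEGER 3, ... }: check tag, length, version."""
    if len(data) < 5 or data[0] != 0x30:
        return False
    first = data[1]
    if first < 0x80:                      # short-form length
        body, declared = 2, first
    elif first == 0x80:                   # BER indefinite length
        body, declared = 2, None
    else:                                 # long form: next (first & 0x7F) bytes
        body = 2 + (first & 0x7F)
        declared = int.from_bytes(data[2:body], "big")
    if declared is not None and body + declared != len(data):
        return False                      # truncated paste or trailing bytes
    return data[body:body + 3] == b"\x02\x01\x03"

def base64_to_pfx(text: str) -> bytes:
    """Recover the binary PKCS#12 from base64 text such as an ASA export."""
    lines = [ln.strip() for ln in text.splitlines()]
    # Assumption: besides the banner, skip blank lines and any "-----" delimiter lines.
    kept = [ln for ln in lines if ln and ln != ASA_BANNER and not ln.startswith("-----")]
    pfx = base64.b64decode("".join(kept), validate=True)  # rejects stray characters
    if not looks_like_pfx(pfx):
        raise ValueError("decoded data does not look like a PKCS#12 structure")
    return pfx

# Constructed placeholder with a PKCS#12-shaped header; not a real keystore.
SAMPLE_PFX = b"\x30\x82\x01\x03" + b"\x02\x01\x03" + bytes(range(256))
SAMPLE_ASA_EXPORT = ASA_BANNER + "\n" + pfx_to_base64(SAMPLE_PFX)

if __name__ == "__main__":
    text = pfx_to_base64(SAMPLE_PFX)
    print(text.splitlines()[0])           # first line of the text a device would import
    print(base64_to_pfx(SAMPLE_ASA_EXPORT) == SAMPLE_PFX)
```

Because the encoded text still contains the private key, the resulting file needs the same protection as the original PFX.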
