A wildcard SSL certificate is one that is valid for both the root domain and its subdomains. If we had a wildcard certificate for example.com it would be valid for vpn.example.com, mail.example.com, blog.example.com, and example.com. This differs from a normal SSL certificate, which specifically lists one or more domain names in the subject field. There is another post that covers how to install a basic SSL certificate on a Cisco ASA.
In this post we will be covering how to install a wildcard certificate on a Cisco ASA.
Before we begin
Verify you have the following:
- The certificate private key file (in pem format)
- The wildcard certificate (in pem format)
- The intermediate certificate (in pem format)
For testing we’ll use a Cisco ASA that is reachable over HTTPS from a browser.
A quick understanding of the types of certificate files
Examine the certs you have. Open them up and look at the contents. Does the certificate start with “-----BEGIN CERTIFICATE-----” and end with “-----END CERTIFICATE-----”? If so, it is in PEM format; a PEM private key instead starts with “-----BEGIN PRIVATE KEY-----” (or “-----BEGIN RSA PRIVATE KEY-----” in the older encoding). Files that end in the suffix ‘.pem’ or ‘.key’ usually are in this format. We’ll need all the certs to be in this format for best results.
There are ways to convert your certs to pem format but we won’t cover that here.
Create the pkcs12 certificate
In the ASA we will eventually choose to import a certificate from a PKCS12 format file, which holds the certificate and the private key together.
We will be using a Linux system with OpenSSL to combine the key and certificate into one file. The conversion will also ask you for a new password to encrypt the file. Remember this because we’ll use it later when importing the certificate.
You can view the pem certificate contents with the following command:
openssl x509 -in cert.pem -inform pem -noout -text
Here you’re looking for:
X509v3 Subject Alternative Name: DNS:*.example.com, DNS:example.com
This lists the hostnames the certificate is valid for; the browser checks the name it connected to against these entries. Because this is a wildcard cert we see *.example.com, which will match any of the example.com subdomains.
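The conversion and the checks above, as an added shell example that is not from the original post. It assumes OpenSSL on the Linux box; key.pem, cert.pem, chain.pem (the intermediate) and the trustpoint name are placeholders, and the PKCS12_PASS and PKCS12_LEGACY variables are this example's own conventions. Beyond the post's steps it also confirms the private key belongs to the certificate before bundling, and it includes a small hostname matcher that shows why the SAN carries both *.example.com and example.com: a wildcard covers exactly one label, so *.example.com matches vpn.example.com but neither example.com itself nor a.b.example.com.

```shell
#!/bin/sh
# Added example (not from the original post): bundle a wildcard certificate and
# its key into a PKCS#12 file for the ASA, and sanity-check the certificate first.
# key.pem, cert.pem, chain.pem and the trustpoint name are placeholders.

TRUSTPOINT_NAME=${TRUSTPOINT_NAME:-WILDCARD-EXAMPLE-COM}   # assumed name

# key_matches_cert KEY CERT
# The public key derived from the private key must equal the one inside the
# certificate; a mismatched pair produces a .p12 that imports but never works.
key_matches_cert() {
  [ "$(openssl pkey -in "$1" -pubout 2>/dev/null)" = \
    "$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null)" ]
}

# cert_sans CERT -> one DNS entry of the Subject Alternative Name per line,
# parsed from the same "openssl x509 -text" output the post inspects by hand
cert_sans() {
  openssl x509 -in "$1" -noout -text \
    | grep -A1 'Subject Alternative Name' \
    | tr ',' '\n' \
    | sed -n 's/.*DNS:\([^ ]*\).*/\1/p'
}

# san_matches PATTERN HOST
# Wildcard rule browsers apply (RFC 6125): "*" stands for exactly one label,
# so *.example.com matches vpn.example.com but not example.com or a.b.example.com.
san_matches() {
  pattern=$(printf '%s' "$1" | tr 'A-Z' 'a-z')   # DNS names are case-insensitive
  host=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
  case "$pattern" in
    \*.*)
      suffix=${pattern#\*.}
      case "$host" in
        *."$suffix") ;;                 # host ends in ".example.com"
        *) return 1 ;;
      esac
      label=${host%."$suffix"}
      case "$label" in
        ''|*.*) return 1 ;;             # nothing, or more than one label, before it
      esac
      return 0 ;;
    *) [ "$host" = "$pattern" ] ;;      # plain entry: exact match only
  esac
}

# cert_covers_host CERT HOST -> true if any SAN entry matches HOST
cert_covers_host() {
  cert_sans "$1" | (
    while IFS= read -r san; do
      san_matches "$san" "$2" && exit 0
    done
    exit 1
  )
}

# cert_valid_for_days CERT DAYS -> true if CERT does not expire within DAYS days
cert_valid_for_days() {
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# make_pkcs12 KEY CERT OUT [CHAIN]
# openssl prompts for the export password unless PKCS12_PASS is exported.
# PKCS12_LEGACY=1 adds OpenSSL 3's -legacy flag (older PBE algorithms) for
# importers that reject the OpenSSL 3 defaults.
make_pkcs12() {
  key=$1; cert=$2; out=$3; chain=$4
  key_matches_cert "$key" "$cert" || { echo "private key does not match $cert" >&2; return 1; }
  set -- -export -inkey "$key" -in "$cert" -out "$out" -name "$TRUSTPOINT_NAME"
  if [ -n "$chain" ]; then set -- "$@" -certfile "$chain"; fi
  if [ -n "${PKCS12_PASS:-}" ]; then set -- "$@" -passout env:PKCS12_PASS; fi
  if [ "${PKCS12_LEGACY:-0}" = 1 ]; then set -- "$@" -legacy; fi
  openssl pkcs12 "$@"
}

# Typical run on the Linux box (file names are placeholders):
#   make_pkcs12 key.pem cert.pem wildcard.p12 chain.pem
#   cert_sans cert.pem                                  # *.example.com, example.com
#   cert_covers_host cert.pem vpn.example.com && echo "covered"
#   cert_valid_for_days cert.pem 30 || echo "expires within 30 days"
```

Passing the intermediate with -certfile puts it into the same .p12, which is harmless on the ASA since the CA certificate is installed separately in the next step anyway; the expiry check is the same one the post asks you to do by eye in ASDM.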
First install the intermediate cert
I am a huge fan of the CLI but for some reason I never feel comfortable doing certificate stuff at the CLI.
Go to the ASDM. Navigate to Configuration > Device Management > Certificate Management > CA Certificates.
Then copy and paste your intermediate CA certificate in the box. You can copy the whole thing including the “BEGIN” and “END” lines in your certificate.
Click Install Certificate; the certificate should install and appear in the list of CA certificates. Make sure the expiry date is far into the future (at least later than your own certificate’s).
If this comes back and says “Certificate install failed” then make sure your certificate is in pem format when pasting it in, and make sure it’s the intermediate CA cert and not your primary cert.
Add the certificate to the ASA
In the ASDM, navigate to Configuration > Device Management > Certificate Management > Identity Certificates.
The ASA refers to certificates as “TrustPoints”. You can give it any name you want but remember it because we’ll refer to it later.
Choose to “import the identity certificate from a file”.
Enter the password you used when you created the pkcs12 file (explained earlier in this post).
Browse to the pkcs12 file you created earlier.
Click Add Certificate.
If all went well then you should see your new certificate added to the list. Verify the date is in the future and also verify the clock on the ASA is correct (show clock).
Assign the certificate to an interface
In the ASDM, navigate to Configuration > Device Management > Advanced > SSL Settings.
Here you can see which certificate is going to be placed on which interface.
Select the interface you wish to add the certificate to and either double click or hit edit.
Select the new certificate trustpoint you created earlier.
Click Apply for the popup and then Apply at the bottom of the ASDM screen.
Verify the certificate
Open a web browser like Firefox and navigate to the URL of your ASA using https. Click the little lock icon in the URL field. Click “more information” then “view certificates”. Here you should be able to confirm that the certificate you added to the ASA is the same as what you see in the browser.
If it still looks like the old certificate you used to have in there, try opening a different browser. Browsers often cache the certificate. Once the cache times out or the user clears the cache, the new certificate will be present.
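A browser-independent way to check what the ASA is actually serving, as an added shell example that is not from the original post. It assumes OpenSSL on a Linux host that can reach the ASA; vpn.example.com and the file names are placeholders. Comparing SHA-256 fingerprints sidesteps the browser caching described above, and served_chain shows whether the intermediate CA installed earlier is being sent along with the identity certificate.

```shell
#!/bin/sh
# Added example (not from the original post): confirm which certificate the ASA
# presents, without a browser in the way. Host and file names are placeholders.

# cert_fingerprint CERT -> SHA-256 fingerprint of a local PEM certificate
cert_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# served_fingerprint HOST [PORT] -> SHA-256 fingerprint of the leaf certificate
# the server presents for HOST (SNI is sent so the matching interface answers)
served_fingerprint() {
  openssl s_client -connect "$1:${2:-443}" -servername "$1" </dev/null 2>/dev/null \
    | openssl x509 -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# served_cert_matches CERT HOST [PORT] -> true if the ASA presents exactly CERT
served_cert_matches() {
  local_fp=$(cert_fingerprint "$1")
  remote_fp=$(served_fingerprint "$2" "$3")
  [ -n "$local_fp" ] && [ "$local_fp" = "$remote_fp" ]
}

# served_chain HOST [PORT] -> subject (s:) and issuer (i:) of every certificate
# in the chain the server sends; the intermediate should appear as entry 1
served_chain() {
  openssl s_client -connect "$1:${2:-443}" -servername "$1" -showcerts </dev/null 2>/dev/null \
    | grep -E '^ *[0-9]+ s:|^ +i:'
}

# Typical run (placeholders):
#   served_cert_matches cert.pem vpn.example.com && echo "ASA serves the new certificate"
#   served_chain vpn.example.com
```

If served_cert_matches fails right after you clicked Apply, rerun it against the interface address you actually assigned the trustpoint to; a mismatch there points at the SSL Settings step rather than at a browser cache.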