Install an SSL Certificate on a Cisco ASA

To install a certificate on a Cisco ASA firewall, you’ll probably want to use ASDM. Here are the steps:

  1. Select the certificate you want to renew beneath Configuration, Device Management, Identity Certificates, and then click Add.
  2. Under Add Identity Certificate, select the Add a new identity certificate radio button, and choose your key pair from the drop-down menu or create a new key pair.
  3. Enter the appropriate certificate attributes. MAKE SURE TO CLICK ON ‘ADVANCED’ AND VERIFY THE FQDN! Once completed, click OK. Then click ‘Add Certificate’.
  4. In the Identity Certificate Request popup window, save your Certificate Signing Request (CSR) to a text file, and click OK. Verify in ASDM that the CSR is pending.
  5. Submit your CSR to get your certificate issued.
  6. Select the pending certificate request under Configuration, Device Management, Identity Certificates, and click Install. In the Install Identity Certificate window, select the Paste the certificate data in base-64 format radio button, and click Install Certificate.
  7. To bind the new certificate to the interface, choose Configuration, Device Management, Advanced, SSL Settings. Select your interface under Certificates, and click Edit. Choose your new certificate from the drop-down menu, click OK, and click Apply.

Don’t forget to write your changes!

You can verify the available certs from the CLI using the command

show crypto ca certificates

You can verify the cert is applied to the interface with

show running-config ssl

Using OpenSSL to convert SSL certificate format

OpenSSL Commands

Convert PEM to PFX
openssl pkcs12 -export -out cert.pfx -inkey private.key -in cert.crt -certfile cert-ca.crt

Convert PFX to PEM
openssl pkcs12 -in cert.pfx -out cert.cer -nodes

Convert PEM to DER
openssl x509 -outform der -in cert.pem -out cert.der

Convert PEM to P7B
openssl crl2pkcs7 -nocrl -certfile cert.cer -out cert.p7b -certfile cert-ca.cer

Convert DER to PEM
openssl x509 -inform der -in cert.der -out cert.pem

Convert P7B to PEM
openssl pkcs7 -print_certs -in cert.p7b -out cert.cer

Convert P7B to PFX
openssl pkcs7 -print_certs -in cert.p7b -out cert.cer
openssl pkcs12 -export -in cert.cer -inkey private.key -out cert.pfx -certfile cert-ca.cer
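The conversions above are easy to get subtly wrong (wrong file passed to -certfile, a bundle that silently lost its chain), so the script below, an example added here and not part of the original notes, runs a certificate through PEM to DER, P7B and PFX and back, checking after each round trip that the SHA-256 fingerprint of the leaf is unchanged and that the chain certificate is still in the bundle. It assumes only that openssl is on PATH; every key and certificate it uses is a throwaway it generates itself.

```shell
#!/bin/sh
# Added example (not from the original notes): run a certificate through the
# conversions listed above and check that the SHA-256 fingerprint is unchanged
# after each round trip. Assumes openssl is on PATH. All key and certificate
# material is constructed here; nothing is taken from a real deployment.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed test material: a throwaway key, a self-signed leaf certificate,
# and a second self-signed certificate standing in for the CA/intermediate.
make_test_material() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$WORK/private.key" -out "$WORK/cert.crt" \
        -subj "/CN=example.test" >/dev/null 2>&1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$WORK/ca.key" -out "$WORK/cert-ca.crt" \
        -subj "/CN=Example Test CA" >/dev/null 2>&1
}

# SHA-256 fingerprint of the first certificate in a PEM file.
fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Number of certificates in a PEM bundle.
count_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# Fingerprint of every certificate in a PEM bundle, one per line, whatever
# order the converter happened to write them in.
bundle_fingerprints() {
    rm -f "$WORK"/split_*.pem
    awk -v dir="$WORK" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/split_" n ".pem" }
        out != "" { print > out }
        /-----END CERTIFICATE-----/ { close(out); out = "" }
    ' "$1"
    for f in "$WORK"/split_*.pem; do fingerprint "$f"; done
}

# PEM -> DER -> PEM: succeeds when the fingerprint survives.
roundtrip_der() {
    openssl x509 -outform der -in "$WORK/cert.crt" -out "$WORK/cert.der"
    openssl x509 -inform der -in "$WORK/cert.der" -out "$WORK/from_der.pem"
    [ "$(fingerprint "$WORK/from_der.pem")" = "$(fingerprint "$WORK/cert.crt")" ]
}

# PEM -> P7B (leaf + CA, no key) -> PEM: succeeds when both certs come back.
roundtrip_p7b() {
    openssl crl2pkcs7 -nocrl -certfile "$WORK/cert.crt" \
        -certfile "$WORK/cert-ca.crt" -out "$WORK/cert.p7b"
    openssl pkcs7 -print_certs -in "$WORK/cert.p7b" -out "$WORK/from_p7b.pem"
    [ "$(count_certs "$WORK/from_p7b.pem")" -eq 2 ] &&
        bundle_fingerprints "$WORK/from_p7b.pem" | grep -qx "$(fingerprint "$WORK/cert.crt")"
}

# PEM -> PFX (leaf + key + CA, password-protected) -> PEM: succeeds when the
# leaf fingerprint survives and the bundle still holds both certificates.
roundtrip_pfx() {
    openssl pkcs12 -export -out "$WORK/cert.pfx" -inkey "$WORK/private.key" \
        -in "$WORK/cert.crt" -certfile "$WORK/cert-ca.crt" -passout pass:changeit
    # -nodes writes the private key unencrypted, exactly as the "Convert PFX to
    # PEM" command above does, so the output file needs restrictive permissions.
    openssl pkcs12 -in "$WORK/cert.pfx" -out "$WORK/from_pfx.pem" -nodes \
        -passin pass:changeit
    chmod 600 "$WORK/from_pfx.pem"
    [ "$(count_certs "$WORK/from_pfx.pem")" -eq 2 ] &&
        bundle_fingerprints "$WORK/from_pfx.pem" | grep -qx "$(fingerprint "$WORK/cert.crt")"
}

make_test_material
for step in roundtrip_der roundtrip_p7b roundtrip_pfx; do
    if "$step"; then echo "$step: fingerprint preserved"; else echo "$step: FAILED"; exit 1; fi
done
```

The fingerprint is the right invariant to check because it is computed over the DER bytes of the certificate, so it is the same no matter which container the certificate came out of; a changed fingerprint after a conversion means you converted the wrong file.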

About each format (taken from

PEM Format
The PEM format is the most common format that Certificate Authorities issue certificates in. PEM certificates usually have extensions such as .pem, .crt, .cer, and .key. They are Base64 encoded ASCII files and contain “-----BEGIN CERTIFICATE-----” and “-----END CERTIFICATE-----” statements. Server certificates, intermediate certificates, and private keys can all be put into the PEM format. Apache and other similar servers use PEM format certificates. Several PEM certificates, and even the private key, can be included in one file, one below the other, but most platforms, such as Apache, expect the certificates and private key to be in separate files.

DER Format
The DER format is simply a binary form of a certificate instead of the ASCII PEM format. It sometimes has a file extension of .der but it often has a file extension of .cer so the only way to tell the difference between a DER .cer file and a PEM .cer file is to open it in a text editor and look for the BEGIN/END statements. All types of certificates and private keys can be encoded in DER format. DER is typically used with Java platforms. The SSL Converter can only convert certificates to DER format. If you need to convert a private key to DER, please use the OpenSSL commands on this page.

PKCS#7/P7B Format
The PKCS#7 or P7B format is usually stored in Base64 ASCII format and has a file extension of .p7b or .p7c. P7B certificates contain “-----BEGIN PKCS7-----” and “-----END PKCS7-----” statements. A P7B file only contains certificates and chain certificates, not the private key. Several platforms support P7B files including Microsoft Windows and Java Tomcat.

PKCS#12/PFX Format
The PKCS#12 or PFX format is a binary format for storing the server certificate, any intermediate certificates, and the private key in one encryptable file. PFX files usually have extensions such as .pfx and .p12. PFX files are typically used on Windows machines to import and export certificates and private keys. When converting a PFX file to PEM format, OpenSSL will put all the certificates and the private key into a single file. You will need to open the file in a text editor and copy each certificate and private key (including the BEGIN/END statements) to its own individual text file and save them as certificate.cer, CACert.cer, and privateKey.key respectively.


Moving SSL Certificates from IIS to Apache

Export your certificate from IIS, convert, and install in Apache

Steps for moving your secure certificate from IIS to Apache:

Apache web server

1) Export the certificate from IIS. The easiest way to do this is from the MMC Certificates snap-in. Instructions for adding the certificates snap-in to MMC are available at

2) Move the .pfx to your Apache web server.

3) Extract the SSL cert and key from the .pfx file:
# To export the private key from the pfx file:
openssl pkcs12 -in win_cert.pfx -nocerts -out key.pem

# To export the certificate from the pfx file:
openssl pkcs12 -in win_cert.pfx -clcerts -nokeys -out cert.pem

# To remove the password from the key:
openssl rsa -in key.pem -out key_with_no_pw.key

4) Install your certificate. Installing certificates in Apache is easy!
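The three openssl commands in step 3 prompt for passwords and leave you with files you have not yet checked against each other. The script below, an example added here and not the page's own procedure, does the same split non-interactively, also pulls out the CA certificates for a chain file, removes the passphrase from the key, locks the key file down, and then proves the extracted key actually belongs to the extracted certificate before anything is copied into the Apache config. It assumes openssl on PATH; win_cert.pfx and its export password are constructed from a throwaway self-signed certificate, not from a real IIS export.

```shell
#!/bin/sh
# Added example (not from the original notes): split a .pfx exported from
# Windows into the key and certificate files Apache wants, strip the key's
# passphrase, lock the key file down and prove the key belongs to the cert.
# Assumes openssl on PATH. win_cert.pfx is constructed here from a throwaway
# self-signed certificate, so nothing here comes from a real IIS export.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
PFX_PASS=exportpass   # constructed stand-in for the password chosen in the MMC export wizard

# Constructed stand-in for the IIS export: a self-signed leaf + a fake CA cert,
# bundled with the private key into win_cert.pfx.
make_fake_iis_export() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=www.example.test" \
        -keyout "$WORK/orig.key" -out "$WORK/orig.crt" >/dev/null 2>&1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example Test CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1
    openssl pkcs12 -export -inkey "$WORK/orig.key" -in "$WORK/orig.crt" \
        -certfile "$WORK/ca.crt" -out "$WORK/win_cert.pfx" -passout "pass:$PFX_PASS"
}

# Step 3 from the text, non-interactively. The intermediate key.pem is still
# passphrase-protected (-passout); the final .key is not, hence chmod 600.
extract_from_pfx() {
    pfx=$1
    # private key only (still encrypted, with a temporary passphrase)
    openssl pkcs12 -in "$pfx" -nocerts -out "$WORK/key.pem" \
        -passin "pass:$PFX_PASS" -passout pass:temppass
    # server (leaf) certificate only
    openssl pkcs12 -in "$pfx" -clcerts -nokeys -out "$WORK/cert.pem" \
        -passin "pass:$PFX_PASS"
    # CA / intermediate certificates only, for the chain file
    openssl pkcs12 -in "$pfx" -cacerts -nokeys -out "$WORK/chain.pem" \
        -passin "pass:$PFX_PASS"
    # remove the passphrase so httpd can start unattended, then lock the file
    openssl rsa -in "$WORK/key.pem" -passin pass:temppass \
        -out "$WORK/key_with_no_pw.key"
    chmod 600 "$WORK/key_with_no_pw.key"
    rm -f "$WORK/key.pem"
}

# Succeeds when the private key's public half equals the public key in the cert.
key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null)
    cert_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)
    [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ]
}

# Permission string as ls prints it, e.g. -rw------- ; portable across GNU/BSD.
perm_string() {
    ls -l "$1" | cut -c1-10
}

# Number of certificates in a PEM file.
count_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

make_fake_iis_export
extract_from_pfx "$WORK/win_cert.pfx"
if key_matches_cert "$WORK/key_with_no_pw.key" "$WORK/cert.pem"; then
    echo "key matches cert.pem; chain.pem holds $(count_certs "$WORK/chain.pem") cert(s);" \
         "key perms: $(perm_string "$WORK/key_with_no_pw.key")"
else
    echo "key/cert mismatch: do not install these"; exit 1
fi
```

Comparing the public keys is the cheapest way to catch the classic mistake of exporting the right certificate with the wrong key (for example after a renewal that generated a new key pair); Apache would only tell you at restart time, with a far less helpful error.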


Installing your Secure Certificate – CentOS

Note: The examples below use the following naming conventions: “Your Private Key” = “domainname.key”; “Your Web Server Certificate” = “domainname.crt”

1. Copy the certificate to the Apache server directory in which you plan to store your certificates (by default: /usr/local/apache/conf/ssl.crt/ or /etc/httpd/conf/ssl.crt/).

Note: Copy the entire contents of the certificate from (and including) the

2. Open the httpd.conf file in a text editor.

3. Locate the secure virtual host pertaining to your order. You should have the following directives within this virtual host. Please add them if they are not present:

SSLCertificateFile /usr/local/apache/conf/ssl.crt/domainname.crt (or server.crt)
SSLCertificateKeyFile /usr/local/apache/conf/ssl.key/domainname.key (or server.key)

4. Save the changes and exit the editor.

5. Start or Restart your apache web server using one of the following commands:
By default:
/usr/local/apache/bin/apachectl startssl
/usr/local/apache/bin/apachectl restart

Other commands:
/usr/sbin/httpd startssl or restart
/usr/sbin/httpsd startssl or restart

I prefer: service httpd restart

Note: You may refer to the original ModSSL instructions at:

Test your certificate by using a browser to connect to your server. Use the https protocol directive (e.g. https://your server/) to indicate you wish to use secure HTTP.

Note: The padlock icon on your browser will be displayed in the locked position if your certificates are installed correctly and the server is properly configured for SSL.

This SHOULD be incredibly easy. GeoTrust’s simple instructions should do the trick. If you run into problems, check your ssl error log. I ran into the following:
[error] SSL Library Error: 218710120 error:0D094068:asn1 encoding routines:d2i_ASN1_SET:bad tag
[error] SSL Library Error: 218529960 error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
[error] SSL Library Error: 218595386 error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error
[error] SSL Library Error: 218734605 error:0D09A00D:asn1 encoding routines:d2i_PrivateKey:ASN1 lib

This was because I tried to put the cert, key, and csr in /etc/httpd/conf/ssl.crt, /etc/httpd/conf/ssl.key, and /etc/httpd/conf/ssl.csr respectively. I pointed ssl.conf to these locations and attempted to restart apache. Apparently however, from CentOS 5+, the ssl stuff belongs in /etc/pki/tls. Argh. (Thanks Jacob!)
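The asn1 errors above are what mod_ssl produces when the file behind SSLCertificateFile or SSLCertificateKeyFile is not the PEM it expected, and the log line never names the file. The script below is an example added here, not part of the original notes: it reads the two directives out of a config snippet and checks, before any restart, that each file exists, is readable, and is PEM-encoded as the directive requires, reporting a DER file or a missing path by name. It assumes openssl and awk on PATH; the config snippets and the key and certificate files it checks are all constructed in a temporary directory.

```shell
#!/bin/sh
# Added example (not from the original notes): check the files named by
# SSLCertificateFile / SSLCertificateKeyFile before restarting httpd, so a
# missing, unreadable or DER-encoded file is caught by name rather than as an
# "asn1 encoding routines ... bad tag" line in ssl_error_log. Assumes openssl
# and awk on PATH; every config snippet and file below is constructed here.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# First path argument of a directive, or nothing if the directive is absent.
directive_path() {
    awk -v d="$2" '$1 == d { print $2; exit }' "$1"
}

# Classify a file the way mod_ssl's loader has to see it:
# pem-cert, pem-key, der-cert, der-key or unknown.
classify() {
    f=$1
    if grep -q -- '-----BEGIN CERTIFICATE-----' "$f" 2>/dev/null &&
       openssl x509 -in "$f" -noout 2>/dev/null; then echo pem-cert; return; fi
    if grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$f" 2>/dev/null &&
       openssl pkey -in "$f" -noout 2>/dev/null; then echo pem-key; return; fi
    if openssl x509 -inform der -in "$f" -noout 2>/dev/null; then echo der-cert; return; fi
    if openssl pkey -inform der -in "$f" -noout 2>/dev/null; then echo der-key; return; fi
    echo unknown
}

# Report on both directives; exit status 0 only when every file is present,
# readable and PEM-encoded as the directive expects.
check_ssl_conf() {
    conf=$1; rc=0
    for d in SSLCertificateFile SSLCertificateKeyFile; do
        p=$(directive_path "$conf" "$d")
        if [ -z "$p" ]; then
            echo "$d: directive missing from $conf"; rc=1; continue
        fi
        if [ ! -r "$p" ]; then
            echo "$d: $p is missing or unreadable (on CentOS 5+ look under /etc/pki/tls)"; rc=1; continue
        fi
        kind=$(classify "$p")
        case "$d:$kind" in
            SSLCertificateFile:pem-cert|SSLCertificateKeyFile:pem-key)
                echo "$d: $p OK ($kind)" ;;
            *)
                echo "$d: $p is $kind, mod_ssl expects PEM here"; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed fixtures: a PEM key/cert pair, a DER copy of the cert, and three
# config snippets: one correct, one pointing at the DER file, one pointing
# at the old ssl.crt/ssl.key layout, which does not exist in this sandbox.
make_fixtures() {
    mkdir -p "$WORK/pki/certs" "$WORK/pki/private"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=www.example.test" \
        -keyout "$WORK/pki/private/domainname.key" \
        -out "$WORK/pki/certs/domainname.crt" >/dev/null 2>&1
    openssl x509 -in "$WORK/pki/certs/domainname.crt" -outform der \
        -out "$WORK/pki/certs/domainname.der"
    printf 'SSLCertificateFile %s\nSSLCertificateKeyFile %s\n' \
        "$WORK/pki/certs/domainname.crt" "$WORK/pki/private/domainname.key" > "$WORK/good.conf"
    printf 'SSLCertificateFile %s\nSSLCertificateKeyFile %s\n' \
        "$WORK/pki/certs/domainname.der" "$WORK/pki/private/domainname.key" > "$WORK/der.conf"
    printf 'SSLCertificateFile %s\nSSLCertificateKeyFile %s\n' \
        "$WORK/conf/ssl.crt/domainname.crt" "$WORK/conf/ssl.key/domainname.key" > "$WORK/wrongpath.conf"
}

make_fixtures
for c in good.conf der.conf wrongpath.conf; do
    echo "== $c"
    check_ssl_conf "$WORK/$c" || echo "   -> fix before restarting httpd"
done
```

Point check_ssl_conf at the real ssl.conf on a server (run as root, since the key file should be readable by nobody else) and it will name the offending path directly, which is the piece of information the ssl error log leaves out.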


Generate a CSR – OpenSSL

(thanks Chris and!)
Generate your key (file names below follow the domainname.* convention used above):
openssl genrsa -des3 -out domainname.key 1024
Remove the passphrase:
openssl rsa -in domainname.key -out domainname.nopass.key
!!!make sure that this .key file is readable only by root and no one else (chmod 600)!!!
Generate the CSR:
openssl req -new -key domainname.nopass.key -out domainname.csr
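Both the ASA procedure above (step 3: verify the FQDN before you generate the request) and the three commands in this section end with a CSR that you should inspect before sending it to the CA. The script below is an example added here, not the page's own commands: it generates the key and CSR non-interactively, puts the FQDN in both the subject CN and a subjectAltName (which browsers require), removes the passphrase and applies chmod 600 as the note above says, and then checks that the CSR names the expected FQDN and was signed with the key you think it was. It uses a 2048-bit key rather than the 1024 bits shown above, because public CAs no longer accept 1024-bit keys. It assumes openssl on PATH; the FQDN fw.example.test and the file names are constructed.

```shell
#!/bin/sh
# Added example (not from the original notes): generate a key and CSR the way
# the commands above do, but non-interactively, with a 2048-bit key and with
# the FQDN in both the CN and the subjectAltName, then verify the CSR before
# submitting it. Assumes openssl on PATH. The FQDN fw.example.test and all
# file names are constructed for this example.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
FQDN=fw.example.test

# Generate your key (passphrase-protected, as with -des3 above), then remove the
# passphrase, then make sure only the owner can read the result.
make_key() {
    out=$1
    openssl genrsa -des3 -passout pass:temppass -out "$out.enc" 2048 2>/dev/null
    openssl rsa -in "$out.enc" -passin pass:temppass -out "$out" 2>/dev/null
    chmod 600 "$out"
    rm -f "$out.enc"
}

# Generate the CSR from a minimal req config so the FQDN lands in the subject
# CN and in a subjectAltName extension (works on OpenSSL releases without -addext).
make_csr() {
    key=$1; fqdn=$2; out=$3
    cat > "$out.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
req_extensions = ext
[dn]
CN = $fqdn
[ext]
subjectAltName = DNS:$fqdn
EOF
    openssl req -new -key "$key" -config "$out.cnf" -out "$out"
}

# Succeeds when the CSR names the expected FQDN in its CN and in its SAN list.
csr_has_fqdn() {
    txt=$(openssl req -in "$1" -noout -text)
    echo "$txt" | grep -Eq "CN ?= ?$2( |,|$)" &&
        echo "$txt" | grep -Eq "DNS:$2(,|$)"
}

# Succeeds when the CSR was signed with the given private key.
csr_matches_key() {
    csr_pub=$(openssl req -in "$1" -noout -pubkey 2>/dev/null)
    [ -n "$csr_pub" ] && [ "$csr_pub" = "$(openssl pkey -in "$2" -pubout 2>/dev/null)" ]
}

# Permission string as ls prints it, e.g. -rw-------.
perm_string() { ls -l "$1" | cut -c1-10; }

make_key "$WORK/domainname.key"
make_csr "$WORK/domainname.key" "$FQDN" "$WORK/domainname.csr"
if csr_has_fqdn "$WORK/domainname.csr" "$FQDN" &&
   csr_matches_key "$WORK/domainname.csr" "$WORK/domainname.key"; then
    echo "CSR for $FQDN is ready to submit; key perms: $(perm_string "$WORK/domainname.key")"
else
    echo "CSR does not match what was requested; regenerate it"; exit 1
fi
```

The same csr_has_fqdn check works on the CSR that ASDM saves to a text file in step 4 of the ASA procedure, which is the moment to discover a typo in the FQDN rather than after the CA has issued the certificate.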