Install ASA Certificates

You must upload the digital certificates as trustpoint objects and install them on the ASA devices managed by CDO.

Note

Ensure that the ASA device has no out-of-band changes, and all staged changes have been deployed.

The following lists the digital certificates and formats supported by CDO:

  • Identity Certificate can be installed using the following methods:

    • PKCS12 file import.

    • Self-signed certificate.

    • Certificate Signing Request (CSR) import.

  • Trusted CA Certificate can be installed using PEM or DER format.

Watch the screencast, which demonstrates the steps for installing certificates on ASA using CDO. It also shows the steps for modifying, exporting, and deleting installed certificates.

Supported Certificate Formats

  • PKCS12: PKCS#12, P12, or PFX format is a binary format for storing the server certificate, any intermediate certificates, and the private key in one encryptable file. PFX files usually have extensions such as .pfx and .p12.

  • PEM: PEM (originally “Privacy Enhanced Mail”) files contain Base64-encoded ASCII data, and the certificate files can have .pem, .crt, .cer, or .key extensions. They contain "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" statements.

  • DER: DER (Distinguished Encoding Rules) format is simply a binary form of a certificate instead of the ASCII PEM format. It sometimes has a file extension of .der, but it often has a file extension of .cer, so the only way to tell the difference between a DER .cer file and a PEM .cer file is to open it in a text editor and look for the BEGIN/END statements. Unlike PEM, DER-encoded files do not contain plain text statements such as -----BEGIN CERTIFICATE-----.
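The text-editor check described above can be scripted so that a file's real encoding is known before it is uploaded as a trustpoint. The Python below is an added example, not Cisco or CDO code; it goes one step beyond the PEM/DER check by also recognising PKCS12 from its leading ASN.1 bytes. The names classify and _der_body and the sample byte strings are constructed for illustration, and the check is a structural heuristic, not certificate validation.

```python
import base64
import re

PEM_BLOCK = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----.*?-----END \1-----", re.S)

def _der_body(data):
    """Return the contents of an outer ASN.1 SEQUENCE, or None if absent/truncated."""
    if len(data) < 2 or data[0] != 0x30:
        return None
    first = data[1]
    if first == 0x80:                 # BER indefinite length, used by some PKCS12 writers
        return data[2:]
    if first < 0x80:                  # short-form length
        start, length = 2, first
    else:                             # long-form length: low 7 bits = number of length bytes
        n = first & 0x7F
        if n > 4 or len(data) < 2 + n:
            return None
        start, length = 2 + n, int.from_bytes(data[2:2 + n], "big")
    if start + length > len(data):
        return None
    return data[start:start + length]

def classify(data):
    """Return (format, pem_labels); format is 'PEM', 'DER', 'PKCS12' or 'unknown'."""
    labels = [m.group(1).decode() for m in PEM_BLOCK.finditer(data)]
    if labels:
        return "PEM", labels          # labels reveal e.g. a bundled PRIVATE KEY block
    body = _der_body(data)
    if not body:
        return "unknown", []
    if body[:3] == b"\x02\x01\x03":   # PFX starts with INTEGER version 3 (RFC 7292)
        return "PKCS12", []
    if body[0] == 0x30:               # X.509 starts with the nested tbsCertificate SEQUENCE
        return "DER", []
    return "unknown", []

# Constructed samples: minimal ASN.1 skeletons, not real certificates or keys.
FAKE_CERT_DER = bytes.fromhex("30053003020102")
FAKE_PFX = bytes.fromhex("30050201033000")
FAKE_CERT_PEM = (b"-----BEGIN CERTIFICATE-----\n"
                 + base64.encodebytes(FAKE_CERT_DER)
                 + b"-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    for name, blob in [("cert.cer (DER)", FAKE_CERT_DER), ("cert.cer (PEM)", FAKE_CERT_PEM),
                       ("identity.p12", FAKE_PFX), ("notes.txt", b"not a certificate")]:
        print(name, "->", classify(blob))
```

For a real file, pass the result of open(path, "rb").read() to classify; a PEM result whose labels include a private key block means the file carries key material and should be handled accordingly.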

Trustpoints Screen

After onboarding the ASA device into CDO, on the Inventory tab, select the ASA device and in the Management pane on the left, click Trustpoints.

In the Trustpoints tab, you'll see the certificates that are already installed on the device.

  • The "Installed" status indicates that the corresponding certificate is installed successfully on the device.

  • The "Unknown" status indicates that the corresponding certificate doesn't contain any information. You need to remove and upload it again with the correct details. CDO discovers all the unknown certificates as trusted CA certificates.

  • Click the row that shows "Installed" to view certificate details on the right pane. Click more to see additional details of the selected certificate.

  • An installed Identity Certificate can be exported in PKCS12 or PEM format and imported into other ASA devices. See Exporting an Identity Certificate.

  • Only the advanced settings can be modified on an installed certificate.

    • Click Edit to modify the advanced settings.

    • After making the changes, click Send to install the updated certificate.