Using the encryption capabilities of the SSL VPN device requires adding a key and a certificate
that conform to the X.509 standard to the SSL VPN device. If you have more than one SSL
VPN device in a cluster, the key and certificate need only be added to one of the devices. As
with configuration changes, the information is automatically propagated to all other devices in
NOTE – When using an ASA 310-FIPS running in FIPS mode, the private key associated with
a certificate cannot be imported. All private keys must be generated on the HSM card itself due
There are two ways to install a key and certificate into the SSL VPN device:
Copy-and-paste the key/certificate.
Download the key/certificate from a TFTP/FTP server.
The SSL VPN device supports importing certificates and keys in these formats:
PEM
NET
DER
PKCS7 (certificate only)
PKCS8 (keys only, used in WebLogic)
PKCS12 (also known as PFX)
Besides these formats, keys in the proprietary format used by MS IIS 4 can be imported into the
SSL VPN device, as well as keys from Netscape Enterprise Server or iPlanet Server. Importing
keys from Netscape Enterprise Server or iPlanet Server, however, requires that you first use
a conversion tool. For more information about the conversion tool, contact Nortel Networks.
When it comes to exporting certificates and keys from the SSL VPN device, you can specify to
save in the PEM, NET, DER, or PKCS12 format when using the export command. If you
choose to use the display command (which requires a copy-and-paste operation), you are
restricted to saving certificates and keys in the PEM format only.
NOTE – When performing a copy-and-paste operation to add a certificate or key, you must
always use the PEM format.
Copy-and-Paste Certificates
The following steps demonstrate how to add a certificate using the copy-and-paste method.
NOTE – If you connect to one of the SSL VPN devices in the cluster by using a console connection, note that HyperTerminal under Microsoft Windows may be slow to complete copy-and-paste operations. If your security policy permits enabling Telnet or SSH access to the SSL VPN device, use a Telnet or SSH client and connect to the Management IP address instead.
1. Type the following command from the Main menu prompt to start adding a certificate.
In most cases you should specify the same certificate number as the certificate number you
used when generating the CSR. By doing so, you do not have to add the private key because
this key remains connected to the certificate number that you used when you generated the
CSR.
If you have obtained a key and a certificate by other means than generating a CSR using the
request command on the SSL VPN device, specify a certificate number not used by a configured
certificate before pasting the certificate. If the private key and the certificate are not
contained in the same file, use the key or import command to add the corresponding private
key.
To view basic information about configured certificates, use the /info/certs command.
The information displayed lists all configured certificates by their main attributes.
2. Copy the contents of your certificate file.
Open the certificate file you have received from a CA in a text editor and copy the entire contents.
Make sure the selected text includes the “-----BEGIN CERTIFICATE-----” and
“-----END CERTIFICATE-----” lines.
3. Paste the contents of the certificate file at the command prompt.
Now, paste the certificate at the command line interface prompt, press ENTER to create a new
empty line, and then type “...” (without the quotation marks). Press ENTER again to complete
the installation of the certificate.
>> Main# cfg/ssl/cert
Enter certificate number: (1-)
>> Certificate 1# cert
Paste the certificate, press Enter to create a new line, and then
type "..." (without the quotation marks) to terminate.
Your screen output should now resemble the following example:
>> Certificate 1# cert
Paste the certificate, press Enter to create a new line, and then
type "..." (without the quotation marks) to terminate.
NOTE – Depending on the type of certificate the CA generates (registered or chain), your certificate may appear substantially different from the one shown above. Be sure to copy and
paste the entire contents of the certificate file.
4. Apply your changes.
If you have used the request command on the SSL VPN device to generate a CSR, and have
specified the same certificate number as the CSR when pasting the contents of the certificate
file, your certificate is now fully installed.
If you have obtained a certificate by other means, however, you must also add the corresponding
private key.
Copy-and-Paste Private Key
1. Type the following command from the Main menu prompt to start adding a private key.
Make sure you specify the same certificate number as when pasting the certificate.
2. Copy the contents of your private key file.
Locate the file containing your private key. Make sure the key file corresponds with the certificate
file you have received from a CA. The public key contained in the certificate works in
concert with the related private key when handling SSL transactions.
Open the key file in a text editor and copy the entire contents. Make sure the selected text
includes the “-----BEGIN RSA PRIVATE KEY-----” and “-----END RSA PRIVATE KEY-----” lines.
3. Paste the contents of the key file at the command prompt.
Now, paste the private key at the command line interface prompt. Press ENTER to create a
new row, and then type “...” (without the quotation marks). Press ENTER again to complete
the installation of the key.
You may be prompted for a password phrase after having completed the paste operation. The
password phrase you are requested to type is the one you specified when creating (or exporting)
the private key.
>> Main# cfg/ssl/cert
Enter certificate number: (1-)
>> Certificate 1# key
Paste the key, press Enter to create a new line, and then type "..."
(without the quotation marks) to terminate.
Your screen output should now resemble the following example.
>> Certificate 1# key
Paste the key, press Enter to create a new line, and then type "..."
Your certificate and private key are now fully installed and ready to be taken into use by a virtual
SSL server. To view information about configured certificates and SSL servers, use the
/cfg/ssl/cur command.
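The following script is an added example and is not part of the Nortel guide or the device software. It shows the preparation work the copy-and-paste procedure above assumes: converting a certificate and key from each of the import formats listed earlier (DER, PKCS7, PKCS8, PKCS12) into the PEM blocks the prompt accepts, checking that the private key really belongs to the certificate (the "corresponds with the certificate" requirement in the key step), handling a passphrase-protected key, and verifying that the text to be pasted starts and ends with the BEGIN/END lines. It assumes the openssl command-line tool is installed; the key pair, file names and the passphrase "secret" are throwaway material constructed by the script, and the `-traditional` fallback is there because OpenSSL 3 writes PKCS#8 by default while OpenSSL 1.1 lacks that flag.

```shell
#!/bin/sh
# Added example, not from the Nortel guide: prepare a key/certificate pair for
# the copy-and-paste import (PEM only) from each format the device can import,
# and check that the key belongs to the certificate before pasting.
# Needs the openssl CLI. All key material is a throwaway pair generated here.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed test material: throwaway RSA key + self-signed cert, then the same
# pair repacked into the other import formats (passphrase "secret"), plus an
# unrelated key so the mismatch check has something to reject.
make_test_material() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=sslvpn.example.test" \
        -keyout "$WORK/key.pem" -out "$WORK/cert.pem" 2>/dev/null
    openssl x509 -in "$WORK/cert.pem" -outform DER -out "$WORK/cert.der"
    openssl crl2pkcs7 -nocrl -certfile "$WORK/cert.pem" -out "$WORK/cert.p7b"
    openssl pkcs8 -topk8 -in "$WORK/key.pem" -out "$WORK/key.p8" -passout pass:secret
    openssl pkcs12 -export -in "$WORK/cert.pem" -inkey "$WORK/key.pem" \
        -out "$WORK/bundle.p12" -passout pass:secret
    openssl genrsa -out "$WORK/other.pem" 2048 2>/dev/null
}

# Extract one PEM block with the given label, BEGIN/END lines included. This is
# exactly the text that gets pasted at the "cert" or "key" prompt.
pem_block() {   # pem_block <file> <label>
    awk -v l="$2" 'BEGIN { b = "-----BEGIN " l "-----"; e = "-----END " l "-----" }
                   $0 == b { p = 1 }  p { print }  $0 == e { exit }' "$1"
}

# Convert a certificate in any supported container into a paste-ready PEM file.
cert_to_pem() {   # cert_to_pem <in> <der|pkcs7|pkcs12|pem> <out> [passphrase]
    case "$2" in
        der)    openssl x509 -inform DER -in "$1" -out "$3" ;;
        pkcs7)  openssl pkcs7 -print_certs -in "$1" -out "$WORK/tmpcert.pem"
                pem_block "$WORK/tmpcert.pem" CERTIFICATE > "$3" ;;
        pkcs12) openssl pkcs12 -in "$1" -passin "pass:${4:-}" -nokeys -clcerts \
                    -out "$WORK/tmpcert.pem" 2>/dev/null
                pem_block "$WORK/tmpcert.pem" CERTIFICATE > "$3" ;;
        pem)    pem_block "$1" CERTIFICATE > "$3" ;;
        *)      echo "unknown certificate format: $2" >&2; return 1 ;;
    esac
}

# Convert a private key (PKCS#1 or PKCS#8 PEM, encrypted or not, or one held in
# a PKCS12 bundle) into the "RSA PRIVATE KEY" block the key prompt expects.
key_to_pem() {    # key_to_pem <in> <pem|pkcs8|pkcs12> <out> [passphrase]
    src="$1"; pass="${4:-}"
    if [ "$2" = pkcs12 ]; then
        openssl pkcs12 -in "$1" -passin "pass:$pass" -nocerts -nodes \
            -out "$WORK/tmpkey.pem" 2>/dev/null
        src="$WORK/tmpkey.pem"
    fi
    # OpenSSL 3 writes PKCS#8 unless told -traditional; OpenSSL 1.1 has no such
    # flag but writes PKCS#1 by default, so try the flag and fall back.
    openssl rsa -in "$src" -passin "pass:$pass" -traditional -out "$3" 2>/dev/null \
        || openssl rsa -in "$src" -passin "pass:$pass" -out "$3" 2>/dev/null
}

# Pre-paste sanity check: the key belongs to the certificate only if the RSA
# modulus in the key equals the modulus in the certificate's public key.
key_matches_cert() {   # key_matches_cert <key.pem> <cert.pem>
    k=$(openssl rsa -in "$1" -noout -modulus 2>/dev/null || true)
    c=$(openssl x509 -in "$2" -noout -modulus)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Emit the paste payload: the block must begin and end with the BEGIN/END lines
# for the label, and the device ends the paste on a line consisting of "...".
paste_ready() {   # paste_ready <pem-file> <CERTIFICATE|RSA PRIVATE KEY>
    first=$(head -n 1 "$1"); last=$(tail -n 1 "$1")
    [ "$first" = "-----BEGIN $2-----" ] && [ "$last" = "-----END $2-----" ] || return 1
    cat "$1"; echo "..."
}

make_test_material
cert_to_pem "$WORK/cert.der"   der    "$WORK/paste_cert.pem"
cert_to_pem "$WORK/cert.p7b"   pkcs7  "$WORK/p7_cert.pem"
cert_to_pem "$WORK/bundle.p12" pkcs12 "$WORK/p12_cert.pem" secret
key_to_pem  "$WORK/key.p8"     pkcs8  "$WORK/paste_key.pem" secret
key_to_pem  "$WORK/bundle.p12" pkcs12 "$WORK/p12_key.pem"   secret

if key_matches_cert "$WORK/paste_key.pem" "$WORK/paste_cert.pem"; then
    echo "key matches certificate; paste this at 'Certificate N# cert':"
    paste_ready "$WORK/paste_cert.pem" CERTIFICATE
    paste_ready "$WORK/paste_key.pem" "RSA PRIVATE KEY" > /dev/null
    echo "key block in $WORK/paste_key.pem is paste-ready for 'Certificate N# key'"
else
    echo "private key does NOT match the certificate; do not import" >&2
    exit 1
fi
```

The script deliberately keeps the private key out of the terminal output and only prints the certificate; when pasting the key into a shared session, copy it from the file directly. The modulus comparison is the same check you would run by hand with `openssl rsa -noout -modulus` and `openssl x509 -noout -modulus` before trusting a key/certificate pair that did not come from the device's own `request` command.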