A colleague messaged me last week because he could not import a certificate on a FortiGate (that had been exported from a Cisco ASA). He was seeing this error;
Incorrect certificate file format for CA/LOCAL/CRL/REMOTE cert.
FortiGate Certificate Problems
A brief Google led me to ask “Is the FortiGate licensed, or on a free/trial license?”, as that can (apparently) produce this error. But for us this was not the problem.
This was happening because the ASA (like Windows) exports its certificates in ‘base64’ encoding and the FortiGate does not like that, so it throws its toys out of the pram. Firstly ENSURE you exported the certificate as a PKCS12 file like so,
Otherwise the certificate will NOT be exported with its private key, and if you import a certificate into a FortiGate without the private key you will get this error;
Certificate file is duplicated for CA/LOCAL./REMOTE/CRL cert.
We now have a copy of our exported ‘base64 encoded’ certificate. (Note: It has no file extension, don’t panic!) If it was extracted from Windows, it might have a .PFX extension. If yours does, simply use the following commands with that file extension.
Put it on a machine that has OpenSSL installed, or if, like me, you’re a macOS user, copy it there (OpenSSL is installed by default). Firstly we have to decode the extracted certificate;
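As an added worked example (not the command from the original article, which used OpenSSL), here is a stdlib-only Python helper that takes the export in whichever shape you have, the ASA’s armoured base64 as shown in the export output further down this page, bare base64, or an already-binary .pfx, and writes out the binary PKCS#12 the FortiGate expects, checking the outer ASN.1 shell on the way. The sample bundle is a constructed stub, not a real certificate, and the helper does not open the encrypted contents, so confirming the private key is present is still a job for OpenSSL.

```python
"""Normalise an exported PKCS#12 bundle to the binary DER a FortiGate will import.

The ASA's 'crypto ca export ... pkcs12' prints base64 between BEGIN/END PKCS12 lines,
other tools emit bare base64, and a Windows .pfx is already binary DER. Detect which
we have, return DER, and check the outer ASN.1 shell (SEQUENCE, then PFX version
INTEGER 3 per RFC 7292) so a still-base64 or truncated paste is caught before import.
"""
import base64
import binascii
import re
import sys

PEM_RE = re.compile(rb"-----BEGIN PKCS12-----(.*?)-----END PKCS12-----", re.S)

def _looks_binary(data: bytes) -> bool:
    # Anything outside printable ASCII / whitespace in the first 64 bytes means binary DER.
    return any(b > 0x7E or (b < 0x20 and b not in b"\t\r\n") for b in data[:64])

def _der_length(buf: bytes, pos: int):
    """Decode the DER length field at pos; return (length, position after it)."""
    if pos >= len(buf):
        raise ValueError("DER length field missing")
    first = buf[pos]
    if first < 0x80:                        # short form: one octet
        return first, pos + 1
    num = first & 0x7F                      # long form: count of length octets
    if num == 0 or num > 4 or pos + 1 + num > len(buf):
        raise ValueError("bad DER length encoding")
    return int.from_bytes(buf[pos + 1:pos + 1 + num], "big"), pos + 1 + num

def detect_format(data: bytes) -> str:
    """Classify input as 'der' (binary), 'pem' (PKCS12 armour) or 'base64' (bare text)."""
    if data[:1] == b"\x30" and _looks_binary(data):
        return "der"
    if PEM_RE.search(data):
        return "pem"
    try:
        base64.b64decode(b"".join(data.split()), validate=True)
    except (binascii.Error, ValueError):
        raise ValueError("file is not DER, PEM-armoured or bare base64") from None
    return "base64"

def validate_pfx_header(der: bytes) -> int:
    """Check the outer SEQUENCE spans the whole file and version == 3; return version."""
    if der[:1] != b"\x30":
        raise ValueError("not an ASN.1 SEQUENCE (is the file still base64 text?)")
    seq_len, pos = _der_length(der, 1)
    if pos + seq_len != len(der):
        raise ValueError(f"SEQUENCE claims {seq_len} bytes, {len(der) - pos} follow (truncated paste?)")
    if der[pos:pos + 1] != b"\x02":
        raise ValueError("PFX version INTEGER missing")
    int_len, pos = _der_length(der, pos + 1)
    if int_len == 0 or pos + int_len > len(der):
        raise ValueError("bad PFX version field")
    version = int.from_bytes(der[pos:pos + int_len], "big")
    if version != 3:
        raise ValueError(f"unexpected PFX version {version}")
    return version

def normalize_pkcs12(data: bytes) -> bytes:
    """Return validated binary DER whatever shape the export came in."""
    fmt = detect_format(data)
    if fmt == "pem":
        data = base64.b64decode(b"".join(PEM_RE.search(data).group(1).split()))
    elif fmt == "base64":
        data = base64.b64decode(b"".join(data.split()), validate=True)
    validate_pfx_header(data)
    return data

def is_valid_pfx_shell(data: bytes) -> bool:
    """True if normalize_pkcs12() accepts the input, False on any structural error."""
    try:
        normalize_pkcs12(data)
        return True
    except ValueError:
        return False

# Constructed sample (NOT a real certificate): only the outer PFX shell, version 3 plus an
# authSafe ContentInfo carrying the id-data OID; a real bundle continues with encrypted SafeBags.
SAMPLE_DER = bytes.fromhex("3010" "020103" "300b" "06092a864886f70d010701")
SAMPLE_BASE64 = base64.encodebytes(SAMPLE_DER)                      # bare base64, as text
SAMPLE_PEM = b"-----BEGIN PKCS12-----\n" + SAMPLE_BASE64 + b"-----END PKCS12-----\n"

if __name__ == "__main__":
    # Usage: python pfx_normalize.py <exported-file> <output.p12>
    with open(sys.argv[1], "rb") as f:
        raw = f.read()
    der = normalize_pkcs12(raw)
    with open(sys.argv[2], "wb") as f:
        f.write(der)
    print(f"{detect_format(raw)} input -> wrote {len(der)} bytes of binary PKCS#12")
```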
Given my background I’m usually more comfortable connecting to Azure with a route-based VPN from a hardware device, like a Cisco ASA. I got an email this afternoon: a client had a server in a private cloud and a server in Azure, and they needed to transfer files from the Azure server to the server in the private cloud. On further investigation this client had a Cisco vASA, so a VPN was (probably) the best option for them.
But what if they didn’t? Or what if they were ‘working from home’ and needed to access their Azure servers that were not otherwise publicly accessible?
Well the Microsoft solution for that is called an ‘Azure Point to Site VPN’, even though in the current Azure UI they’ve called it ‘User VPN Configuration’, because ‘Hey! Screw consistency and documentation that goes out of date every time a developer has a bright idea, and updates the UI’. Note: I have a thing about things being changed in GUIs!
So regardless whether you are on or off the corporate LAN, you can connect to your Azure Virtual Networks.
Azure VPN (Remote Access)
This is not a full Azure tutorial; I’m assuming, as you want to connect to existing Azure resources, that you will already have most of this set up. But, just to quickly run through: you will need a Resource Group, and in that Resource Group you will need a Virtual Network. (Note: I like to delete the ‘default’ subnet and create one with a sensible name).
So far so good. Within your virtual network you will need to create (if you don’t already have one) a ‘Gateway Subnet’. To annoy the other network engineers, I’ve made it a /24, but to be honest a /29 is usually good enough.
Now to terminate a VPN, you need a ‘Virtual Network Gateway’.
Make sure it’s set for VPN (Route Based) > Connected to your Virtual Network > Either create (or assign) a public IP to it. I told you I’d be quick, however the Gateway will take a few minutes to deploy, (time for a coffee.)
Now launch ‘certmgr’ and you will see the two certificates. Firstly, export the client certificate.
Yes you want to export the private key > You want to Save it as a .PFX file > Create a password for the certificate (MAKE NOTE OF IT!) > Save it somewhere you can get to, (you will need it in a minute).
Secondly, export the Root CA certificate.
You DON’T export the private key > Save as Base-64 encoded > Again save it somewhere sensible, you will also need it in a minute.
Open the ROOT CA CERT with Notepad, and copy all the text BETWEEN -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- Note: This is unlike most scenarios when working with PEM files, where you select everything (it tripped me up!)
Back in Azure > Select your Virtual Network Gateway > Select ‘User VPN Connection’ (seriously, thanks Microsoft, be consistent eh!) > ‘Configure now’.
Pick an address pool for your remote clients to use, (make sure it does not overlap with any of your assets, and don’t use 192.168.1.0/24, or 192.168.0.0/24, Note: These will work, but most home networks use these ranges, and let’s not build in potential routing problems before we start!)
Choose IKEv2 and SSTP > Authentication Type = Azure Certificate > Enter your Root CA details, and paste in the PEM text, you copied above > Save > Time for another coffee!
When it has stopped deploying, you can download the VPN client software.
Azure Point to Site (User VPN) Client Configuration
So for your client(s) you will need the Client Certificate (the one in PFX format,*) and the VPN Client software > Double click the PFX file > Accept ‘Current User’.
*Note: Unless you deployed user certificates already, and your corporate Root Cert was entered into Azure above.
Type in the certificate password you created above > Accept all the defaults.
Yes.
Now install the Client VPN software, you may get some security warnings, accept them and install.
Now you will have a configured VPN connection. I’m a keyboard warrior so I usually run ncpa.cpl to get to my network settings, (because it works on all versions of Windows back to NT4, and ‘developers’ haven’t changed the way it launches 1006 times!)
Launch the Connection > Connect > Tick the ‘Do not show…’ option > Continue > If it works, everything will just disappear and you will be connected.
Related Articles, References, Credits, or External Links
When attempting to import a certificate into Exchange last week, this happened;
A special Rpc error occurs on the server {Server-Name}: Cannot import certificate. A certificate with the thumbprint {Thumbprint} already exists.
Solution
This is a symptom of another problem: the certificate WAS previously imported, but it can’t be seen in the Exchange Admin Console. (The reason in that case was that the certificate was missing its private key.) Or this problem can occur because the certificate was imported manually outside of Exchange.
Locate and delete the duplicate certificate. (Note: Here you can see the cert is missing its private key, as the key is visibly missing from the certificate’s icon.) That will need to be corrected before you attempt to re-import this certificate, or it won’t be visible in the Exchange Admin Console, or visible if you run Get-ExchangeCertificate in a PowerShell window.
Remember, if you use the standard ‘Web Server’ template then this does not allow you to export the private key of a certificate, so clone your template and allow the private key to be exported, then use that cloned template to create your wildcard cert.
Open the certificate on a Windows machine > Install Certificate.
Select ‘Local Machine’ > Next.
Manually put the certificate in the ‘Personal’ container > OK > Next.
Now open an MMC console (Start > Run > mmc {enter}) File > Add Remove Snap-in > Certificates > Select ‘Local Computer’ > Open Personal > Certificates > Locate your cert > All Tasks > Export.
Note: Make sure there is a small key icon over the cert, if not create a new one or follow this article.
Yes ‘Export the private key’, (if you don’t see this page, then you have done something wrong).
Export as PKCS 12 (PFX) > Next.
Set a password, (you will need this in a minute, so don’t forget it) > Next.
Save the exported cert with a pfx extension > Next.
OK
Now EXPORT THE CERT AGAIN, this time you DO NOT want to export the private key. This time you want to export it as Base 64 (CER) > Follow the wizard and save it in the same location as the PFX file you exported earlier.
So now you should have two exported certificates like this;
Log into the NetScaler > Configuration > Traffic Management > SSL > Import PKCS#12.
Set the Output Name file to have a .key extension and call it something sensible > Browse to your PFX file > Enter the import password > Set a PEM passphrase (set it the same as the export password for simplicity) > OK.
Now navigate to Configuration > Traffic Management > SSL > Certificates > Add.
Again, give it a sensible name that you can identify, like the FQDN. Call it ‘certificate’ and you will have problems down the line when you have loads of certificates! For ‘Certificate File Name’ browse to the .CER file you exported earlier. For ‘Key File Name’ browse the appliance and select the .KEY file you created above. Type in the PEM password > Install.
You can now assign this certificate without error.
Originally we had TS Web in 2003, and while I had a little play with it, it basically just gave you RDP over the web, which would have been good if it ran over HTTP or HTTPS, but it didn’t. Also, as anyone who has ever done a complex Google search for “/tsweb” will testify, it left a nice big security hole into your servers.
With the release of Server 2008 we got TSWeb 2008, this was a whole different beast, and the web portal was very similar in operation to Citrix Web Presentation Server.
With Server 2008 R2, Terminal Services became Remote Desktop Services, so if you only have a couple of clients (i.e. don’t need an application farm etc,) then this might be just what you need, and buying licences for Remote Desktop Services is a LOT cheaper than buying the same licences plus Citrix licences that are about three times the price per seat.
I originally wrote this for TSWeb 2008, and updated it for Remote Desktop Services 2008 R2, I’ll leave the older information at the bottom for anyone who is still running 2008 R1.
Solution
Setup Remote Desktop Services Web Access on Server 2008 R2
1. In this example I’ve got a fresh server which is a domain member, and I’m going to put the Licensing server on the same box. From Server Manager (ServerManager.msc) > Roles > Add Roles > Next > Remote Desktop Services > Next > Next.
2. Everything is going on one server, you may want to split roles up in a larger production environment, but here we are adding Remote Desktop Session Host, Remote Desktop Licensing, Remote Desktop Gateway > Remote Desktop Web Access > Next > Next.
Note: When selecting role services, you will be prompted to “add required role services”, please do so.
3. I’m choosing the least secure method (choose this if you have older clients running older versions of the RDP client) > Next > Either select a Licensing model (per user or per device, or select configure later) > Next.
Note: The licensing model chosen MUST match the CALs that will be in the licensing server. (If you are unsure, configure it later; you will then have a 120 day grace period to sort it out).
4. Add in which user groups you want to allow access to the host server > Next.
5. Decide which options you want to allow, to enrich your end user experience > Next > I don’t need a scope as all my RD Servers will be 2008 R2; if you have TS servers as well you will need to configure a scope > Next.
6. If you already have a certificate you can select it here, I’m going to manually import the certificate into IIS at the end of the procedure > Select “Now” to configure the access policies > Next.
7. Add in which user groups you want to allow through the Remote Desktop Gateway > Next.
8. At the RDCAP screen, I’m just going to use passwords > Next > Then at the RDRAP screen, I’m going to allow connections TO ANY computer > Next > Next > let it install the Network Policy Server component > Next.
9. Install > Then go and have a coffee.
10. When completed, select yes to reboot which it will do (twice).
11. After you log back into Windows the installation will complete > Close.
Import and Enable a Digital Certificate in IIS7
12. Start > Administrative tools > Internet Information Services Manager > Select the {server-name} > Server certificates > From here you can either create a certificate request, or complete a request, and import a certificate.
13. Here is my certificate with the “friendly name” WebServer.
14. To enable my certificate right click the “Default Web Site” (Assuming that’s where you have RDWeb installed) > Edit Bindings.
15. Select HTTPS > Edit > And select your SSL certificate > OK.
16. Restart the website (or run “iisreset /noforce” from command line).
18. Anything that needs configuring will have a yellow warning triangle, or a red cross over it. First you will see it’s complaining that there are no computers in the “TS Web Access Computers” group.
19. That’s just a LOCAL group on the server itself; launch Server Manager > Configuration > Local Users and Groups > Groups > Locate the group.
20. Add in your groups as required > Apply > OK.
21. Back in the RemoteApp Manager > Check the RD Session Host Server > Settings (on the menu on the right) > Make sure the PUBLIC name (which will be the CN on your digital certificate) is displayed, NOT the LOCAL FQDN of the server. You can also tick the option (shown with the arrow) to display the RDP shortcut to your users on the web portal. > Apply > OK.
22. To do the next step, you need to have the applications you want to give to your users, actually installed on the server. > Either right click at the bottom, or select “Add RemoteApp Programs”.
23. Follow the wizard, and select the programs as required.
24. Click refresh > Make sure there’s no more red/yellow warnings > Close RemoteApp Manager.
25. To test it, connect to your server on https://{servername}/RDWeb and log in.
26. Your applications should be shown; give them a test. Here I’ll launch Outlook.
27. I already have Outlook configured on the Remote Desktop Server so mine just opens (your users will need to setup Outlook, if they don’t have a profile on the RD server already).
Setup Terminal Services Web Access on Server 2008 R1
1. Start > Server Manager (or Start > Run > CompMgmtLauncher.exe {Enter}) > Add Roles.
3. Select the application you require or browse to its Executable > Next. >
4. Finish.
Connecting from a client
1. On a Client PC open internet explorer > Navigate to http://{serverIP or name}/ts > Note: If you do not have ActiveX enabled and the latest RDP client you may see this error.
2. There’s your applications > simply select one.
3. Enter your login credentials.
4. Wait for the application to deploy.
5. And there you go 🙂
Out of the box Exchange 2007 and 2010 come with a “Self Signed” digital certificate. That’s OK for getting you up and running, but your Outlook clients may start to see the error below.
Error:
Security Alert
Information you exchange with this site cannot be viewed or changed by others. However, there is a problem with the sites security certificate.
The security certificate was issued by a company you have chosen not to trust. View the Certificate to determine whether you want to trust the certifying authority.
Solution
You have a number of options to stop this error.
Option 1 (This is WHAT YOU SHOULD DO!)
You should purchase a certificate signed by a trusted certification authority; these used to cost a fortune, but if you shop around you can pick them up very cheaply.
Option 2 (Free, and handy if you don’t have a lot of clients)
It still amazes me that people will pay out for a new server, and Exchange, but then refuse to buy a certificate. But if you’re reading this then that might well be you. You can choose to trust the certificate that’s being presented to you. You carry out this procedure on each Outlook client (if you have a lot of Outlook clients then skip to options 3 and 4).
1. First, start up Outlook and get the error message on the screen.
Install your own certification authority, and sign your own Exchange certificate. Great if you already have a CA, though it’s a mess about just to solve this problem.
Exchange 2013/2016 Migration Step 8 Migrating Certificates from 2010 to 2016
Only consider doing this if you have a purchased (i.e. NOT self signed) certificate on your Exchange 2010 server. Bear in mind that if you have the internal FQDN of your Exchange 2010 server as a SAN (Subject Alternative Name), then you cannot renew the certificate if it lasts longer than November 2013, so you might want to purchase a new one anyway.
Also make sure the public name of the server resolves to the public IP of the new server (or you change the port forwarding for HTTPS traffic to point to the new server).
1. On the Exchange 2010 Server > Launch the Exchange Management Console > Server Configuration > Select the certificate > Export Exchange Certificate.
2. Select a location to save the exported cert > supply a password > Next.
3. Finish.
4. On the Exchange 2013/2016 Server > Launch the Exchange Admin Center > Servers > Certificates > Select the ‘more options’ icon > Import Exchange Certificate.
5. Put in the path to where you saved the exported cert, and the password you used > Next.
6. Add in the Exchange 2016 Server > Finish.
7. Select the new certificate > Edit > Services > Select the service for which you want to use the certificate. Note: I don’t have Unified Messaging so I’m selecting all the other options > Save.
8. Answer ‘Yes’ to replace the self signed certificate that Exchange 2016 installs by default.
9. You can then open Outlook Web Access and give it a test (Remember to change the DNS records so that the Common Name on the certificate points to the new Exchange 2016 server).
Before doing this: Have a quick common sense check!
Do you need to migrate any Transport rules? (For Exchange Disclaimers etc).
Do you need to change any Journaling settings for your third party Email Archive solutions etc.
Do you need to replicate any receive connectors from the old email server to the new one? (For Scanners, Photocopiers, SharePoint, SQL Mail, SAP, etc).
1. Before we can retire the old server we need to remove its databases. Even though we have moved all the user mailboxes, if you try and delete the database it will complain that it’s not empty. This is because it will have either Archive or Arbitration mailboxes in it. To see, execute the following commands;
[box]
Get-Mailbox -Archive
Get-Mailbox -Arbitration
[/box]
OR, if you have multiple source databases, use the following syntax,
As you can see (in the diagram below) I have Arbitration mailboxes left in the old Exchange 2010 database. To move them use the following command. Note: Execute this command from the Exchange 2013 Server!
2. Wait a while and then check that they have moved. Note: You can check status with ‘Get-MoveRequest’.
3. In the Exchange Management Console > Organization Configuration > Mailbox > Database Management > Select the mailbox database > right click > Dismount Database.
4. Now Remove the database > Yes.
5. OK.
6. Offline Address Book Tab > Default Offline Address Book > Remove > Yes.
Note: If this OAB is still in use you will NOT be able to remove it. Go to the Address Book Policies tab > Change the default OAB from the 2010 one to the 2013 one.
7. If you try and remove the public folder database it will complain that it contains replicas, which you can’t remove. The easiest way I’ve found to remove it is as follows. Dismount the public folder database.
8. Then delete (or move if you are paranoid) the database file (.edb file) and the logs for this database.
9. Then mount the database > Yes to all > It will mount a blank empty database.
10. You can now delete the database without error.
11. OK.
12. Close Exchange System Manager > Start > In the search/run box >appwiz.cpl {Enter} > Locate Microsoft Exchange Server 2010 > Uninstall.
13. Next.
14. Untick all the installed roles > Untick Management tools > Next.
15. Uninstall.
16. Finish.
Exchange 2013/2016 Migration Step 9 ‘Finish Up’
Remember if you are keeping this server, you might want to delete all the database files which get left behind. You will also want to change your backup software so that it is pointing to the new mailboxes/databases.
Related Articles, References, Credits, or External Links
Thanks to Shawn Welker for the Arbitration/Archive feedback
Thanks to leandro.chiesa for the OAB feedback
Given the amount of ASA work I do it’s surprising that the first time I saw an ASA 5506-X was last week (I’ve been working on larger firewalls for a while). I’m probably going to have to do a few of these over the next couple of years so I’ll update this article as things surface.
Solution
Q: Can I just copy the config from an ASA 5505 to an ASA 5506-X?
A: No, though that would be nice. Truth be told, if the 5505 is running an OS newer than 8.3, about 90% of the config can be copied and pasted if you know what you are doing.
The ASA 5506 Interfaces are different.
Unlike its predecessor (and just about all other Cisco equipment), the interfaces start at number 1 (the 5505 starts at 0).
The 5506 Interfaces are the opposite way round (left to right).
The 5506 has IP addresses applied to its physical interfaces, whereas the 5505 had IP addresses applied to VLANs and then the physical interfaces were added to the appropriate VLAN. Note: the 5506 still supports VLANs (5, or 30 with a Security Plus license).*
*UPDATE: After version 9.7 this has changed (on the 5506-X); see the following article for an explanation;
So let’s say your 5505 has three interfaces called inside, outside, and DMZ, (yours might have different names, and you may only have two,) the relevant parts of the 5505 config would be;
VLAN Note: You might be wondering why no ports have been put into VLAN 1? By default all ports are in VLAN 1, so above, ports 0/1 and 0/3 to 0/7 are all in VLAN 1.
Outside IP Note: Yours may say ‘dhcp setroute’ if it does not have a static IP; that’s fine.
To convert that (assuming you are NOT going to use the BVI interface, see link above!);
If you use AnyConnect then prepare for a little hand wringing. The 5505 could support up to 25 SSLVPN connections. On a 5506 they are actually called AnyConnect now, and it supports up to 50.
There is no Essentials license for a 5506-X! Don’t bother looking, you need to get your head into AnyConnect 4 licensing, I’ve already written about that at length.
Q: Does this mean I can’t use my AnyConnect 3 (or earlier) packages in the new 5506?
A: Yes you can, but you will only get two connections, unless you purchase additional Apex/Plus licensing.
I’m working on the assumption that we are going to load in the AnyConnect 4 packages and use those. With that in mind if anyone manages to get them added to their Cisco profile without the ‘Additional Entitlement Required’ then contact me, and let me know how, (link at bottom). I have to ring Cisco and use my employers partner status to get the client software 🙁
In addition to getting new AnyConnect packages and loading them into the new 5506, if you have an AnyConnect XML profile, that will also need copying into the new firewall’s flash before you can paste the AnyConnect settings in.
Below you can see I’ve got a profile on my 5505.
Tools > File Transfer > File Transfer > Between Local PC and Flash. (Do the reverse to get the file(s) into the new 5506).
Note: You can also do this from CLI by copying the file to a TFTP server.
Below is a typical AnyConnect config from an ASA 5505, I’ve highlighted the lines that will cause you problems.
[box]
ip local pool ANYCONNECT-POOL 192.168.100.1-192.168.100.254 mask 255.255.255.0
object network OBJ-ANYCONNECT-SUBNET
subnet 192.168.100.0 255.255.255.0
!
webvpn
enable outside
anyconnect-essentials <-REMOVE THIS IT'S OBSOLETE
anyconnect image disk0:/anyconnect-win-3.1.05152-k9.pkg 1 <-REPLACE WITH ANYCONNECT 4
anyconnect image disk0:/anyconnect-macosx-i386-3.1.04063-k9.pkg 2 <-REPLACE WITH ANYCONNECT 4
anyconnect profiles SSL-VPN-POLICY disk0:/PeteNetLive-Profile.xml <-COPY OVER FIRST
anyconnect enable
tunnel-group-list enable
!
access-list SPLIT-TUNNEL standard permit 10.0.0.0 255.255.255.0
!
group-policy GroupPolicy_ANYCONNECT-PROFILE internal
group-policy GroupPolicy_ANYCONNECT-PROFILE attributes
vpn-tunnel-protocol ssl-client
dns-server value 10.0.0.10 10.0.0.11
wins-server none
split-tunnel-policy tunnelspecified
split-tunnel-network-list value SPLIT-TUNNEL
default-domain value petenetlive.com
split-tunnel-all-dns enable
webvpn
anyconnect profiles value SSL-VPN-POLICY type user
!
tunnel-group ANYCONNECT-PROFILE type remote-access
tunnel-group ANYCONNECT-PROFILE general-attributes
default-group-policy GroupPolicy_ANYCONNECT-PROFILE
address-pool ANYCONNECT-POOL
tunnel-group ANYCONNECT-PROFILE webvpn-attributes
group-alias ANYCONNECT-PROFILE enable
!
nat (inside,outside) 2 source static any any destination static OBJ-ANYCONNECT-SUBNET OBJ-ANYCONNECT-SUBNET no-proxy-arp route-lookup
!
[/box]
ASA Transferring Certificates From One ASA to Another
I appreciate a lot of you won’t be using certificates, and even if you use AnyConnect you just put up with the certificate error. That’s fine, but do me a favor? Before you do anything else, go and generate the RSA keys on your new 5506 (people forgetting to do this has caused me a LOT of grief over the years). So set the hostname and domain-name, and then generate the keys like so;
[box]
ciscoasa# configure terminal
Petes-ASA(config)# hostname Petes-ASA
Petes-ASA(config)# domain-name petenetlive.com
Petes-ASA(config)# crypto key generate rsa modulus 2048
INFO: The name for the keys will be: <Default-RSA-Key>
Keypair generation process begin. Please wait...
Petes-ASA(config)#
[/box]
OK, so if you are still reading this section, then you have at least one certificate that you need to move to the new firewall. For each scenario here’s what I recommend you do;
Self Signed Certificate from your own PKI / CA Server: Just generate a new cert for the new firewall and import it the same as you did on the old firewall.
Externally / Publicly signed certificate that you have paid for: This we will need to export, then import onto the new 5506. (Note: If there’s not much time left to run on the validity, it may be easier to get onto the certificate vendor and have a new one reissued, to save you having to replace it in a couple of months – just a thought).
If you have purchased a certificate you will have already gone through the process below;
The easiest option for you is to go where you purchased the cert, download it again, and import it into the new firewall. But here’s where you find out you forgot the username and password you used, or the guy who sorted this out has left the company, etc. If that is the case, all is not lost. You can export an identity certificate, either from the ASDM;
Cisco ASA Export Certificates From ASDM
Configuration > Device Management > Certificate Management > Identity Certificates > Select the certificate > Export > Choose a location and a ‘pass-phrase’.
Cisco ASA Export Certificates From Command Line.
To do the same at CLI the procedure is as follows;
[box]
Get Your Trustpoint(s) Names
Petes-ASA# show crypto ca trustpoints
Trustpoint ASDM_TrustPoint0:
Not authenticated.
Trustpoint PNL-Trustpoint-1:
Subject Name:
cn=PNL-DC-PROD-CA
dc=petenetlive
dc=com
Serial Number: 5ec427e4910fa2bf47e1269e7fdd7081
Certificate configured.
Then Export the Certificate(s) for that Trustpoint
Petes-ASA# configure terminal
Petes-ASA(config)# crypto ca export PNL-Trustpoint-1 pkcs12 Password123
Exported pkcs12 follows:
-----BEGIN PKCS12-----
MIISXwIBAzCCEhkGCSqGSIb3DQEHAaCCEgoEghIGMIISAjCCEf4GCSqGSIb3DQEH
BqCCEe8wghHrAgEAMIIR5AYJKoZIhvcNAQcBMBsGCiqGSIb3DQEMAQMwDQQId/f5
{{{{{{{LOTS OF OUTPUT REMOVED FOR THE SAKE OF BREVITY}}}}}}}}}}}
mLt/6QKDVig6ofxrnvP0tbh9Jmjwe4NkTsJUb+H+7JGvJoUsMD0wITAJBgUrDgMC
GgUABBRCPROoZsdSBfIpwVmvfSSoOxzNCAQUWJ/J9hTkuNd92u4Z3owgrrO3cYIC
AgQA
-----END PKCS12-----
Petes-ASA(config)#
[/box]
Cisco ASA Import Certificates From ASDM
Configuration > Device Management > Certificate Management > Identity Certificates > Add > Use the same Trustpoint name as the source firewall > Browse the file you exported earlier > Enter the passphrase > Add Certificate.
Cisco ASA Import Certificates From Command Line.
To do the same at CLI the procedure is as follows, Note: You need to paste in the text from the output.
[box]
Petes-ASA# configure terminal
Petes-ASA(config)# crypto ca import PNL-Trustpoint-1 pkcs12 Password123
Enter the base 64 encoded pkcs12.
End with the word "quit" on a line by itself:
-----BEGIN PKCS12-----
MIISXwIBAzCCEhkGCSqGSIb3DQEHAaCCEgoEghIGMIISAjCCEf4GCSqGSIb3DQEH
BqCCEe8wghHrAgEAMIIR5AYJKoZIhvcNAQcBMBsGCiqGSIb3DQEMAQMwDQQId/f5
{{{{{{{LOTS OF OUTPUT REMOVED FOR THE SAKE OF BREVITY}}}}}}}}}}}
mLt/6QKDVig6ofxrnvP0tbh9Jmjwe4NkTsJUb+H+7JGvJoUsMD0wITAJBgUrDgMC
GgUABBRCPROoZsdSBfIpwVmvfSSoOxzNCAQUWJ/J9hTkuNd92u4Z3owgrrO3cYIC
AgQA
-----END PKCS12-----
quit
INFO: Import PKCS12 operation completed successfully
Petes-ASA(config)#
[/box]
Assorted Firewall Migration ‘Gotchas’
Time (Clock Setting)
If you do any AAA via Kerberos or LDAP, then not having the time correct on the new ASA might get you locked out of it. I would always suggest setting up NTP, so do that before you restart.
Not on the ASA, but on the devices the ASA is connecting to (routers and switches etc). Unplug an ASA 5505 and plug in an ASA 5506, and nine times out of ten you will not get comms. This is because the device you are connecting to has cached the MAC address of the old firewall in its ARP cache. So either reboot the device (or, if that’s not practical, lower the ARP cache timeout to about 30 seconds).
ASA 5505 to 5506 Config To Copy And Paste
Below I’ll put a full config for an ASA 5505. If the text is normal, the commands can be copied and pasted directly into the new firewall. If the text is RED, then you can NOT, and I will have outlined the problems above.