ASA certificates and OpenSSL

While messing with a Cisco ASA, I needed to pull a certificate out of the config. When I tried to parse it with openssl, openssl wasn’t pleased with the PKCS12 format file the ASA claims to have exported:

139708630054816:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:\
   wrong tag:tasn_dec.c:1319:
139708630054816:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:\
   nested asn1 error:tasn_dec.c:381:Type=PKCS12

Even Windows wouldn’t have a bar of it, which is unsurprising. Its certificate handling’s for shit anyway. I found the answer here on StackOverflow (of course): OpenSSL cannot convert PKCS12 exported from Cisco ASA 55xx.

Exporting the file as certfile.pfx, I then used the enc command to convert it from the ASA’s Base64 format to OpenSSL’s binary format:

$ openssl enc -base64 -d -in certfile.pfx -out converted.pfx

The -d flag is “decrypt” :) With -base64 and no cipher named, it simply decodes the Base64.

To get the cert and key out into a single bundle file, run the following command:

$ openssl pkcs12 -in converted.pfx -out bundle.pem -clcerts -nodes

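This will put it in the usual pair-of-PEMs format, allowing you to use them in another system as you would with normal PEM files. :) Note that -clcerts leaves out any CA certificates and -nodes writes the private key unencrypted, so lock down bundle.pem accordingly.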
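Why the raw export trips "wrong tag" and what the Base64 decode step fixes, as an added Python example (not from the original post or the StackOverflow answer). It checks that a file starts with the DER SEQUENCE byte a PKCS12 parser expects and decodes it if not. The `-----BEGIN PKCS12-----` delimiter lines, the function names and the sample bytes are assumptions constructed for illustration.

```python
import base64
import binascii
import re

# Assumption: the export may carry "-----BEGIN PKCS12-----" style delimiter lines.
_ARMOR = re.compile(rb"^-----(BEGIN|END) [A-Z0-9 ]+-----\s*$", re.M)


def der_total_length(blob: bytes) -> int:
    """Return header + body length of the outer DER SEQUENCE, or raise ValueError."""
    if blob[:1] != b"\x30":
        # A Base64 export starts with 'M' or '-', which the ASN.1 decoder rejects.
        raise ValueError(f"wrong tag: starts with {blob[:1]!r}, expected DER SEQUENCE (0x30)")
    if len(blob) < 2:
        raise ValueError("truncated DER header")
    first = blob[1]
    if first < 0x80:                      # short form: one length byte
        return 2 + first
    n = first & 0x7F                      # long form: next n bytes hold the length
    if n == 0 or n > 4 or len(blob) < 2 + n:
        raise ValueError("unsupported or truncated DER length")
    return 2 + n + int.from_bytes(blob[2:2 + n], "big")


def normalize_pkcs12(raw: bytes) -> bytes:
    """Return binary (DER) PKCS12 from either a DER file or a Base64 text export."""
    if raw[:1] == b"\x30":
        der = raw                         # already binary, nothing to decode
    else:
        body = _ARMOR.sub(b"", raw)       # drop delimiter lines if present
        body = b"".join(body.split())     # drop LF / CRLF line wrapping
        try:
            der = base64.b64decode(body, validate=True)
        except binascii.Error as exc:
            raise ValueError(f"not DER and not valid Base64: {exc}") from exc
    if der_total_length(der) != len(der):
        raise ValueError("DER length does not match data size (truncated copy/paste?)")
    return der


# Constructed sample: a 5-byte stand-in (SEQUENCE { INTEGER 3 }), not a real keystore.
SAMPLE_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x03])
SAMPLE_ASA = (b"-----BEGIN PKCS12-----\r\n" + base64.b64encode(SAMPLE_DER)
              + b"\r\n-----END PKCS12-----\r\n")

if __name__ == "__main__":
    print(normalize_pkcs12(SAMPLE_ASA).hex())
```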