Go to the top

Importing SSL Key and Certificate on ASA for Anyconnect – CLI

Ziaul / Network Security, VPN /

Below are the steps to successfully import and use third party SSL certificate on ASA for Clientless SSLVPN and the AnyConnect client connections. Its fairly simple when the key is generated and CSR requested from ASA and then 3rd party certificate is imported. The steps below would focus the situation where the certificate already exists on different hardware and we would need to import the key and certificate on ASA hardware via CLI.


  • From different vendor hardware, the certificate would need to be exported as  PKCS12 format (.pfx). It would include the private key and the certificate.
  • Using OpenSSL the .pfx file would need to be exported as .base64. Process to install OpenSSL in winsows is here (02/08/2018). I have installed using Win64 OpenSSL v1.1.0h. Further guideline is available here (02/08/2018).
openssl base64 -in xxxxx.pfx -out xxxxx.base64
  • On ASA the certificate and key can now be imported. The pass-phase will be the same that was set during export. Please note that no trustpoint would need to be created beforehand. The key and certificate would be imported and trustpoint would be created.
crypto ca import trustpoint-name pkcs12 pass-phrase
Enter the base 64 encoded pkcs12.
End with the word "quit" on a line by itself:
INFO: Import PKCS12 operation completed successfully
  • Link the newly created trustpoint to the appropriate interface
ssl trust-point trustpoint-name outside



show crypto ca certificate



Leave a Comment