Using the encryption capabilities of the SSL VPN device requires adding a key and certificate

that conforms to the X.509 standard to the SSL VPN device. If you have more than one SSL

VPN device in a cluster, the key and certificate need only be added to one of the devices. As

with configuration changes, the information is automatically propagated to all other devices in

NOTE – When using an ASA 310-FIPS running in FIPS mode, the private key associated with

a certificate cannot be imported. All private keys must be generated on the HSM card itself due

There are two ways to install a key and certificate into the SSL VPN device:

Copy-and-paste the key/certificate.

Download the key/certificate from a TFTP/FTP server.

The SSL VPN device supports importing certificates and keys in these formats:

PEM

NET

DER

PKCS7 (certificate only)

PKCS8 (keys only, used in WebLogic)

PKCS12 (also known as PFX)

Besides these formats, keys in the proprietary format used in MS IIS 4 can be imported by the

SSL VPN device, as wells as keys from Netscape Enterprise Server or iPlanet Server. Importing

keys from Netscape Enterprise Server or iPlanet Server however, require that you first use

a conversion tool. For more information about the conversion tool, contact Nortel Networks.

When it comes to exporting certificates and keys from the SSL VPN device, you can specify to

save in the PEM, NET, DER, or PKCS12 format when using the export command. If you

choose to use the display command (which requires a copy-and-paste operation), you are

restricted to saving certificates and keys in the PEM format only.

NOTE – When performing a copy-and-paste operation to add a certificate or key, you must

always use the PEM format.

Copy-and-Paste Certificates

The following steps demonstrate how to add a certificate using the copy-and-paste method.

NOTE – If you connect to one of the SSL VPN devices in the cluster by using a console connection, note that HyperTerminal under Microsoft Windows may be slow to complete copyand-paste operations. If your security policy permits enabling Telnet or SSH access to the SSLVPN device, use a Telnet or SSH client and connect to the Management IP address instead.

1. Type the following command from the Main menu prompt to start adding a certificate.

In most cases you should specify the same certificate number as the certificate number you

used when generating the CSR. By doing so, you do not have to add the private key because

this key remains connected to the certificate number that you used when you generated the

CSR.

If you have obtained a key and a certificate by other means than generating a CSR using the

request command on the SSL VPN device, specify a certificate number not used by a configured

certificate before pasting the certificate. If the private key and the certificate are not

contained in the same file, use the key or import command to add the corresponding private

key.

To view basic information about configured certificates, use the /info/certs command.

The information displayed lists all configured certificates by their main attributes.

2. Copy the contents of your certificate file.

Open the certificate file you have received from a CA in a text editor and copy the entire contents.

Make sure the selected text includes the “-----BEGIN CERTIFICATE-----” and

“-----END CERTIFICATE-----” lines.

3. Paste the contents of the certificate file at the command prompt.

Now, paste the certificate at the command line interface prompt, press ENTER to create a new

empty line, and then type “ ... ” (without the quotation marks). Press ENTER again to complete

the installation of the certificate.

>> Main# cfg/ssl/cert

Enter certificate number: (1-) <number of the certificate you want to configure>

>> Certificate 1# cert

Paste the certificate, press Enter to create a new line, and then

type "..." (without the quotation marks) to terminate.

>Your screen output should now resemble the following example:

>> Certificate 1# cert

Paste the certificate, press Enter to create a new line, and then

type "..." (without the quotation marks) to terminate.

> -----BEGIN CERTIFICATE-----

> MIIDTDCCArWgAwIBAgIBADANBgkqhkiG9w0BAQQFADB9MQswCQYDVQQGEwJzZTEO

> MAwGA1UECBMFa2lzdGExEjAQBgNVBAcTCXN0b2NraG9sbTEMMAoGA1UEChMDZG9j

> MQ0wCwYDVQQLEwRibHVlMRIwEAYDVQQDEwl3d3cuYS5jb20xGTAXBgkqhkiG9w0B

> CQEWCnR0dEBjY2MuZG4wHhcNMDAxMjIyMDkxOTI0WhcNMDExMjIyMDkxOTI0WjB9

> MQswCQYDVQQGEwJzZTEOMAwGA1UECBMFa2lzdGExEjAQBgNVBAcTCXN0b2NraG9s

> bTEMMAoGA1UEChMDZG9jMQ0wCwYDVQQLEwRibHVlMRIwEAYDVQQDEwl3d3cuYS5j

> b20xGTAXBgkqhkiG9w0BCQEWCnR0dEBjY2MuZG4wgZ8wDQYJKoZIhvcNAQEBBQAD

> gY0AMIGJAoGBALXym9cIVfHZUZFE1MFi+xefDviIEvilnJAQSSPITnZa69fzGcL3

> vpQv0NLxNffs1jEw4RPDMKu2rQ9N02EiiJcrCHnaSNZPdwGoX39IkEUkANzm3mh2

> DlP1RfW4ejpNKsG5Tme/e1vFYWXeXXI1oRtdPIaVGxK8pvqBEHDXCcJlAgMBAAGj

> gdswgdgwHQYDVR0OBBYEFJBM3K0KB03fpCOVrQCC34hovwM8MIGoBgNVHSMEgaAw

> gZ2AFJBM3K0KB03fpCOVrQCC34hovwM8oYGBpH8wfTELMAkGA1UEBhMCc2UxDjAM

> BgNVBAgTBWtpc3RhMRIwEAYDVQQHEwlzdG9ja2hvbG0xDDAKBgNVBAoTA2RvYzEN

> MAsGA1UECxMEYmx1ZTESMBAGA1UEAxMJd3d3LmEuY29tMRkwFwYJKoZIhvcNAQkB

> Fgp0dHRAY2NjLmRuggEAMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEEBQADgYEA

> m/GKwEyDKCm2qdPt8+pz1znSGNaRTxfK1R0mjtnDGFb0qk+Bv7d9YlX+1QTZhxnZ

> Z4JXuWPJS36kAwiirVbOIaIforIVa+IUlo8HUjMvxzIqCYPiiDwBcBi3NsvjlFM7

> i24Q+lvDLE/Ko+x/YEnNukfp3SBXiJqZ8WZIvbTCyT4=

> -----END CERTIFICATE-----

> ...

Certificate added.

NOTE – Depending on the type of certificate the CA generates (registered or chain), your certificate may appear substantially different from the one shown above. Be sure to copy and

paste the entire contents of the certificate file.

4. Apply your changes.

If you have used the request command on the SSL VPN device to generate a CSR, and have

specified the same certificate number as the CSR when pasting the contents of the certificate

file, your certificate is now fully installed.

If you have obtained a certificate by other means, however, you must also add the corresponding

private key.

Copy-and-Paste Private Key

1. Type the following command from the Main menu prompt to start adding a private key.

Make sure you specify the same certificate number as when pasting the certificate.

2. Copy the contents of your private key file.

Locate the file containing your private key. Make sure the key file corresponds with the certificate

file you have received from a CA. The public key contained in the certificate works in

concert with the related private key when handling SSL transactions.

Open the key file in a text editor and copy the entire contents. Make sure the selected text

includes the “-----BEGIN RSA PRIVATE KEY-----” and “-----END RSA PRIVATE

KEY-----” lines.

3. Paste the contents of the key file at the command prompt.

Now, paste the private key at the command line interface prompt. Press ENTER to create a

new row, and then type “ ... ” (without the quotation marks). Press ENTER again to complete

the installation of the key.

You may be prompted for a password phrase after having completed the paste operation. The

password phrase you are requested to type is the one you specified when creating (or exporting)

the private key.

>> Main# cfg/ssl/cert

Enter certificate number: (1-) <number of the certificate you want to configure>

>> Certificate 1# key

Paste the key, press Enter to create a new line, and then type "..."

(without the quotation marks) to terminate.

>Your screen output should now resemble the following example.

Your certificate and private key is now fully installed and ready to be taken into use by a virtual

SSL server. To view information about configured certificates and SSL servers, use the

/cfg/ssl/cur command.

>> Certificate 1# key

Paste the key, press Enter to create a new line, and then type "..."

(without the quotation marks) to terminate.

> -----BEGIN RSA PRIVATE KEY-----

> Proc-Type: 4,ENCRYPTED

> DEK-Info: DES-EDE3-CBC,2C60C89FEB57A853

>

> MbbLDYlwdbNfXUGHFm10nfRlI+KTnx2Bdx750EaG8HSVV7KrtnsNF/Fsz1jFvO/j

> nKhZfs4zsVrsstrVlqfP1uatg19VyJSEug1ZcCamH59Dcy+UNocFWCzR56PHpyZK

> GXX66jS+6twYdiXQk58URIudkmGXGTYMvBRuVjV22ZRLyJk41Az5nA6HiDz6GGs6

> vkCaPFGm263KxmXjy/okNgSJl9QTqJfSq7Eh1cIslBReAE9HXGl0Eubb6gVJu+sR

> mGhS/yGx4vMx98wiMjL37gRtXBfDWlu6u0HOPeJxs6fH05fYzmnpwAHj592TDFds

> Ji5pmrY0NhAeXfuG8mF/T9nEz02ZA8iQGJsaUPfkeBxbZS+umY/R65Okwt1k2RN4

> RlFnmRWqvhHMrHzJuegez/806YazHBv74sOg3KgETRH92z5yvwbgFwmffgb+hai0

> RlRtZgQ4A5kSAFYW37KDq6eJBsZ/m3Que1buMbh8tRxdGpo54+bGqu5b12iLanLn

> Rk57ENQGTgzxOD/1RZIJHqObCY7VDLkK7WZM/LPa0k+bTeAysmZa7fu7gvELJF0i

> vszs3nzm7zT1y0mJ0QX9u9eoW8wpASCAdCC2r2LZt8o9+IWLSZWh5UCIr8qFKGiL

> rUIx8coIhxSpx/PqEV8KhSRV+0taq0N7pJa3TLmO3o80t5966VSFKc3Y35fx9Yk8

> G+RlSzo4CxooY4bCKsfchnJ957SJx5vUyh6jjztnuU4iAfeTVCUdF0LXd+NlQ7T7

> IMFsjjx9SZuuHPZTF0KD/WYLx7FfIFIBHDumu6scraYZOaWaJKI5Pw==

> -----END RSA PRIVATE KEY-----

> ...

Enter pass phrase:

Key added

>> Certificate 1# apply

4. Apply your changes.

Changes applied successfully.

Using TFTP or FTP to Add Certificates and Keys

The following is an example of how to input a certificate into the SSL VPN device using TFTP

or FTP.

1. Put the certificate file and key file on your TFTP/FTP server.

NOTE – You may arrange to include your private key in the certificate file. When the specified

certificate file is retrieved from the TFTP/FTP server, the SSL VPN software will analyze the

contents and automatically add the private key, if present (the screen output displays “Certificate

added” and “Key added” in this case). If the private key is included, you do not have to

perform step 3.

2. Initiate the process of adding a certificate using TFTP or FTP.

Type the command /cfg/ssl/cert and press ENTER. Specify an unused certificate index

number, and then type the command import .

Make sure to specify a certificate number not in use by an existing certificate. To view basic

information about all configured certificates, use the /info/certs command.

Provided the operation was successful, your screen output should resemble the following

example:

>> Main# cfg/ssl/cert

Enter certificate number: (1-) <number of the certificate you want to configure>

>> Certificate 1# import

Select TFTP or FTP (tftp/ftp) [tftp]: <transfer method>

Enter host name or IP address of server: <server host name or IP address>

Enter filename on server: <filename.crt>

Retrieving filename.crt from server

>> Certificate 1# import

Select TFTP or FTP (tftp/ftp) [tftp]: ftp

Enter host name or IP address of server: 192.168.128.58

Enter filename on server: VIP_1.crt

Retrieving VIP_1.crt from 192.168.128.58

Key added.

Certificate added.

3. Add your private key using TFTP or FTP.

Type the command import and press ENTER. Provide the required information. You may be

prompted for a password phrase (if specified when creating or exporting the private key).

Provided the operation was successful, your screen output should resemble the following

example:

Your certificate and private key is now fully installed and ready to be taken into use by a virtual

SSL server. To view basic information about configured certificates and SSL servers, use

the /cfg/ssl/cur command.

>> Certificate 1# import

Select TFTP or FTP (tftp/ftp) [tftp]: <transfer method>

Enter host name or IP address of server: <server host name or IP address>

Enter filename on server: <filename.key>

Retrieving filename.key from server

Enter pass phrase:

>> Certificate 1# import

Select TFTP or FTP (tftp/ftp) [tftp]: ftp

Enter host name or IP address of server: 192.168.128.58

Enter filename on server: VIP_1.key

Retrieving VIP_1.key from 192.168.128.58

Enter pass phrase:

Key added.

4. Apply your changes.

>> Certificate 1# apply

Changes applied successfully.

Update Existing Certificate Whenever you wish to substitute an existing certificate for a new certificate, you should keep the existing certificate until it is verified that the new certificate works as designed. Create a New Certificate 1. Check the certificate numbers currently in use. If e.g. two different certificates exist as Certificate 1 and Certificate 2, create Certificate 3 for your new certificate. 2. Add a certificate with a new certificate number. 3. Add the new certificate according to the instructions as shown above. 4. Apply the new certificate to the desired servers. After you have tested that the new certificate works fine on your SSL servers you may delete the old certificate(s). >> Main# cfg/ssl/ >> SSL# cur >> SSL# cert Enter certificate number: (1-1500) 3 Creating Certificate 3 >> SSL# server Enter virtual server number: (1-256) 1 >> Server 1# ssl >> SSL Settings# cert Current value: 2 Enter certificate number: (1-1500) 3

These instructions were taken from the "User's Guide for SSL Acceleration - SSL VPN v.4.2" available on the Nortel homepage at the following link