Monday, October 21, 2013

Backup Certs from Cisco ASA

Understand and Back up Certs from Cisco ASA

Backing up your certificates and private keys is a vital part of Cisco ASA administration. Here is a walkthrough to help even someone who isn't familiar with certificate types get their private key and certificate in clear-text.

This walk-through assumes someone has already installed an identity certificate on your Cisco ASA. That means the key pair (private and public key) and the certificate are stored on the ASA, in a trustpoint, and we can go and get them.

Step 1: Get the Right Tools

Certificates and cryptography can seem arcane, because relatively few people work with them day to day. The tool you need to back up and convert certificates usually comes with Linux and macOS, but it is not part of Windows, so on Windows you have to install it yourself.

The de facto standard in this area is called OpenSSL. You can read about it here: http://www.openssl.org/

Here's how to download and extract/install it on Windows:
1. The OpenSSL project itself does not ship Windows binaries, but third-party builds compiled for Windows exist; go to the download page of one of them.

2. Look down the list and download the build that matches your Windows. At the time of writing that was:
Windows 32-bit: Win32 OpenSSL v1.0.1e
Windows 64-bit: Win64 OpenSSL v1.0.1e
Take the current release rather than these exact versions: 1.0.1e was the newest build when this was written, and it predates later security fixes (it is one of the versions affected by Heartbleed).

3. Unzip the file to a location of your choosing. I put it directly on the C: drive for quick access.

Step 2: Get the Certificate from your Cisco ASA/Firewall

1. Open the Cisco ASDM

2. In the top left, click "Configuration"

3. In the bottom left, click "Device Management."

4. In the left column, expand "Certificate Management" and click "Identity Certificates"

5. Click on the certificate you'd like to export and click "Export" in the right column.

6. Choose where to save it. The file is a PKCS#12 bundle, conventionally given the extension .pfx, though ASDM won't add that for you. Set an encryption passphrase, for two reasons:
a) The passphrase is part of the PKCS#12 format (it derives the key that protects the private key inside the file), and in practice the export does not complete without one.
b) These are the keys to your crypto kingdom. Anyone who obtains the private key can impersonate your ASA to its clients (VPN users, ASDM sessions, anything that trusts that certificate) and, for sessions negotiated without forward secrecy, decrypt captured traffic -- not something you want to have to clean up.

7. Copy the certificate to a known location on your local computer.

Step 3: OpenSSL Magicks!, or: How to Convert from Base64 Encoding to Binary

Now's the time for some arcane OpenSSL commands. The ASA exports the PKCS#12 bundle as base64 text, while the Windows certificate importer (and most other tools) expect the binary DER form. Let's convert it:

1. Open the command line. You do not need administrator privileges for this: you only need write access to the folder you put the certificate in (one you own, such as C:\TempCerts). Running OpenSSL elevated gains nothing and just means any mistake runs as admin.

2. Navigate to the root directory for OpenSSL. This is where you stored your files when you unzipped OpenSSL. You'll want to find the directory where OpenSSL.exe is. For me, that's: C:\OpenSSL-Win64\bin

3. Type your version of this command to decode the cert from base64 to binary:
openssl.exe base64 -d -in "C:\TempCerts\CiscoASACertExportBase64.pfx" -out "C:\TempCerts\CiscoASACertBinary.pfx"

If the exported file begins with a -----BEGIN PKCS12----- line and ends with -----END PKCS12----- (the CLI export wraps it that way), delete those two lines first: the base64 decoder stops at the first line that isn't base64 and leaves you with an empty or truncated output file.

If that all works, you'll see something like this:
WARNING: can't open config file: C:\OpenSSL\bin\openssl.cfg

Not to worry: the Windows build was compiled with that default path for its config file, and the base64 command doesn't need one. Check your output directory and make sure the binary file has some size other than 0 KB. A stricter check is that its first byte is 30 in hex (the ASN.1 SEQUENCE tag every DER file starts with), or that OpenSSL's pkcs12 command with -info and -noout parses it and accepts your export passphrase without an error. If so, you're golden.

Step 4 (optional): Get your Private Key and Cert in ClearText

WARNING: This is not required. Do this only if you need to get your private key and certificate in clear-text. Again, these are the keys to your kingdom and should not be distributed. 

1. Run a single command, and enter the export passphrase when OpenSSL prompts for the import password:
openssl.exe pkcs12 -in "C:\TempCerts\CiscoASACertBinary.pfx" -out "C:\TempCerts\CiscoASACertBinaryPEM.pem" -nodes

The private key is always written out by this command; what "-nodes" ("no DES") does is write it unencrypted, so the file is plain text instead of a passphrase-protected key. Without -nodes, OpenSSL would prompt you for a new PEM passphrase instead. (OpenSSL 3 spells the option -noenc, but still accepts -nodes.) You'll get a new file in your target directory called CiscoASACertBinaryPEM.pem. Open it with Notepad (or Notepad++, a great text editor for all kinds of stuff) and you'll see the certificate, the private key and any CA certificates in clear-text, each in its own -----BEGIN ...----- block. If you only want the certificate, add -nokeys; if you only want the key, add -nocerts.

Two caveats. An OpenSSL 3 build may refuse an older PKCS#12 file with an "unsupported" algorithm error, because such files were commonly protected with RC2-40 and 3DES; its pkcs12 command has a -legacy option for exactly that case. And once this PEM file exists, the key sits on disk with no protection at all, so keep it somewhere only you can read and delete it when you are done.
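The whole pipeline from Step 3 and Step 4, written as POSIX shell functions over the openssl command line (the same openssl invocations work with openssl.exe on Windows). This is an added example, not code from the original post or from Cisco. The function names are this example's own, and its self-test does not touch a firewall: it builds a constructed stand-in for a CLI export (a self-signed certificate wrapped as a passphrase-protected PKCS#12, base64-encoded with the -----BEGIN/END PKCS12----- lines and CRLF line endings) and round-trips it, so it runs offline.

```shell
#!/bin/sh
# Added example (not from the original post or from Cisco): the Step 3 and
# Step 4 OpenSSL pipeline as shell functions, with a self-test that builds a
# constructed stand-in for an ASA export and round-trips it. Function names
# are this example's own. Needs only the openssl CLI; the same openssl
# invocations work with openssl.exe on Windows.
set -eu

# Step 3: base64 text -> binary (DER) PKCS#12.
# CLI exports wrap the base64 in -----BEGIN/END PKCS12----- lines, and
# 'openssl base64 -d' stops at the first non-base64 line, possibly with
# exit status 0 and an empty output file, so strip them (and CRLF) first.
asa_b64_to_pfx() {
    src="$1"; dst="$2"
    tr -d '\r' < "$src" | grep -v '^-----' | openssl base64 -d -out "$dst"
    # DER begins with an ASN.1 SEQUENCE tag, 0x30; anything else means
    # the decode produced nothing or garbage.
    first=$(head -c 1 "$dst" | od -An -tx1 | tr -d ' \n')
    [ "$first" = "30" ] || { echo "decode failed (first byte '0x$first')" >&2; return 1; }
}

# Parse the bundle and verify its MAC with the export passphrase.
# -noout keeps the key off the terminal; the exit status is the result.
pfx_check() {
    openssl pkcs12 -in "$1" -info -noout -passin "pass:$2"
}

# Step 4: unwrap to PEM. The key is always written; -nodes only means it
# is written unencrypted, so lock the file down as soon as it exists.
pfx_to_pem() {
    openssl pkcs12 -in "$1" -out "$2" -nodes -passin "pass:$3"
    chmod 600 "$2"
}

# Check that the private key and certificate in a PEM bundle belong
# together by comparing the public key derived from each.
pem_key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null)
    c=$(openssl x509 -in "$1" -pubkey -noout 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Constructed stand-in for a CLI export (NOT a real ASA file): self-signed
# cert + key, wrapped as passphrase-protected PKCS#12, base64 with the
# header lines and CRLF line endings. Prints the path of the text file.
make_fake_export() {
    dir="$1"; pass="$2"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=asa.example.test" \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" 2>/dev/null
    openssl pkcs12 -export -name asa-identity -inkey "$dir/key.pem" \
        -in "$dir/cert.pem" -passout "pass:$pass" -out "$dir/export.bin"
    { echo '-----BEGIN PKCS12-----'
      openssl base64 -in "$dir/export.bin"
      echo '-----END PKCS12-----'
    } | awk '{printf "%s\r\n", $0}' > "$dir/export.pfx"
    echo "$dir/export.pfx"
}

# Round-trip the constructed export; prints the resulting PEM path.
selftest() {
    dir=$(mktemp -d); pass='correct horse'
    b64=$(make_fake_export "$dir" "$pass")
    asa_b64_to_pfx "$b64" "$dir/export.bin.pfx"
    pfx_check "$dir/export.bin.pfx" "$pass" >/dev/null 2>&1
    if pfx_check "$dir/export.bin.pfx" "wrong pass" >/dev/null 2>&1; then
        echo "wrong passphrase was accepted" >&2; return 1
    fi
    pfx_to_pem "$dir/export.bin.pfx" "$dir/export.pem" "$pass" 2>/dev/null
    pem_key_matches_cert "$dir/export.pem"
    echo "$dir/export.pem"
}

case "${1:-}" in
    decode)   asa_b64_to_pfx "$2" "$3" ;;
    check)    pfx_check "$2" "$3" && echo "PKCS#12 OK" ;;
    unwrap)   pfx_to_pem "$2" "$3" "$4" ;;
    selftest) selftest ;;
    '')       ;;   # sourced or run without arguments: define functions only
    *)        echo "usage: $0 decode IN OUT | check PFX PASS | unwrap PFX OUT PASS | selftest" >&2; exit 2 ;;
esac
```

Run it as "sh asa_pfx.sh selftest" to round-trip the constructed export; "decode", "check" and "unwrap" take the paths and passphrase of a real export. The decode step checks the first byte of its output because a base64 decode that runs into a non-base64 line can exit 0 and still leave an empty or truncated file, and the check steps rely on exit status rather than printed output so that the key material stays off the terminal.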

Good luck!
