===== Cisco ASA SSL Certificates =====

{{tag>Cisco ASA}}

Import an SSL certificate generated on a separate system with [[linux:openssl|OpenSSL]].

  ASA# conf t
  ASA(config)# crypto ca trustpoint 2016-09-23-ca.root.crt
  ASA(config-ca-trustpoint)# enrollment terminal
  ASA(config-ca-trustpoint)# exit
  ASA(config)# crypto ca authenticate 2016-09-23-ca.root.crt
  Enter the base 64 encoded CA certificate.
  End with the word "quit" on a line by itself
  -----BEGIN CERTIFICATE-----
  MII CA certificate chain ==
  -----END CERTIFICATE-----
  quit
  
  INFO: Certificate has the following attributes:
  Fingerprint: 12345678 90abcde f1234567 890acbde
  Do you accept this certificate? [yes/no]: yes
  
  Trustpoint '2016-09-23-ca.root.crt' is a subordinate CA and holds a non self-signed certificate.
  Trustpoint CA certificate accepted.
  
  % Certificate successfully imported
  ASA(config)# crypto ca trustpoint 2016-09-23-vpn.domain.tld.crt
  ASA(config-ca-trustpoint)# enrollment terminal
  ASA(config-ca-trustpoint)# exit
  ASA(config)# crypto ca import 2016-09-23-vpn.domain.tld.crt pkcs12 PKCS12PASSWORD
  Enter the base 64 encoded pkcs12.
  End with the word "quit" on a line by itself:
  MII vpn.domain.tld certificate ==
  quit
  INFO: Import PKCS12 operation completed successfully
  ASA(config)#
  ASA(config)# ssl trust-point 2016-09-23-vpn.domain.tld.crt outside
  ASA(config)#

If you would like to renew an existing certificate without re-keying it, you will need to create a new CSR that uses the existing key and then use the new pending CSR to install the renewed certificate. You will also need to obtain the renewed certificate from your certificate authority.
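
Both the PKCS12 import and the renewal without re-keying only work if the private key, the CSR and the issued certificate carry the same public key. The shell helpers below are an added example, not part of the original page: function names and file names are hypothetical, and only standard ''openssl'' subcommands are used on the separate OpenSSL system.

```shell
#!/bin/sh
# Added example, not from the original page. Function names are hypothetical.

# Print the PEM public key held by a private key, CSR or certificate.
pubkey_of() {   # kind file
    case "$1" in
        key)  openssl pkey -in "$2" -pubout ;;
        csr)  openssl req  -in "$2" -noout -pubkey ;;
        cert) openssl x509 -in "$2" -noout -pubkey ;;
        *)    return 2 ;;
    esac
}

# Succeed only if both objects carry the same public key.
same_key() {   # kind1 file1 kind2 file2
    a=$(pubkey_of "$1" "$2" 2>/dev/null) || return 2
    b=$(pubkey_of "$3" "$4" 2>/dev/null) || return 2
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Renewal without re-keying: a new CSR signed by the existing key.
renewal_csr() {   # key subject out.csr
    openssl req -new -key "$1" -subj "$2" -out "$3"
}

# Bundle key, certificate and CA chain, then print the base64 text that
# "crypto ca import <trustpoint> pkcs12 <password>" prompts for.
# The password comes from a file so it does not appear in the process list.
asa_pkcs12_b64() {   # key cert chain password_file
    same_key key "$1" cert "$2" || { echo "key/cert mismatch" >&2; return 1; }
    p12=$(mktemp) || return 1
    openssl pkcs12 -export -inkey "$1" -in "$2" -certfile "$3" \
        -passout "file:$4" -out "$p12" && openssl base64 -in "$p12"
    rc=$?
    rm -f "$p12"
    return "$rc"
}
```

Paste the text printed by ''asa_pkcs12_b64'' at the ASA's base64 prompt and end with ''quit'' on a line by itself, as in the session above.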