Import SSL Certificate generated separate system with OpenSSL.
ASA# conf t ASA(config)# crypto ca trustpoint 2016-09-23-ca.root.crt ASA(config-ca-trustpoint)# enrollment terminal ASA(config-ca-trustpoint)# exit ASA(config)# crypto ca authenticate 2016-09-23-ca.root.crt Enter the base 64 encoded CA certificate. End with the word "quit" on a line by itself -----BEGIN CERTIFICATE----- MII CA certificate chain == -----END CERTIFICATE----- quit INFO: Certificate has the following attributes: Fingerprint: 12345678 90abcde f1234567 890acbde Do you accept this certificate? [yes/no]: yes Trustpoint '2016-09-23-ca.root.crt’ is a subordinate CA and holds a non self-signed certificate. Trustpoint CA certificate accepted. % Certificate successfully imported ASA(config)# crypto ca trustpoint 2016-09-23-vpn.domain.tld.crt ASA(config-ca-trustpoint)# enrollment terminal ASA(config-ca-trustpoint)# exit ASA(config)# crypto ca import 2016-09-23-vpn.domain.tld.crt pkcs12 PKCS12PASSWORD Enter the base 64 encoded pkcs12. End with the word "quit" on a line by itself: MII vpn.domain.tld certificate == quit INFO: Import PKCS12 operation completed successfully ASA(config)# ASA(config)# ssl trust-point 2016-09-23-vpn.domain.tld.crt outside ASA(config)#
If you would like to renew an existing certificate without re-keying the certificate you will need to create a new CSR that uses the existing key and then use the new pending CSR to install the renewed certificate. You will also need to obtain the renewed certificate from your certificate authority.