Installing New SSL Certificates Using The CLI

Lots of internet pages explain how to install certificates on the ASA using the ASDM, but it can all be done just as easily using the CLI. Here are the steps to install a new certificate that was generated off-box. A typical scenario is that the old certificate is expiring and a new one needs to be added in its place.

1. Create a new trustpoint called New_Cert:

cry ca trustpoint New_Cert

2. Add a new certificate and private key at that trustpoint.

The easiest way to add the certificate and key is to create a pkcs12 bundle and add them at the same time.

The certificate and key files need to be in PEM format, and the bundle should be passphrase protected. Check this link for steps to create the bundle using openssl.

Add the file using this command:

crypto ca import New_Cert pkcs12 passphrase

This command is interactive. In this case, the string ‘passphrase’ is the actual passphrase that protects the PKCS#12 bundle, which the ASA needs in order to unlock the certificate and private key inside it. When prompted, paste in the PKCS#12 file encoded in Base64 format. End the input by typing ‘quit’ followed by Enter on a new line.

Openssl can also be used to generate the Base64 encoding. Check this link for details.
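Both of those openssl steps together, as an added example that is not part of the original post: it first checks that the PEM certificate and key really belong to each other (a mismatched pair is the usual reason an import fails), then builds the passphrase-protected PKCS#12 bundle and its Base64 encoding. The file names, the passphrase and the self-signed test certificate are assumptions made here for illustration.

```shell
#!/bin/sh
# Added example, not from the original post: build the passphrase-protected
# PKCS#12 bundle that "crypto ca import New_Cert pkcs12 <passphrase>" expects,
# after checking that the certificate and key actually belong together.
# File names and the passphrase are assumptions for illustration.
set -eu

# Print "match" and return 0 when the PEM certificate and PEM private key
# carry the same public key; otherwise print "mismatch" and return 1.
check_key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey)
    key_pub=$(openssl pkey -in "$2" -pubout)
    if [ "$cert_pub" = "$key_pub" ]; then echo match; return 0; fi
    echo mismatch; return 1
}

# Build <out>.p12 (binary) and <out>.p12.b64 (the Base64 text pasted at the
# ASA prompt) from the cert, its key and an optional intermediate-chain PEM.
# Prints how many end-entity certificates the finished bundle opens with.
build_pkcs12_bundle() {
    cert="$1"; key="$2"; chain="$3"; out="$4"; pass="$5"
    check_key_matches_cert "$cert" "$key" >/dev/null
    if [ -s "$chain" ]; then chain_opt="-certfile $chain"; else chain_opt=""; fi
    # shellcheck disable=SC2086  chain_opt is intentionally word-split
    openssl pkcs12 -export -in "$cert" -inkey "$key" $chain_opt \
        -name New_Cert -out "$out.p12" -passout "pass:$pass"
    openssl base64 -in "$out.p12" -out "$out.p12.b64"
    # Round-trip check: the bundle must open again with the same passphrase.
    openssl pkcs12 -in "$out.p12" -passin "pass:$pass" -nokeys -clcerts \
        | grep -c 'BEGIN CERTIFICATE'
}

# Constructed test material: a throwaway self-signed cert/key pair standing
# in for the CA-issued certificate, plus a second key that does NOT match.
make_test_material() {
    dir=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=vpn.example.com \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" 2>/dev/null
    openssl genpkey -algorithm RSA -out "$dir/wrongkey.pem" 2>/dev/null
    : > "$dir/chain.pem"
    echo "$dir"
}

# End-to-end run on the constructed material:  sh thisfile.sh demo
if [ "${1:-}" = "demo" ]; then
    d=$(make_test_material)
    build_pkcs12_bundle "$d/cert.pem" "$d/key.pem" "$d/chain.pem" "$d/New_Cert" 'S3cret-pass'
    echo "Paste $d/New_Cert.p12.b64 at the ASA prompt, then type quit."
fi
```

OpenSSL 3.x encrypts the bundle with AES and PBKDF2 by default; if the ASA rejects the import, re-export with `-legacy` (which needs the legacy provider loaded) to get the older RC2/3DES encoding.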

Once it’s been added successfully, you can confirm it with the command:

sh cry ca cert New_Cert

The output should include “Status: Available” as well as details of the certificate in the pkcs12 file matching that trustpoint.

3. Change the ASA config to use it.

On an existing firewall with AnyConnect configured you’d issue these commands, replacing whatever was there previously:

ssl trust-point New_Cert inside
ssl trust-point New_Cert inside vpnlb-ip
ssl trust-point New_Cert outside vpnlb-ip
ssl trust-point New_Cert outside