Using Ansible To Manage Trust-Point Certificates In Cisco ASA

For some time now, I was looking for a way to Integrate Let’s Encrypt (LE) with My Cisco ASA, and use LE to issue the certificates for the VPN. And now Ansible is in a good place with it’s Network Modules to allow this without much of a problem.

I won’t go over the procedure of how I issue/renew the certificates, I will just mention that I use the DNS alias option, as I find it the most useful option, as it doesn’t require me to punch holes in my firewall to allow incoming connection to validate the requests.

My Playbook looks like this,

# see:
# -
# -

- name: Config CiscoASA
  hosts: CiscoASA
  connection: network_cli
  gather_facts: false
  become: true
  become_method: enable
    ansible_user: ansible
    ansible_password: "in line or use vault!"
    cert_file: "vpn.pfx"
    cert_pass: "in line or use vault!"
    config_file: "asa.conf"


    - name: Get Certificate
        cert: >
          {{ (lookup('file', cert_file) | b64encode | regex_replace('(.{1,510})', '\1|')).split('|') | list }}

    - name: Create A TrustPoint
          - crypto ca trustpoint SSL-Trustpoint-Ansible
          - enrollment terminal

    - name: Import A New Certificate Into The TrustPoint
        replace: block
        parents: "crypto ca import SSL-Trustpoint-Ansible pkcs12 {{ cert_pass }} nointeractive"
        lines: "{{ cert }}"
        - Set SSL Trust-Point


    - name: Set SSL Trust-Point
        save: true
          - ssl trust-point SSL-Trustpoint-Ansible inside
          - ssl trust-point SSL-Trustpoint-Ansible outside


You may also like...

Leave a Reply

Your email address will not be published. Required fields are marked *