How to Fix “OpenSSL ASN1_CHECK_TLEN:wrong tag” Error When Extracting Certificates from Cisco ASA PKCS12 Files


When working with Cisco ASA firewalls (particularly 55xx series), you might encounter this frustrating OpenSSL error when trying to extract certificates from PKCS12 files:

error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:tasn_dec.c:1319:
error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:tasn_dec.c:381:Type=PKCS12

The root cause typically stems from how Cisco ASA handles PKCS12 exports. The firewall adds some proprietary formatting that OpenSSL doesn't recognize as valid ASN.1 encoding. Here's what I've found through troubleshooting multiple ASA devices:

  1. The exported file might contain invisible characters or improper line endings
  2. The ASA sometimes includes non-standard headers in the PKCS12 structure
  3. Certain ASA firmware versions produce malformed exports

Try this reliable method that has worked across multiple ASA models (5510, 5520, 5540):

# First verify the file contains data
file cisco-vpn.pkcs12
head -n 5 cisco-vpn.pkcs12

# Keep a copy before editing in place
cp cisco-vpn.pkcs12 cisco-vpn.pkcs12.orig

# Clean the file if needed (remove empty lines, headers)
sed -i '/^$/d' cisco-vpn.pkcs12
# Remove the first line only if it is a header, i.e. not a base64 data line
sed -i '1{\,^[A-Za-z0-9+/=]*$,!d}' cisco-vpn.pkcs12

# Extract private key (will prompt for export password)
openssl pkcs12 -in cisco-vpn.pkcs12 -nocerts -out privateKey.pem

# For systems requiring unencrypted keys (like Zimbra); prompts for the PEM pass phrase set above
openssl rsa -in privateKey.pem -out key_no_pass.txt

If the above fails, try these methods:

Method 1: ASDM Export
Sometimes the GUI export works better than CLI:

  1. Navigate to Configuration > Remote Access VPN > Certificate Management
  2. Select your certificate and choose "Export"
  3. Use PKCS12 format with password protection

Method 2: Certificate Chain Reconstruction
If you can't extract directly, rebuild from components:

# First get the certificate
openssl pkcs12 -in cisco-vpn.pkcs12 -clcerts -nokeys -out cert.pem

# Then extract CA certificates
openssl pkcs12 -in cisco-vpn.pkcs12 -cacerts -nokeys -out ca.pem

# Finally extract the key (may still require cleaning)
openssl pkcs12 -in cisco-vpn.pkcs12 -nocerts -out key.pem

  • Always back up your original PKCS12 file before manipulation
  • ASA firmware versions 8.4+ tend to have better PKCS12 export reliability
  • For Zimbra compatibility, you'll need to remove the password as shown above
  • Consider using base64 -d if your export appears to be base64-encoded

When working with Cisco ASA firewalls (particularly older models like ASA 5510), you might encounter ASN1 parsing errors when trying to extract certificates using OpenSSL. Here's what typically happens:

# Original export command on ASA
crypto ca export MYTRUSTSTORE pkcs12 MYPASSWORD

# Common OpenSSL error when parsing
139708630054816:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:tasn_dec.c:1319:
139708630054816:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:tasn_dec.c:381:Type=PKCS12

The issue typically stems from one of these factors:

  • The PKCS12 file contains extraneous data (like empty lines or CLI output artifacts)
  • The file encoding got corrupted during transfer
  • The ASA's PKCS12 implementation has compatibility quirks with modern OpenSSL

Here's the step-by-step solution that has worked across multiple ASA models:

# 1. First verify the file isn't corrupted (and whether it is text or binary DER)
file cisco-vpn.pkcs12.bin

# 2. Convert line endings if needed (especially if transferred via FTP).
#    Only for a text (base64) capture: dos2unix would corrupt a binary DER file.
file cisco-vpn.pkcs12.bin | grep -q text && dos2unix cisco-vpn.pkcs12.bin

# 3. Extract private key (will prompt for export password)
openssl pkcs12 -in cisco-vpn.pkcs12.bin -nocerts -out privateKey.pem

# 4. Remove password if needed (for Zimbra compatibility shown in OP)
openssl rsa -in privateKey.pem -out key_no_pass.txt

# 5. Extract certificate
openssl pkcs12 -in cisco-vpn.pkcs12.bin -clcerts -nokeys -out cert.pem

For particularly stubborn cases, try these additional steps:

# Inspect raw ASN1 structure
openssl asn1parse -in cisco-vpn.pkcs12.bin -inform DER -i

# Alternative extraction method (-nodes writes the key unencrypted; drop 2>/dev/null to see why a failure occurred)
openssl pkcs12 -in cisco-vpn.pkcs12.bin -nodes -nocerts -out key.pem 2>/dev/null

Remember that newer versions of OpenSSL (1.1.1+) have stricter parsing than older versions. If possible, test with different OpenSSL versions.

When automating this process:

  • Always verify the extracted key/cert pair matches what's on the ASA
  • Consider using expect scripts to handle password prompts
  • For high-security environments, avoid removing private key passwords
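Both answers above come down to the same clean-up: the capture of the ASA export is text (base64 between -----BEGIN PKCS12----- and -----END PKCS12----- lines, CRLF endings, CLI banner and prompt lines around it), while openssl pkcs12 reads DER and reports ASN1_CHECK_TLEN "wrong tag" as soon as it is handed text. The script below is an added example, not code from either answer: it classifies a capture, strips armor and CLI noise, base64-decodes, then repeats the outer ASN.1 check OpenSSL makes before writing a .p12 that the openssl commands from the answers can read. The capture and the PFX byte string are constructed for the example (the PFX stub is only the outer structure, not a loadable PKCS12), and the file names are assumptions.

```python
"""Turn a Cisco ASA `crypto ca export ... pkcs12` terminal capture into the
DER file that `openssl pkcs12` expects, and say why the raw capture fails.
Added example: the capture and PFX bytes below are constructed, not real."""
import base64
import re
import shutil
import subprocess
import sys

BEGIN = b"-----BEGIN PKCS12-----"
END = b"-----END PKCS12-----"

# Constructed stand-in for the outer PKCS#12 PFX structure (RFC 7292 s.4):
# SEQUENCE { INTEGER 3, SEQUENCE { OID id-data } }. Not loadable by OpenSSL,
# just enough DER to exercise the structural check below.
PFX_STUB = bytes.fromhex("3010020103300b06092a864886f70d010701")

# Constructed capture in the shape an ASA CLI session produces: prompt, banner,
# CRLF line endings, base64 body between armor lines, trailer, prompt again.
ASA_CAPTURE = (
    b"asa# crypto ca export MYTRUSTSTORE pkcs12 MYPASSWORD\r\n"
    b"Exported pkcs12 follows:\r\n\r\n"
    b"-----BEGIN PKCS12-----\r\n"
    b"MBACAQMwCwYJKoZIhvcNAQcB\r\n"      # base64 of PFX_STUB
    b"-----END PKCS12-----\r\n\r\n"
    b"---End - This line not part of the pkcs12---\r\n"
    b"asa#\r\n"
)


def classify(raw: bytes) -> str:
    """'pem' (armored), 'base64' (armor already stripped), 'der', or 'unknown'."""
    if BEGIN in raw and END in raw:
        return "pem"
    body = b"".join(raw.split())              # drop CR, LF, blank lines, indentation
    if body and re.fullmatch(rb"[A-Za-z0-9+/]+={0,2}", body):
        return "base64"
    if raw[:1] == b"\x30":                    # DER SEQUENCE tag: openssl reads this as-is
        return "der"
    return "unknown"


def to_der(raw: bytes) -> bytes:
    """Strip CLI noise and armor, normalise line endings, base64-decode."""
    kind = classify(raw)
    if kind == "der":
        return raw
    if kind == "pem":
        body = raw[raw.index(BEGIN) + len(BEGIN):raw.index(END)]
    elif kind == "base64":
        body = raw
    else:
        raise ValueError("capture is neither DER, PKCS12-armored nor bare base64")
    return base64.b64decode(b"".join(body.split()), validate=True)


def check_pfx_outer(der: bytes) -> tuple:
    """Re-do the check behind the ASN1_CHECK_TLEN error on the outer TLV: the
    tag must be SEQUENCE, its definite length must cover the whole buffer,
    and the first element must be INTEGER 3 (the PFX version)."""
    if len(der) < 2:
        return False, "too short to hold a TLV"
    if der[0] != 0x30:
        return False, "outer tag 0x%02x is not SEQUENCE (0x30): 'wrong tag'" % der[0]
    if der[1] < 0x80:                          # short-form length
        length, hdr = der[1], 2
    else:                                      # long form: 0x8n then n length bytes
        n = der[1] & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            return False, "malformed long-form length"
        length, hdr = int.from_bytes(der[2:2 + n], "big"), 2 + n
    if hdr + length != len(der):
        return False, "SEQUENCE declares %d bytes but %d follow (truncated or padded?)" % (
            length, len(der) - hdr)
    if der[hdr:hdr + 3] != b"\x02\x01\x03":
        return False, "first element is not INTEGER 3 (PFX version)"
    return True, "PKCS#12 PFX v3, %d bytes DER" % len(der)


def convert_file(src: str, dst: str) -> str:
    """Normalise the capture at src into DER at dst; return the verdict string."""
    with open(src, "rb") as f:
        der = to_der(f.read())
    ok, why = check_pfx_outer(der)
    if not ok:
        raise ValueError(why)
    with open(dst, "wb") as f:
        f.write(der)
    return why


if __name__ == "__main__":
    if len(sys.argv) == 3:                     # usage: asa_p12.py capture.txt out.p12
        print(convert_file(sys.argv[1], sys.argv[2]))
        if shutil.which("openssl"):            # the commands from the answers now work on DER
            subprocess.run(["openssl", "pkcs12", "-in", sys.argv[2], "-info", "-noout"])
    else:                                      # self-check on the constructed capture
        print(classify(ASA_CAPTURE), check_pfx_outer(to_der(ASA_CAPTURE)))
        print(check_pfx_outer(b"MBACAQMwCwYJKoZIhvcNAQcB"))   # text fed to a DER parser
```

Run it as python asa_p12.py capture.txt cisco-vpn.p12 on a saved session log, then use the openssl pkcs12 commands from the answers above on cisco-vpn.p12; with no arguments it checks the constructed sample. The check_pfx_outer verdict separates the two failure modes the answers list: an outer tag of 0x4d (the letter M) means text was handed to the DER parser, a length mismatch means the transfer truncated or padded the blob.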