https://community.cisco.com/t5/network-security/vpn3000-with-certificate-backup/m-p/81597#M1062954 <P>Hi there,</P><P></P><P>can somebody tell me if it´s possible to backup a vpn3000 config and its certificate/generated keys in case of hardware failure. If not i have to generate new keys, get a new certificate and tell this all my clients, routers, firewalls ? (which sounds horrible!).</P><P>Regards,</P><P>Thomas</P> Fri, 21 Feb 2020 06:17:29 GMT tschlottke 2020-02-21T06:17:29Z https://community.cisco.com/t5/network-security/vpn3000-with-certificate-backup/m-p/81597#M1062954 <P>Hi there,</P><P></P><P>can somebody tell me if it´s possible to backup a vpn3000 config and its certificate/generated keys in case of hardware failure. If not i have to generate new keys, get a new certificate and tell this all my clients, routers, firewalls ? (which sounds horrible!).</P><P>Regards,</P><P>Thomas</P> Fri, 21 Feb 2020 06:17:29 GMT https://community.cisco.com/t5/network-security/vpn3000-with-certificate-backup/m-p/81597#M1062954 tschlottke 2020-02-21T06:17:29Z https://community.cisco.com/t5/network-security/vpn3000-with-certificate-backup/m-p/81598#M1062955 <HTML><HEAD></HEAD><BODY><P>Correct me if I am wrong but I think it is not possible to backup the private key generated by the failure hardware, be it VPN3000, routers or PIXes. Because it is always hidden and can`t be viewed from the menu or console. I don`t see any menu on the VPN3000, to backup its own private key. Even if you have the VPN3000`s certificate, seems like it is not possible to restore it. So, the new hardware replacing the failure one has to genereate a new private key and get a public key certified by its trusted root CA. One doesn`t need to announce this new certificate to all clients of the new hardware (routers, firewalls). If there is a need to create a VPN tunnel between the new hardware and the other side, the two VPN devices will authenticate themself using the certificates. If the peer`s certificate issued by its trusted CA, then the device will trust the certifcate (and vice-versa) and continue to the next phase of negotiation. </P><P></P><P>Regards,</P></BODY></HTML> Wed, 09 Oct 2002 07:05:20 GMT https://community.cisco.com/t5/network-security/vpn3000-with-certificate-backup/m-p/81598#M1062955 engel 2002-10-09T07:05:20Z https://community.cisco.com/t5/network-security/vpn3000-with-certificate-backup/m-p/81599#M1062957 <HTML><HEAD></HEAD><BODY><P>Hello Thomas,</P><P></P><P>It is possible to manually backup the certificates with private keys from the VPN3k web-interface.</P><P></P><P>1. Log into the web-administration</P><P>2. Navigate to Administration-&gt;Certificate Management</P><P>3. Select Export for the certificate you wish to backup.</P><P>4. The VPN3k will request a password to encrypt the prifvate RSA key.</P><P>5. When you enter the password and click export the certificate and key will be saved as CERTEXP.TXT on the VPN3K flash and it will try to popup a window showing the data.&nbsp; Copy this data and store it somewhere, remember the key</P><P></P><P>That exported certificate can be imported to the VPN3k Via the Certificate Management-&gt;Installation section using the Import SSL certificate with private key link.</P><P></P><P>The export/import format that the VPN3k uses is not a standard PKCS12, it is a PKCS8 encrypted private key in Base64 with the X509 certificate in base64 encoding.</P><P></P><P>I don't think the XML Export option gives you the certificates, so to have a full backup you would need both items.</P><P></P><P>I hope this helps,<BR />Craig</P></BODY></HTML> Fri, 17 Dec 2010 22:21:13 GMT https://community.cisco.com/t5/network-security/vpn3000-with-certificate-backup/m-p/81599#M1062957 Craig Lorentzen 2010-12-17T22:21:13Z