topic Re: Questions - crypto key zeroize rsa in Network Security

Questions - crypto key zeroize rsa

N3t W0rK3r — Fri, 21 Feb 2020 16:12:43 GMT

I would like to remove the Default-RSA-Key from my HA ASA 5525-X with FirePower, as it was only created with 1024 bits, but I have a few questions...

If I use the command "crypto key zeroize rsa" will all the keys get removed or just the default? (I do not want to remove the other keys.)
When I issue this command from within an SSH session, will my session get terminated? If so, can this be done safely from the ASDM at all?
We have an HA A/S pair, so will this change get replicated to the standby unit or do I need to manually run this command on the standby unit as well?
Once the default key is removed, can the existing HSN_ASA key (see below) be used for SSH sessions?

Here are my current RSA keys:

asa/act# sh crypto key mypubkey rsa

Key pair was generated at: 08:10:21 EDT May 8 2018
Key name: <Default-RSA-Key>
Usage: General Purpose Key
Modulus Size (bits): 1024
Storage: config
Key Data:
***

Key pair was generated at: 14:48:38 EDT Aug 24 2018
Key name: HSN_ASA
Usage: General Purpose Key
Modulus Size (bits): 2048
Storage: config
Key Data:
***

Key pair was generated at: 14:57:49 EDT Aug 24 2018
Key name: HSN_ASA_ENC
Usage: Signature Key
Modulus Size (bits): 2048
Storage: config
Key Data:
***

Key pair was generated at: 14:57:49 EDT Aug 24 2018
Key name: HSN_ASA_ENC
Usage: Encryption Key
Modulus Size (bits): 2048
Storage: config
Key Data:
***

Key pair was generated at: 02:45:02 EDT Sep 6 2018
Key name: <Default-RSA-Key>.server
Usage: Encryption Key
Modulus Size (bits): 768
Storage: config
Key Data:
***

Thanks in advance.

John

Re: Questions - crypto key zeroize rsa

Rob Ingram — Fri, 07 Sep 2018 17:33:55 GMT

Hi John,

Yes, using the command "crypto key zeroize rsa" will remove all keys. This affects keys marked "Storage: config" which yours are. You could use the command "crypto key zeroize rsa label XXXX" to delete a specfic key or "crypto key zerorize rsa default" for the default key.

Sorry I don't 100% know the answers to your other questions and don't have a lab to test, hopefully someone else can help you further.

HTH

Re: Questions - crypto key zeroize rsa

N3t W0rK3r — Tue, 11 Sep 2018 13:00:21 GMT

Thanks for your reply.

So if I use the command crypto key zerorize rsa default to remove the defualt keys, I get the following warning...

WARNING: The default RSA key pair will be removed
WARNING: All device digital certificates issued using these keys will also be removed and
the associated trustpoints may not function correctly.

How can I check to see what certificates were issued with these keys so I can assess the impact to other services once the default keys are removed?

Thanks.

John