https://community.cisco.com/t5/network-security/ssl-certificate-on-asa-how-can-i-see-it-and-update-it-via-cli/m-p/2893345#M162957 <P>Did you configure one certificate by <G class="gr_ gr_14 gr-alert gr_gramm undefined Punctuation multiReplace" id="14" data-gr-id="14">yourself.</G> <G class="gr_ gr_13 gr-alert gr_gramm undefined Punctuation multiReplace" id="13" data-gr-id="13">In that case</G> it should have been there.<BR />If you do not see any <G class="gr_ gr_16 gr-alert gr_spell undefined ContextualSpelling ins-del multiReplace" id="16" data-gr-id="16">trustpoint</G> config in the output of "show run | in crypto" then there might not be any certificate configured manually.<BR /><BR />I'd like to inform you that ASA randomly generates a self-signed certificate after each reboot and uses it in SSL communication if you do not configure one by yourself. This is not part of the configuration though but if you https into the <G class="gr_ gr_19 gr-alert gr_gramm undefined Punctuation multiReplace" id="19" data-gr-id="19">ASA ,</G> it shows that certificate error and states that it is not trusted since it is self-signed.</P> <P>Looks like you <G class="gr_ gr_35 gr-alert gr_spell undefined ContextualSpelling ins-del multiReplace" id="35" data-gr-id="35">dont</G> have any <G class="gr_ gr_63 gr-alert gr_spell undefined ContextualSpelling ins-del multiReplace" id="63" data-gr-id="63">trustpoint</G> configured as in the above command output:<BR /><EM><STRONG>No SSL trust-points configured</STRONG></EM></P> <P>Regards,<BR />Dinesh Moudgil</P> <P>P.S. Please rate helpful posts.</P> Tue, 08 Mar 2016 17:15:58 GMT Dinesh Moudgil 2016-03-08T17:15:58Z https://community.cisco.com/t5/network-security/ssl-certificate-on-asa-how-can-i-see-it-and-update-it-via-cli/m-p/2893341#M162917 <P>I cannot find the self signed certificate via CLI on my ASA. How can I see it and possibly update it. Is this done strictly through ASDM?</P> <P></P> <P>FW# sh ssl<BR />Accept connections using TLSv1 and negotiate to TLSv1<BR />Start connections using TLSv1 and negotiate to TLSv1<BR />Enabled cipher order: aes128-sha1 aes256-sha1<BR />Disabled ciphers: 3des-sha1 des-sha1 rc4-md5 rc4-sha1 null-sha1<BR />No SSL trust-points configured<BR />Certificate authentication is not enabled</P> <P></P> <P>FW# sh crypto ca server</P> <P>ERROR: Cannot find Certificate Server</P> <P></P> <P>FW# sh crypto key mypubkey rsa<BR />Key pair was generated at: 10:32:10 GMT Mar 7 2016<BR />Key name: &lt;Default-RSA-Key&gt;<BR />Usage: General Purpose Key<BR />Modulus Size (bits): 2048<BR />Key Data:</P> Tue, 12 Mar 2019 07:27:20 GMT https://community.cisco.com/t5/network-security/ssl-certificate-on-asa-how-can-i-see-it-and-update-it-via-cli/m-p/2893341#M162917 tiki_turtle 2019-03-12T07:27:20Z https://community.cisco.com/t5/network-security/ssl-certificate-on-asa-how-can-i-see-it-and-update-it-via-cli/m-p/2893342#M162931 <P>"show crypto ca certificate" shall address your query.</P> <P>Regards,<BR />Dinesh Moudgil</P> <P>P.S. Please rate helpful posts.</P> Tue, 08 Mar 2016 16:44:30 GMT https://community.cisco.com/t5/network-security/ssl-certificate-on-asa-how-can-i-see-it-and-update-it-via-cli/m-p/2893342#M162931 Dinesh Moudgil 2016-03-08T16:44:30Z https://community.cisco.com/t5/network-security/ssl-certificate-on-asa-how-can-i-see-it-and-update-it-via-cli/m-p/2893343#M162942 <P>Here is a document for how to configure self signed ID cert</P> <P>https://supportforums.cisco.com/document/44116/asa-self-signed-certificate-webvpn</P> <P>http://www.cisco.com/c/en/us/td/docs/security/asdm/identity-cert/cert-install.html</P> <P>Regards,<BR />Dinesh Moudgil</P> <P>P.S. Please rate helpful posts.</P> Tue, 08 Mar 2016 16:46:03 GMT https://community.cisco.com/t5/network-security/ssl-certificate-on-asa-how-can-i-see-it-and-update-it-via-cli/m-p/2893343#M162942 Dinesh Moudgil 2016-03-08T16:46:03Z https://community.cisco.com/t5/network-security/ssl-certificate-on-asa-how-can-i-see-it-and-update-it-via-cli/m-p/2893344#M162952 <P>Thanks Dinesh,</P> <P>The output of the command shows nothing. I don't get how one could exist if I cannot see it on the CLI...but yet one can be seen when https://firewall_IP</P> <P></P> <P>FW# sh crypto ca certificates<BR />FW#</P> Tue, 08 Mar 2016 17:08:48 GMT https://community.cisco.com/t5/network-security/ssl-certificate-on-asa-how-can-i-see-it-and-update-it-via-cli/m-p/2893344#M162952 tiki_turtle 2016-03-08T17:08:48Z https://community.cisco.com/t5/network-security/ssl-certificate-on-asa-how-can-i-see-it-and-update-it-via-cli/m-p/2893345#M162957 <P>Did you configure one certificate by <G class="gr_ gr_14 gr-alert gr_gramm undefined Punctuation multiReplace" id="14" data-gr-id="14">yourself.</G> <G class="gr_ gr_13 gr-alert gr_gramm undefined Punctuation multiReplace" id="13" data-gr-id="13">In that case</G> it should have been there.<BR />If you do not see any <G class="gr_ gr_16 gr-alert gr_spell undefined ContextualSpelling ins-del multiReplace" id="16" data-gr-id="16">trustpoint</G> config in the output of "show run | in crypto" then there might not be any certificate configured manually.<BR /><BR />I'd like to inform you that ASA randomly generates a self-signed certificate after each reboot and uses it in SSL communication if you do not configure one by yourself. This is not part of the configuration though but if you https into the <G class="gr_ gr_19 gr-alert gr_gramm undefined Punctuation multiReplace" id="19" data-gr-id="19">ASA ,</G> it shows that certificate error and states that it is not trusted since it is self-signed.</P> <P>Looks like you <G class="gr_ gr_35 gr-alert gr_spell undefined ContextualSpelling ins-del multiReplace" id="35" data-gr-id="35">dont</G> have any <G class="gr_ gr_63 gr-alert gr_spell undefined ContextualSpelling ins-del multiReplace" id="63" data-gr-id="63">trustpoint</G> configured as in the above command output:<BR /><EM><STRONG>No SSL trust-points configured</STRONG></EM></P> <P>Regards,<BR />Dinesh Moudgil</P> <P>P.S. Please rate helpful posts.</P> Tue, 08 Mar 2016 17:15:58 GMT https://community.cisco.com/t5/network-security/ssl-certificate-on-asa-how-can-i-see-it-and-update-it-via-cli/m-p/2893345#M162957 Dinesh Moudgil 2016-03-08T17:15:58Z https://community.cisco.com/t5/network-security/ssl-certificate-on-asa-how-can-i-see-it-and-update-it-via-cli/m-p/2893346#M162966 <P>Thanks Dinesh - I will &nbsp;look a the documentation&nbsp;</P> Tue, 08 Mar 2016 18:15:48 GMT https://community.cisco.com/t5/network-security/ssl-certificate-on-asa-how-can-i-see-it-and-update-it-via-cli/m-p/2893346#M162966 tiki_turtle 2016-03-08T18:15:48Z