
CSS rsacert.pem file lost password

paul.pearston
Level 1

Hi,

I know this is a long shot, however:

I have a pair of CSS’s in an active/standby VRRP cluster. Both CSS switches have identical configurations with the exception of a VeriSign certificate which is only loaded on the master CSS. I’m trying to import the VeriSign certificate to the second CSS to provide full resilience; the trouble is that I don’t have the password to the RSA certificate key on the master CSS.

Here are some show outputs that perhaps explain this better:

CSS11501# sh ssl ass

Certificate Name   File Name           Used by List
----------------   ---------           ------------
clientrsacert      clientrsacert.txt   yes
clientrsakey       clientcert.txt      no

RSA Key Name       File Name           Used by List
------------       ---------           ------------
clientrsakey       client.pem          yes

DH Param Name      File Name           Used by List
-------------      ---------           ------------

DSA Key Name       File Name           Used by List
------------       ---------           ------------

I have the password for the clientrsacert file, which contains the signed certificate; however, I don’t have the password for the RSA key file and therefore cannot transfer this to the other CSS. I’m assuming that the RSA key pair used to generate the CSR is required?

Any advice on what I should do next would be greatly appreciated.

TIA,

Paul

1 Reply

pgolding
Level 1

Paul,

As the Americans say, "you are hosed". If the original key was generated on the CSS and the hashing password is lost, there is no way to get the key. The solution is to generate a new keypair and CSR, have your CA sign the new CSR, then import the new cert to each CSS. You can also export the new keypair from one and import to the other, as you will know the passphrase used for this key.

Peter
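The re-key procedure from the reply above, as an added example that is not part of either post and is not Cisco's own procedure: it assumes the new key pair and CSR are generated off-box with OpenSSL rather than on the CSS, and it checks that the recorded passphrase really unlocks the key and that the CSR belongs to that key before anything is sent to the CA. File names, the subject name and the passphrases are constructed; the import onto each CSS is not shown.

```shell
#!/bin/sh
# Added example (assumption: OpenSSL on an admin workstation, not the CSS CLI).
# The passphrase is read from the KEY_PASS environment variable so that it
# never appears on a command line. All names and values are constructed.

# Create a passphrase-protected RSA key and a CSR for it in directory $1.
make_key_and_csr() {
    openssl genrsa -aes256 -passout env:KEY_PASS \
        -out "$1/new.key.pem" 2048 2>/dev/null &&
    openssl req -new -key "$1/new.key.pem" -passin env:KEY_PASS \
        -subj "/CN=www.example.com" -out "$1/new.csr.pem"
}

# Succeed only if the passphrase in KEY_PASS decrypts key file $1.
key_unlocks() {
    openssl rsa -in "$1" -passin env:KEY_PASS -noout 2>/dev/null
}

# Succeed only if key $1 and CSR $2 carry the same RSA modulus,
# i.e. the CSR (and the certificate the CA issues from it) belongs to this key.
csr_matches_key() {
    k=$(openssl rsa -in "$1" -passin env:KEY_PASS -noout -modulus 2>/dev/null |
        openssl dgst -sha256)
    c=$(openssl req -in "$2" -noout -modulus | openssl dgst -sha256)
    [ "$k" = "$c" ]
}

demo() {
    work=$(mktemp -d) || return 1
    KEY_PASS='constructed-passphrase-1'; export KEY_PASS
    make_key_and_csr "$work" || return 1
    key_unlocks "$work/new.key.pem" && echo "recorded passphrase unlocks the key"
    csr_matches_key "$work/new.key.pem" "$work/new.csr.pem" &&
        echo "CSR matches the key"
    # Same situation as the thread: without the right passphrase the
    # encrypted key file cannot be used or moved to the second unit.
    KEY_PASS='wrong-guess'
    key_unlocks "$work/new.key.pem" || echo "wrong passphrase: key stays locked"
    rm -rf "$work"
}
demo
```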
