09-07-2018 08:54 AM - edited 02-21-2020 08:12 AM
I would like to remove the Default-RSA-Key from my HA ASA 5525-X with FirePower, as it was only created with 1024 bits, but I have a few questions...
Here are my current RSA keys:
asa/act# sh crypto key mypubkey rsa
Key pair was generated at: 08:10:21 EDT May 8 2018
Key name: <Default-RSA-Key>
Usage: General Purpose Key
Modulus Size (bits): 1024
Storage: config
Key Data:
***
Key pair was generated at: 14:48:38 EDT Aug 24 2018
Key name: HSN_ASA
Usage: General Purpose Key
Modulus Size (bits): 2048
Storage: config
Key Data:
***
Key pair was generated at: 14:57:49 EDT Aug 24 2018
Key name: HSN_ASA_ENC
Usage: Signature Key
Modulus Size (bits): 2048
Storage: config
Key Data:
***
Key pair was generated at: 14:57:49 EDT Aug 24 2018
Key name: HSN_ASA_ENC
Usage: Encryption Key
Modulus Size (bits): 2048
Storage: config
Key Data:
***
Key pair was generated at: 02:45:02 EDT Sep 6 2018
Key name: <Default-RSA-Key>.server
Usage: Encryption Key
Modulus Size (bits): 768
Storage: config
Key Data:
***
Thanks in advance.
John
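The following is an added example, not part of the thread and not Cisco tooling: a Python script that parses `show crypto key mypubkey rsa` output in the format posted above and lists the key pairs whose modulus is below a minimum size. The 2048-bit default threshold and the function names are assumptions; the sample input is three of the five entries from the listing above.

```python
# Three entries copied from the listing in the post above (key data redacted as "***").
SAMPLE = """\
Key pair was generated at: 08:10:21 EDT May 8 2018
Key name: <Default-RSA-Key>
Usage: General Purpose Key
Modulus Size (bits): 1024
Storage: config
Key Data:
***
Key pair was generated at: 14:57:49 EDT Aug 24 2018
Key name: HSN_ASA_ENC
Usage: Signature Key
Modulus Size (bits): 2048
Storage: config
Key Data:
***
Key pair was generated at: 02:45:02 EDT Sep 6 2018
Key name: <Default-RSA-Key>.server
Usage: Encryption Key
Modulus Size (bits): 768
Storage: config
Key Data:
***
"""

# Output labels mapped to the dictionary keys used below.
FIELDS = {"Key pair was generated at": "generated", "Key name": "name",
          "Usage": "usage", "Modulus Size (bits)": "bits", "Storage": "storage"}

def parse_keys(text):
    """Return one dict per key pair; the "generated at" line starts a new record."""
    keys = []
    for line in text.splitlines():
        label, sep, value = line.strip().partition(":")
        field = FIELDS.get(label.strip())
        if not sep or field is None:
            continue  # prompt lines, "Key Data:" and the key material itself
        if field == "generated" or not keys:
            keys.append({})
        keys[-1][field] = int(value) if field == "bits" else value.strip()
    return keys

def weak_keys(keys, min_bits=2048):
    """Key pairs below min_bits (assumed policy threshold, adjust as needed)."""
    return [k for k in keys if k.get("bits", 0) < min_bits]

if __name__ == "__main__":
    for k in weak_keys(parse_keys(SAMPLE)):
        print(f'{k["name"]}: {k["bits"]} bits, {k["usage"]}')
```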
09-07-2018 10:31 AM - edited 09-07-2018 10:33 AM
Hi John,
Yes, using the command "crypto key zeroize rsa" will remove all keys. This affects keys marked "Storage: config", which yours are. You could use the command "crypto key zeroize rsa label XXXX" to delete a specific key or "crypto key zeroize rsa default" for the default key.
Sorry I don't 100% know the answers to your other questions and don't have a lab to test, hopefully someone else can help you further.
HTH
09-11-2018 06:00 AM
Thanks for your reply.
So if I use the command crypto key zeroize rsa default to remove the default keys, I get the following warning...
WARNING: The default RSA key pair will be removed
WARNING: All device digital certificates issued using these keys will also be removed and
the associated trustpoints may not function correctly.
How can I check to see what certificates were issued with these keys so I can assess the impact to other services once the default keys are removed?
Thanks.
John