Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
5276
Views
0
Helpful
3
Replies

Backup & Restore keys

Gordon Ross
Level 9
Level 9

‎06-26-2011 02:33 PM - edited ‎03-11-2019 01:50 PM

How do you backup & restore the crypto keys on an ASA ?

GTG

Please rate all helpful posts.
Labels:
0 Helpful
3 Replies 3

Allen P Chen
Level 5
Level 5

‎06-26-2011 03:48 PM

Hello,

You can use the "crypto ca export/import" commands to export and restore crypto keys.

http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/c5.html#wp2224326

http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/c5.html#wp2224488

Hope this helps.

0 Helpful

Gordon Ross
Level 9
Level 9
In response to Allen P Chen

‎06-26-2011 09:57 PM

asa1# sh crypto key mypubkey rsa

Key name: blah

Usage: General Purpose Key

Modulus Size (bits): 2048

Key Data:

.....

asa1#conf t

asa1(config)# crypto ca export blah identity-certificate

ERROR: The trustpoint does not exist

:-(

Please rate all helpful posts.
0 Helpful

Allen P Chen
Level 5
Level 5
In response to Gordon Ross

‎06-27-2011 10:37 AM

Hello,

I apologize for the confusion, I thought your keys were associated with a trustpoint already.  On the ASA, you will not be able to keys directly.  You will need to put your rsa key into a trustpoint first.  You can then export the certificates + key in a pkcs12 and then extract the key from it using something like openssl.

For example, I have created a key on my ASA called testkey and have exported it below:

GENERTATING KEY...

asa(config)#  crypto key generate rsa label testkey mod 1024

MAKING DUMMY TRUSTPOINT...

asa(config)#  crypto ca trust dummy

asa(config-ca-trustpoint)# keypair testkey

EXPORTING KEY...

asa(config)# crypto ca export dummy pkcs12 cisco123

WARNING: Temporary self-signed certificate is being generated to export the keypair since an associated ID certificate is not available.

Hope this helps.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card