Export Identity cert from FirePower to ASA

Najib Akbari
Level 1

Hi,

I used ASDM to export the Identity cert + private key from a Firepower 2310 (ASA mode), and when I import it to an ASA 5512 it gives an error:

[screenshot of the ASDM import error]

FP ASA version: 9.18(4)22

ASA 5512 version: 9.12(4)37


@Najib Akbari if the export completed successfully, perhaps there is a discrepancy between the newer and older ASA versions that prevents it from being imported successfully.

Import the file from the CLI on the 5512 using the command "crypto ca import <trustpoint> pkcs12 <passphrase>" - if that fails, enable crypto debugging, try again and provide the debug output. If the error on the CLI is more descriptive than the ASDM GUI, provide that error too.

I did, and it failed again. Here is the log I see with "debug crypto ca transactions" and "debug crypto ca mess 255":

CRYPTO_PKI: certificate contains 10 extensions.
CRYPTO_PKI: certificate contains extension OID:
2b 06 01 04 01 82 37 15 01
CRYPTO_PKI: certificate contains extension OID:
2b 06 01 04 01 82 37 15 02
CRYPTO_PKI: certificate contains extension OID:
55 1d 0e
CRYPTO_PKI: certificate contains extension OID:
55 1d 20
CRYPTO_PKI: certificate contains extension OID:
2b 06 01 04 01 82 37 14 02
CRYPTO_PKI: certificate contains extension OID:
55 1d 0f
CRYPTO_PKI: certificate contains extension OID:
55 1d 13
CRYPTO_PKI: certificate contains extension OID:
55 1d 23
CRYPTO_PKI: certificate contains extension OID:
55 1d 1f
CRYPTO_PKI: certificate contains extension OID:

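The hex strings in the debug output above are the DER content octets of each extension's OBJECT IDENTIFIER, which are hard to read by eye. The following Python is an added example, not code from the thread or from Cisco: it decodes the OIDs to dotted notation, labels them from a small lookup table (the RFC 5280 extension names, plus the Microsoft 1.3.6.1.4.1.311.* arc that Active Directory Certificate Services uses for its certificate-template and CA-version extensions), and compares the count the ASA announced ("contains 10 extensions") with the number actually decoded, so a cut-off paste like the one above is reported as a mismatch instead of being mistaken for the last extension. The sample input is the debug output copied from the post; the lookup-table names and the "(truncated)"/"(unknown)" labels are mine.

```python
import re
from typing import Iterable

# Names for the OIDs seen in the thread's debug output. 2.5.29.* are the RFC 5280
# certificate-extension OIDs; 1.3.6.1.4.1.311.* is Microsoft's private arc (AD CS).
KNOWN_OIDS = {
    "2.5.29.14": "subjectKeyIdentifier",
    "2.5.29.15": "keyUsage",
    "2.5.29.19": "basicConstraints",
    "2.5.29.31": "cRLDistributionPoints",
    "2.5.29.32": "certificatePolicies",
    "2.5.29.35": "authorityKeyIdentifier",
    "1.3.6.1.4.1.311.20.2": "Microsoft certificate template name",
    "1.3.6.1.4.1.311.21.1": "Microsoft CA version",
    "1.3.6.1.4.1.311.21.2": "Microsoft previous CA certificate hash",
}

HEADER_TAIL = "certificate contains extension OID:"
HEX_LINE = re.compile(r"[0-9a-fA-F]{2}( [0-9a-fA-F]{2})*")
COUNT_RE = re.compile(r"certificate contains (\d+) extensions")


def decode_oid(hex_bytes: str) -> str:
    """Decode DER OID content octets (tag/length already stripped, as the ASA
    prints them): "2b 06 01 04 01 82 37 15 01" -> "1.3.6.1.4.1.311.21.1"."""
    data = bytes.fromhex(hex_bytes)          # fromhex ignores the spaces
    if not data:
        raise ValueError("empty OID")
    if data[-1] & 0x80:
        raise ValueError("truncated OID: last byte has its continuation bit set")
    arcs, value = [], 0
    for b in data:
        value = (value << 7) | (b & 0x7F)    # base-128; high bit = more bytes follow
        if b & 0x80:
            continue
        if not arcs:
            first = min(value // 40, 2)      # first byte packs two arcs as 40*X + Y
            arcs.extend([first, value - 40 * first])
        else:
            arcs.append(value)
        value = 0
    return ".".join(str(a) for a in arcs)


def parse_debug_output(lines: Iterable[str]) -> list:
    """Pair each '... contains extension OID:' header with the hex line after it.
    A header with no hex line (paste stopped early) becomes a '(truncated)' entry."""
    results, pending = [], False
    truncated = {"hex": None, "oid": None, "name": "(truncated)"}
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if line.endswith(HEADER_TAIL):
            if pending:
                results.append(dict(truncated))
            pending = True
        elif pending and HEX_LINE.fullmatch(line):
            try:
                dotted = decode_oid(line)
                name = KNOWN_OIDS.get(dotted, "(unknown)")
            except ValueError:
                dotted, name = None, "(undecodable)"
            results.append({"hex": line, "oid": dotted, "name": name})
            pending = False
        else:
            if pending:
                results.append(dict(truncated))
            pending = False
    if pending:
        results.append(dict(truncated))
    return results


def summarize(lines: Iterable[str]) -> dict:
    """Check the extension count the ASA announced against what was decoded."""
    lines = list(lines)
    declared = next((int(m.group(1)) for m in map(COUNT_RE.search, lines) if m), None)
    entries = parse_debug_output(lines)
    decoded = [e for e in entries if e["oid"]]
    return {
        "declared": declared,
        "decoded": len(decoded),
        "truncated": len(entries) - len(decoded),
        "unknown": [e["oid"] for e in decoded if e["name"] == "(unknown)"],
        "complete": declared is not None and declared == len(decoded),
    }


# Debug output copied from the post above; its final header has no hex line after it.
SAMPLE_DEBUG = """\
CRYPTO_PKI: certificate contains 10 extensions.
CRYPTO_PKI: certificate contains extension OID:
2b 06 01 04 01 82 37 15 01
CRYPTO_PKI: certificate contains extension OID:
2b 06 01 04 01 82 37 15 02
CRYPTO_PKI: certificate contains extension OID:
55 1d 0e
CRYPTO_PKI: certificate contains extension OID:
55 1d 20
CRYPTO_PKI: certificate contains extension OID:
2b 06 01 04 01 82 37 14 02
CRYPTO_PKI: certificate contains extension OID:
55 1d 0f
CRYPTO_PKI: certificate contains extension OID:
55 1d 13
CRYPTO_PKI: certificate contains extension OID:
55 1d 23
CRYPTO_PKI: certificate contains extension OID:
55 1d 1f
CRYPTO_PKI: certificate contains extension OID:
"""

if __name__ == "__main__":
    for e in parse_debug_output(SAMPLE_DEBUG.splitlines()):
        print(f"{e['hex'] or '-':<28} {e['oid'] or '-':<24} {e['name']}")
    print(summarize(SAMPLE_DEBUG.splitlines()))
```

Run as a script it prints one row per extension. The nine that decode are all ordinary extensions (the Microsoft ones only say the certificate came from an AD CS template); the tenth is missing from the paste, so the summary reports declared 10 / decoded 9 and whatever the ASA logged after that point, including the actual import failure reason, is not in the thread.
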
Why do you want to do this?  Why not just re-issue/re-key the certificate?  Also why ASA and not FTD?

The cert is already active on 2x FP ASAs, and if I re-issue it then I have to do it on all devices. Also, for the second part, if you mean why not use the Firepower as FTD, the answer is that this is an old ASA 5500, not a Firepower, and I use it for a lab.

We have Firepowers that we particularly use as ASA AnyConnect VPN, and I am not familiar with FTD, whether that mode can also support VPN and be as reliable as ASA mode...
