Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1953
Views
0
Helpful
3
Replies

PKI _SSL Certificate_ASA Firewlls_Private Key Information

Go to solution
NDP
Level 1
Level 1

‎05-17-2020 06:00 AM

recently uploaded a SSL  certificate(wildcard) on ASA Firewall issued by DigiCert. I got one SSL certificate , Intermediate CA and TrustedRoot certificate.

 

As far as I know, SSL certificate to function, Server ( in this case ASA) needs a private key to decrypt the data sent by client ( my laptop for ex). 

 

But, when I uploaded SSL certificate on to ASA Firewall, I didn't say any private key except the passphrase while importing it on ASA.

 

when browser hits "https://ASA IP"  address , browser would be given by SSL certificate which contains public Key. Browser now encrypts the ciphers information and symmetric key with public-key available in SSL certificate  and sends back to ASA FW IP.

 

How can ASA Firewall decrypts the message sent by broswer as I had never entered the private key . am I missing any point. 

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame
In response to NDP

‎05-18-2020 05:01 AM

It depends. some CAs allow the CSR generation using their tools. In those cases, the private key is retained for use cases just such as yours - to later distribute along with the certificate.

View solution in original post

0 Helpful
3 Replies 3

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame

‎05-17-2020 07:13 AM

If the ASA certificate chain was given to you with a passphrase, that generally indicates the associated key is included in the bundle. When you installed it, the ASA saved it along with everything else.

Both the key and certificate are each just a couple hundred bytes so it's easy enough to bundle them together in a passphrase-protected file.

0 Helpful

Go to solution
NDP
Level 1
Level 1
In response to Marvin Rhoads

‎05-17-2020 08:46 AM

if that's the case, CA should be knowing private key as well right. with the normal process, Certificate signing request won't contain private-key. 

I didn't create CSR. So, I am confused. 

0 Helpful

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame
In response to NDP

‎05-18-2020 05:01 AM

It depends. some CAs allow the CSR generation using their tools. In those cases, the private key is retained for use cases just such as yours - to later distribute along with the certificate.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card