Questions - crypto key zeroize rsa

N3t W0rK3r
Level 3

I would like to remove the Default-RSA-Key from my HA ASA 5525-X with FirePower, as it was only created with 1024 bits, but I have a few questions...

  1. If I use the command "crypto key zeroize rsa" will all the keys get removed or just the default?  (I do not want to remove the other keys.)
  2. When I issue this command from within an SSH session, will my session get terminated?  If so, can this be done safely from the ASDM at all?
  3. We have an HA A/S pair, so will this change get replicated to the standby unit or do I need to manually run this command on the standby unit as well?
  4. Once the default key is removed, can the existing HSN_ASA key (see below) be used for SSH sessions?

Here are my current RSA keys:

asa/act# sh crypto key mypubkey rsa

Key pair was generated at: 08:10:21 EDT May 8 2018
Key name: <Default-RSA-Key>
Usage: General Purpose Key
Modulus Size (bits): 1024
Storage: config
Key Data:
***

Key pair was generated at: 14:48:38 EDT Aug 24 2018
Key name: HSN_ASA
Usage: General Purpose Key
Modulus Size (bits): 2048
Storage: config
Key Data:
***

Key pair was generated at: 14:57:49 EDT Aug 24 2018
Key name: HSN_ASA_ENC
Usage: Signature Key
Modulus Size (bits): 2048
Storage: config
Key Data:
***

Key pair was generated at: 14:57:49 EDT Aug 24 2018
Key name: HSN_ASA_ENC
Usage: Encryption Key
Modulus Size (bits): 2048
Storage: config
Key Data:
***

Key pair was generated at: 02:45:02 EDT Sep 6 2018
Key name: <Default-RSA-Key>.server
Usage: Encryption Key
Modulus Size (bits): 768
Storage: config
Key Data:
***

Thanks in advance.

John
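A small inventory script, added here as an illustration and not taken from the thread or from Cisco: it parses the "show crypto key mypubkey rsa" listing format shown above, flags every key pair whose modulus is below a policy threshold, and suggests the narrowest removal form for each (the "default" and "label" variants of the zeroize command) so the bare command that wipes every pair is never needed. The sample output is constructed from the listing in the question with the key material replaced by ***; the 2048-bit threshold and the assumption that the default pair and its ".server" companion share the "<Default-RSA-Key>" prefix are this example's own, not something the ASA reports.

```python
"""Parse ASA 'show crypto key mypubkey rsa' output and flag weak RSA key pairs."""
import re
from dataclasses import dataclass

# Constructed sample modelled on the listing in the question; key material replaced by ***.
SAMPLE_OUTPUT = """\
Key pair was generated at: 08:10:21 EDT May 8 2018
Key name: <Default-RSA-Key>
Usage: General Purpose Key
Modulus Size (bits): 1024
Storage: config
Key Data:
***

Key pair was generated at: 14:48:38 EDT Aug 24 2018
Key name: HSN_ASA
Usage: General Purpose Key
Modulus Size (bits): 2048
Storage: config
Key Data:
***

Key pair was generated at: 02:45:02 EDT Sep 6 2018
Key name: <Default-RSA-Key>.server
Usage: Encryption Key
Modulus Size (bits): 768
Storage: config
Key Data:
***
"""

MIN_MODULUS_BITS = 2048  # policy threshold assumed by this example, not reported by the ASA


@dataclass(frozen=True)
class RsaKey:
    name: str
    usage: str
    modulus_bits: int
    storage: str

    @property
    def is_default(self):
        # Assumption: the default pair and its '.server' companion share this prefix.
        return self.name.startswith("<Default-RSA-Key>")


# A record begins at each "Key pair was generated at:" line; the other labelled
# fields follow it. "Key Data:" and the key material lines are skipped.
FIELD_RE = re.compile(
    r"^(Key pair was generated at|Key name|Usage|Modulus Size \(bits\)|Storage):\s*(.*)$"
)


def _build(fields):
    return RsaKey(
        name=fields.get("Key name", ""),
        usage=fields.get("Usage", ""),
        modulus_bits=int(fields.get("Modulus Size (bits)", "0")),
        storage=fields.get("Storage", ""),
    )


def parse_mypubkey_rsa(text):
    """Return the key pairs in the listing, in order of appearance."""
    keys, current = [], {}
    for raw in text.splitlines():
        m = FIELD_RE.match(raw.strip())
        if not m:
            continue
        field, value = m.group(1), m.group(2).strip()
        if field == "Key pair was generated at" and current:
            keys.append(_build(current))
            current = {}
        current[field] = value
    if current:
        keys.append(_build(current))
    return keys


def weak_keys(keys, min_bits=MIN_MODULUS_BITS):
    """Key pairs whose modulus is below the policy threshold."""
    return [k for k in keys if k.modulus_bits < min_bits]


def zeroize_commands(keys, min_bits=MIN_MODULUS_BITS):
    """Narrowest removal command per weak pair: 'default' for the default pair,
    'label <name>' for a named pair, so the bare command is never required."""
    cmds = []
    for k in weak_keys(keys, min_bits):
        cmd = ("crypto key zeroize rsa default" if k.is_default
               else f"crypto key zeroize rsa label {k.name}")
        if cmd not in cmds:
            cmds.append(cmd)
    return cmds


if __name__ == "__main__":
    found = parse_mypubkey_rsa(SAMPLE_OUTPUT)
    for k in weak_keys(found):
        print(f"{k.name}: {k.modulus_bits} bits ({k.usage}, storage={k.storage})")
    print(zeroize_commands(found))
```

Feed it the real listing (pasted into SAMPLE_OUTPUT or read from a file) and the report shows which pairs fall under the threshold before anything is removed; on the question's listing only the two default-named pairs do, so the named 2048-bit pairs stay untouched.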

2 Replies

Hi John,

Yes, using the command "crypto key zeroize rsa" will remove all keys. This affects keys marked "Storage: config", which yours are. You could use the command "crypto key zeroize rsa label XXXX" to delete a specific key or "crypto key zeroize rsa default" for the default key.

Sorry, I don't 100% know the answers to your other questions and don't have a lab to test; hopefully someone else can help you further.

HTH

Thanks for your reply.

So if I use the command crypto key zeroize rsa default to remove the default keys, I get the following warning...

WARNING: The default RSA key pair will be removed
WARNING: All device digital certificates issued using these keys will also be removed and
the associated trustpoints may not function correctly.

How can I check to see what certificates were issued with these keys so I can assess the impact to other services once the default keys are removed?

Thanks.

John
