Solved: "show crypto ca certificate"

tiki_turtle · ‎03-08-2016

I cannot find the self signed certificate via CLI on my ASA. How can I see it and possibly update it. Is this done strictly through ASDM?

FW# sh ssl
Accept connections using TLSv1 and negotiate to TLSv1
Start connections using TLSv1 and negotiate to TLSv1
Enabled cipher order: aes128-sha1 aes256-sha1
Disabled ciphers: 3des-sha1 des-sha1 rc4-md5 rc4-sha1 null-sha1
No SSL trust-points configured
Certificate authentication is not enabled

FW# sh crypto ca server

ERROR: Cannot find Certificate Server

FW# sh crypto key mypubkey rsa
Key pair was generated at: 10:32:10 GMT Mar 7 2016
Key name: <Default-RSA-Key>
Usage: General Purpose Key
Modulus Size (bits): 2048
Key Data:

Dinesh Moudgil · ‎03-08-2016

Did you configure one certificate by yourself. In that case it should have been there.
If you do not see any trustpoint config in the output of "show run | in crypto" then there might not be any certificate configured manually.

I'd like to inform you that ASA randomly generates a self-signed certificate after each reboot and uses it in SSL communication if you do not configure one by yourself. This is not part of the configuration though but if you https into the ASA , it shows that certificate error and states that it is not trusted since it is self-signed.

Looks like you dont have any trustpoint configured as in the above command output:
No SSL trust-points configured

Regards,
Dinesh Moudgil

P.S. Please rate helpful posts.

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/

View solution in original post

Dinesh Moudgil · ‎03-08-2016

"show crypto ca certificate" shall address your query.

Regards,
Dinesh Moudgil

P.S. Please rate helpful posts.

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/

tiki_turtle · ‎03-08-2016

Thanks Dinesh,

The output of the command shows nothing. I don't get how one could exist if I cannot see it on the CLI...but yet one can be seen when https://firewall_IP

FW# sh crypto ca certificates
FW#

Dinesh Moudgil · ‎03-08-2016

Did you configure one certificate by yourself. In that case it should have been there.
If you do not see any trustpoint config in the output of "show run | in crypto" then there might not be any certificate configured manually.

I'd like to inform you that ASA randomly generates a self-signed certificate after each reboot and uses it in SSL communication if you do not configure one by yourself. This is not part of the configuration though but if you https into the ASA , it shows that certificate error and states that it is not trusted since it is self-signed.

Looks like you dont have any trustpoint configured as in the above command output:
No SSL trust-points configured

Regards,
Dinesh Moudgil

P.S. Please rate helpful posts.

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/

tiki_turtle · ‎03-08-2016

Thanks Dinesh - I will look a the documentation

Dinesh Moudgil · ‎03-08-2016

Here is a document for how to configure self signed ID cert

https://supportforums.cisco.com/document/44116/asa-self-signed-certificate-webvpn

http://www.cisco.com/c/en/us/td/docs/security/asdm/identity-cert/cert-install.html

Regards,
Dinesh Moudgil

P.S. Please rate helpful posts.

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/

SSL certificate on ASA - How can I see it and update it via CLI?