Cisco Community
English
Register
Cisco Community Events are getting a new name! LEARN MORE
Register
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel

Certificate Backup and Installation - Trustpoints

Labels:
45653
Views
40
Helpful
3
Comments
Jay Young
Jay Young Cisco Employee
‎10-17-2010 07:20 AM
edited on: ‎10-17-2010 ‎07:20 AM


IOS and ASA use the same trustpoint model for storing certificates in the configuration.  A trustpoint just a container in which certificates are stored.  A trust point can hold up to two certificates.

  1. An identity certificate (a certificate that the router owns the corresponding private key)
  2. A certificate authority certificate (a certificate that is signed by  another party.  The router doesn't own the matching private key)

Once a certificate has been generated and installed into a device it is possible to export the whole certificate chain and private key pair for storage in a secure location.  It is important to backup up identity certificates in case of device failure.  In a case where you have control over the certificate authority it is trivial to issue another certificate but in cases where there are financial costs (i.e. a certificate issued from Verisign, Thawte, GoDaddy, etc) to reissue another certificate it may be beneficial to import the backed up certificate into the new device.

To backup a certificate via the command line do the following, where TrustPoint1 is the trust point name and cisco123 is the password used to encrypt the output:

--On ASA--

config t

ciscoASA(config)# crypto ca export TrustPoint1 pkcs12 cisco123

--On Router--

config t

ciscoIOS(config)# crypto pki export TrustPoint1 pkcs12 terminal cisco123

This will output a long text string.  That is a base64 encoded pkcs12.  A pkcs12 is a standardized container that carries the identity certificate, it's matching private key, and all the remaining certificates within the chain.  Below is an example of the output you should see

Exported pkcs12 follows:
-----BEGIN PKCS12-----
MIIKFwIBAzCCCdEGCSqGSIb3DQEHAaCCCcIEggm+MIIJujCCCbYGCSqGSIb3DQEH
BqCCCacwggmjAgEAMIIJnAYJKoZIhvcNAQcBMBsGCiqGSIb3DQEMAQMwDQQIdgIw

ZpGdYtcCAQGAgglwn6YErftJLeZK+OKgzJPD1sSMdvvAmdGJ1Z0/3sR1ZQ0vkgqj

...

<snip>

...

RiLdbl+HkrGPNJnPtborMYUHpVGeFhjFVpgkdUDFIIw7+nQnMSnmDkX5cpom9ysT
anHjapG5kfWpT8J6UrtRzd0TdeLRMWq/cRrnZzA9MCEwCQYFKw4DAhoFAAQUIQMB
iWtOj//C8WzhzLy4jG9gVU8EFDFlq1YFBUHuouUPFoZNhhnAhEUkAgIEAA==
-----END PKCS12-----

To import the certificate into the router/asa the process is reversed.

--On router--

config t

ciscoIOS(config)#crypto pki import TrustPoint2 pkcs12 terminal cisco123

<paste in the base64 encoded pkcs12>

quit

--On ASA--

config t

ciscoASA(config)# crypto ca import TrustPoint2 pkcs12 cisco123

<paste in the base64 encoded pkcs12>

quit

You can verify the installation by issuing the command "show crypto ca certificates"

NOTES:

RSA keys are stored in the flash in a hidden partition that can not be accessed. On IOS at time of RSA key generation the exportable keyword must be specified.  Otherwise the router will be unable to export the key, making the pkcs12 export fail.  ASA RSA keys are always exportable and do not have this limitation.

Comments
bern81
bern81 Beginner
Beginner
‎05-16-2018 04:58 AM
‎05-16-2018 04:58 AM

Hello Jay,

 

Great article.

Question: do i have to change the hostname of the new ASA where i imported the identity cert to make it match the CN attribute in the cert ?

 

mveedock
mveedock Cisco Employee
Cisco Employee
‎08-31-2018 11:17 AM
‎08-31-2018 11:17 AM

Hello Bern81,

 

You do 'not' need to change the hostname of the new ASA.  The hostname is not synced in any way with the ID certificate.  

 

To prevent an "untrusted certificate" warning (such as shown in a web browser) you need to make sure the CN value of the cert matches the FQDN (or IP address) that is entered into the browser.  

 

For example, if the cert contains "CN=123.cisco.com" then the user must enter exactly "https://123.cisco.com" in order to prevent an untrusted certificate warning.  Or if the cert contains "CN=192.168.1.1" then the browser must be exactly "CN=192.168.1.1"

 

In addition to the above, the local computer must have the issuer of the server's ID certificate trusted in the local user or machine store on the local computer.  This means having the issuing CA certificate as a trusted CA on the local computer.

 

Mike Veedock

bern81
bern81 Beginner
Beginner
‎10-22-2018 08:01 AM
‎10-22-2018 08:01 AM

Hello Mike,

 

Many thanks for your reply, now all is clear :).

 

 

Latest Contents
Object-Group NAT Dynamic PAT
Created by mumbles202 on 09-17-2019 01:55 PM
0
0
0
0
Is there any issue w/ the following configuration:object-group network obj_myinternal_ips  network-object host 172.16.23.20  network-objecthost 172.16.23.100 object network obj_myexternal   network-object host 192.168.23.200 ... view more
Cisco ASA 5505 Migration to FTD Firepower Device Manager
Created by IamSamSaul on 09-17-2019 01:38 PM
0
0
0
0
Hi there, I want to migrate Cisco ASA 5505 to Cisco FTD with Firepower Device Manager (FDM). I know that you can use Cisco's Migration Tool if you are migrating to Cisco FTD with Firepower Management Center (FMC). Is there any "easy" way to migr... view more
Unable to ping to ASA outside interface
Created by suresh.nr3171 on 09-17-2019 10:59 AM
1
0
1
0
Hi all, Below in the configuration in ASA0, still unable to ping to outside interface gi/2, pls help interface GigabitEthernet1/1nameif insidesecurity-level 0ip address 192.168.1.1 255.255.255.0!interface GigabitEthernet1/2nameif outsidesecurity... view more
Cisco ISE config backup stuck
Created by bmak on 09-17-2019 10:20 AM
1
0
1
0
Hi, I am trying to take a configuration back-up on my Primary Admin Node.I see that the backup generation is stuck on 10%, it has been this way for about 5 days now.The ise node is still operating without any issues. I have tried to stop the bac... view more
Query regarding FPR2110-ASA-K9
Created by Netplace Support on 09-17-2019 10:20 AM
1
0
1
0
Hi All,My company has purchased Firepower 2100 series firewall with ASA image 9.10.1. My query is related to CLI and GUI. Is it the CLI Commands and GUI steps/view will be same as normal ASA and manage by ASDM. Any help will be appreciated
CreatePlease to create content
Discussion
Blog
Document
Video
Content for Community-Ad
August's Community Spotlight Awards