Cisco Community
English
Register
Register
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
Cisco Community November 2020 Spotlight Award Winners

Certificate Backup and Installation - Trustpoints

Labels:
48933
Views
40
Helpful
3
Comments
Jay Young
Cisco Employee
‎10-17-2010 07:20 AM
edited on: ‎10-17-2010 ‎07:20 AM


IOS and ASA use the same trustpoint model for storing certificates in the configuration.  A trustpoint just a container in which certificates are stored.  A trust point can hold up to two certificates.

  1. An identity certificate (a certificate that the router owns the corresponding private key)
  2. A certificate authority certificate (a certificate that is signed by  another party.  The router doesn't own the matching private key)

Once a certificate has been generated and installed into a device it is possible to export the whole certificate chain and private key pair for storage in a secure location.  It is important to backup up identity certificates in case of device failure.  In a case where you have control over the certificate authority it is trivial to issue another certificate but in cases where there are financial costs (i.e. a certificate issued from Verisign, Thawte, GoDaddy, etc) to reissue another certificate it may be beneficial to import the backed up certificate into the new device.

To backup a certificate via the command line do the following, where TrustPoint1 is the trust point name and cisco123 is the password used to encrypt the output:

--On ASA--

config t

ciscoASA(config)# crypto ca export TrustPoint1 pkcs12 cisco123

--On Router--

config t

ciscoIOS(config)# crypto pki export TrustPoint1 pkcs12 terminal cisco123

This will output a long text string.  That is a base64 encoded pkcs12.  A pkcs12 is a standardized container that carries the identity certificate, it's matching private key, and all the remaining certificates within the chain.  Below is an example of the output you should see

Exported pkcs12 follows:
-----BEGIN PKCS12-----
MIIKFwIBAzCCCdEGCSqGSIb3DQEHAaCCCcIEggm+MIIJujCCCbYGCSqGSIb3DQEH
BqCCCacwggmjAgEAMIIJnAYJKoZIhvcNAQcBMBsGCiqGSIb3DQEMAQMwDQQIdgIw

ZpGdYtcCAQGAgglwn6YErftJLeZK+OKgzJPD1sSMdvvAmdGJ1Z0/3sR1ZQ0vkgqj

...

<snip>

...

RiLdbl+HkrGPNJnPtborMYUHpVGeFhjFVpgkdUDFIIw7+nQnMSnmDkX5cpom9ysT
anHjapG5kfWpT8J6UrtRzd0TdeLRMWq/cRrnZzA9MCEwCQYFKw4DAhoFAAQUIQMB
iWtOj//C8WzhzLy4jG9gVU8EFDFlq1YFBUHuouUPFoZNhhnAhEUkAgIEAA==
-----END PKCS12-----

To import the certificate into the router/asa the process is reversed.

--On router--

config t

ciscoIOS(config)#crypto pki import TrustPoint2 pkcs12 terminal cisco123

<paste in the base64 encoded pkcs12>

quit

--On ASA--

config t

ciscoASA(config)# crypto ca import TrustPoint2 pkcs12 cisco123

<paste in the base64 encoded pkcs12>

quit

You can verify the installation by issuing the command "show crypto ca certificates"

NOTES:

RSA keys are stored in the flash in a hidden partition that can not be accessed. On IOS at time of RSA key generation the exportable keyword must be specified.  Otherwise the router will be unable to export the key, making the pkcs12 export fail.  ASA RSA keys are always exportable and do not have this limitation.

Comments
bern81
Beginner
Beginner
‎05-16-2018 04:58 AM
‎05-16-2018 04:58 AM

Hello Jay,

 

Great article.

Question: do i have to change the hostname of the new ASA where i imported the identity cert to make it match the CN attribute in the cert ?

 

mveedock
Cisco Employee
Cisco Employee
‎08-31-2018 11:17 AM
‎08-31-2018 11:17 AM

Hello Bern81,

 

You do 'not' need to change the hostname of the new ASA.  The hostname is not synced in any way with the ID certificate.  

 

To prevent an "untrusted certificate" warning (such as shown in a web browser) you need to make sure the CN value of the cert matches the FQDN (or IP address) that is entered into the browser.  

 

For example, if the cert contains "CN=123.cisco.com" then the user must enter exactly "https://123.cisco.com" in order to prevent an untrusted certificate warning.  Or if the cert contains "CN=192.168.1.1" then the browser must be exactly "CN=192.168.1.1"

 

In addition to the above, the local computer must have the issuer of the server's ID certificate trusted in the local user or machine store on the local computer.  This means having the issuing CA certificate as a trusted CA on the local computer.

 

Mike Veedock

bern81
Beginner
Beginner
‎10-22-2018 08:01 AM
‎10-22-2018 08:01 AM

Hello Mike,

 

Many thanks for your reply, now all is clear :).

 

 

Latest Contents
Anyconnect NAM disconnect network during auth
Created by peter.matuska1 on 02-28-2021 05:23 AM
0
0
0
0
Hi,we use EAP-TLS for machine and user auth. When certificates are installed, everything is fine. I am testing the scenario when the e.g. User certificate is not present. Anyconnect shows the warning that there is no certificate (dot1x fails) but network ... view more
ASA 5506 - no SSH possible
Created by Maurizio Caloro on 02-28-2021 02:02 AM
5
0
5
0
Hello TogetherPlease i will open for LAN "Inside" the SSH Port. try with this commands but no postive result appair "Connection redused"i know iam on the right way, please and thanks for any Update:asa(config)# crypto key generate rsa general-keys modulus... view more
FirePower FMC Audit logs are not showing policy changes
Created by meidanmeshulam on 02-28-2021 01:45 AM
1
0
1
0
Hi all !I'm capturing Audit logs from FMC using tcpdump, but unfortunately I do not see any access policy changes in the logs : \I do get other logs like saving the configs etc, but when I edit the policy and add/remove/edit a rule , I get nothing on the ... view more
4110 FTD 6.4 - Active Standby HA ISSUE with upraging FXOS to...
Created by b.sharifi on 02-27-2021 03:50 PM
1
0
1
0
I am about to uprade two FTD 4110 FXOS. The first upgrade has been succeced on the Secondary and then I tried do run the same steps on the primery FTD. I has been runing upgrade in more than 2 hours on the primery FTD now and I am soure that some thing is... view more
configure Cisco ESA C300V
Created by JeddGo80482 on 02-27-2021 12:58 PM
10
5
10
5
Hello Community I'm following the doc https://www.cisco.com/c/dam/en/us/td/docs/security/content_security/virtual_appliances/Cisco_Content_Security_Virtual_Appliance_Install_Guide.pdf we have 3 interfaces for the virtual appliance. During c... view more
Content for Community-Ad