Re: SSL Cert for VPN

jkay18041 · ‎06-14-2018

Few question, we have a asa 5516x that we got replaced due to the clock issue. I've got the licenses moved to the new one so that part is done. But my next question is if I take the SSD out of the old unit and put it in the new unit will the config move over or should I copy and paste the config from the old one to the new one via cmd line?

Either way of doing that will I need to create a new CSR and get a new SSL cert for the VPN as well?

Thank you

Marvin Rhoads · ‎06-14-2018

The configuration is saved on disk0 (internal flash memory), not the SSD. So you will have to restore the configuration from the old unit.

The SSL certificate can be backed up and transferred if you also move the private key but it's often easier to just create a new CSR and have your CA reissue a new certificate.

If you were using the Firepower service module you will have to reconfigure it on the new appliance and re-register and apply policies to it.

maniac79 · ‎06-15-2018

Thank you for the reply. I did a backup using ASDM then copied the zip file to the new ASA using the ASDM restore feature. It shows the certificates, would it of got the private key as well do you think or anyway to check before I put this in production?

Thank you for the help!

Marvin Rhoads · ‎06-15-2018

If you did a full backup it would include the identity certificate and associated preshared key munged into a PKCS12 file.

You can restore it to the target appliance and connect to it directly using an Ethernet cable from your computer to the outside interface. Manually set your address to be the ASA's outside gateway address and create a host file entry for the VPN portal (e.g. the ASA outside address). Browse to the portal and make sure you don't get any certificate warnings.