02-12-2025 01:53 PM
Good Day
I have a Cisco 5512-X Firewall with an expiring Identity Certificate that I already plan on getting re-keyed by the CA Authority (GoDaddy).
I have already made a plan to create a new trustpoint and have it pending, so when the new CSR gets re-keyed I will install it immediately.
Do I have to get a new CA Certificate as well?
It's from GoDaddy and it's not getting changed anytime soon, as the CA Certificate doesn't expire until 2031, while the Identity Certificate will expire near the end of this month.
Thank you for your time and assistance as always.
02-12-2025 07:18 PM - edited 02-12-2025 07:18 PM
Usually you don't really need to install the CA again unless you are changing the Certificate Authority from GD to anything else, or the GD CA cert is expired.
You can download the certificate from GoDaddy and look at the chain just to make sure the CA certificate is the same. For example, if you open the .crt you should see something like this:
If you double-click on the CA you should be able to see the Serial number in the Details to compare with the one on your ASA by running the command show cry ca certificates:
Hope this helps!
-JP-
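One way to do the serial-number comparison JP describes without clicking through a certificate viewer, as an added example that is not part of this thread and not a Cisco or GoDaddy tool: a stdlib-only Python script that splits a PEM bundle into its certificates, walks the DER just far enough to read each certificate's serial number, and normalizes both that value and a serial copied from the ASA so colons, case and a leading zero do not produce a false mismatch. The sample chain below is a constructed placeholder carrying only the leading fields of a certificate (version and serial), not a real GoDaddy certificate; the assumption that the ASA prints the serial as a hex string is the author's of this example.

```python
import base64
import re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def _tlv(tag, body):
    """Encode one DER tag-length-value (short or long form length)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _to_pem(der):
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


def _placeholder_cert(serial_bytes):
    """Constructed stand-in: Certificate { tbs { [0] version=v3, serialNumber, padding } }.
    The 200-byte padding forces a long-form length, as a real certificate has."""
    tbs = _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, serial_bytes) + _tlv(0x04, b"\x00" * 200)
    return _tlv(0x30, _tlv(0x30, tbs))


# Constructed sample chain: leaf first, CA last, as GoDaddy bundles are usually ordered.
# The CA serial carries the 0x00 sign pad DER requires when the high bit is set.
SAMPLE_CHAIN_PEM = (
    _to_pem(_placeholder_cert(b"\x11\x22\x33\x44\x55"))
    + _to_pem(_placeholder_cert(b"\x00\xab\xcd\xef\x01\x23\x45\x67"))
)


def read_tlv(buf, pos):
    """Read one DER element at pos; return (tag, value_start, value_end, next_pos)."""
    tag = buf[pos]
    pos += 1
    length = buf[pos]
    pos += 1
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length, pos + length


def certificate_serial(der):
    """Return the serialNumber of one DER certificate as lowercase hex, sign pad removed."""
    tag, start, _, _ = read_tlv(der, 0)            # Certificate SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tag, start, _, _ = read_tlv(der, start)        # tbsCertificate SEQUENCE
    if tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    tag, vstart, vend, nxt = read_tlv(der, start)
    if tag == 0xA0:                                # optional EXPLICIT [0] version
        tag, vstart, vend, nxt = read_tlv(der, nxt)
    if tag != 0x02:
        raise ValueError("serialNumber INTEGER not found")
    serial = der[vstart:vend]
    if len(serial) > 1 and serial[0] == 0:         # drop the positive-sign pad byte
        serial = serial[1:]
    return serial.hex()


def chain_serials(pem_text):
    """Serial numbers of every certificate in a PEM bundle, in file order."""
    ders = [base64.b64decode("".join(m.split())) for m in PEM_RE.findall(pem_text)]
    return [certificate_serial(d) for d in ders]


def normalize_serial(text):
    """Accept '0A:1B:..', 'a1b2..', or '00a1b2..' and return a comparable canonical form."""
    digits = re.sub(r"[^0-9a-f]", "", text.lower())
    return digits.lstrip("0") or "0"


def find_in_chain(pem_text, asa_serial):
    """Index of the chain certificate whose serial equals the one shown by the ASA, else None."""
    wanted = normalize_serial(asa_serial)
    for idx, serial in enumerate(chain_serials(pem_text)):
        if normalize_serial(serial) == wanted:
            return idx
    return None


if __name__ == "__main__":
    for i, s in enumerate(chain_serials(SAMPLE_CHAIN_PEM)):
        print(f"cert[{i}] serial {s}")
    # Value as it might be copied from 'show crypto ca certificates' on the ASA
    print("CA match index:", find_in_chain(SAMPLE_CHAIN_PEM, "AB:CD:EF:01:23:45:67"))
```

Paste the downloaded bundle's text in place of SAMPLE_CHAIN_PEM and the serial line from the ASA's trustpoint output into find_in_chain; a result of None means the bundle's CA differs from the one the trustpoint currently holds, which is the case where JP's advice to re-install the CA would apply.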
02-13-2025 06:48 AM - edited 02-13-2025 10:22 AM
Thank you, JP, that is very helpful. So getting the Identity Certificate re-keyed is all I would have to do in this scenario; I don't have to touch the CA Certificate?
Once I get the Identity Certificate re-keyed and uploaded, will the new trustpoint I created become associated with the CA Certificate automatically, or will I have to manually associate it with the CA Certificate? I am following this guide for the process.
Install and Renew Certificates on ASA Managed by ASDM - Cisco