CA Certificates for ASA on Active/Standby Configuration

Boon Keat Gan
Level 1

Hi Guys,

We have currently set up an Active/Standby ASA firewall with SSL VPN enabled. We found that the certificate does not sync to the standby unit. However, I manually imported the CA certificate into the standby unit and somehow it will disappear after some time.

I understand that we need to do some export and import of CA certificates on the ASA to make both have identical settings.

I tried the following commands:

crypto ca export trustpoint

Example:

hostname(config)# crypto ca export Main

crypto ca import trustpoint pkcs12

Example:

hostname(config)# crypto ca import Main pkcs12

But it failed to export the cert. I understand that it is only for the ID cert and not the CA cert?

The question is: how can I sync both units to have the same identical certificate trustpoint number?

4 Replies

bergamok
Level 1

Hi!

I have the same problem.

Have you ever found out how to copy the certificate on the standby ASA?

I have tried the "write standby" command on my ASA 8.2(1), but it does not work.

Thanks

Your certificates should sync to the standby unit. Is your failover working correctly? And are you using a recent ASA version?

The failover works fine, the CA certificate is replicated to the standby ASA, and also the command "ssl trust-point trustpoint-name interfacename", but not the identity certificate.

I do have a quite old OS version: ASA5520 with OS 8.2(1), so maybe that's the problem.

Upgrade to the newest 8.2 release (8.2(5)57 is the newest in your release-train) and try again.