CA Certificates for ASA on Active/Standby Configuration

Boon Keat Gan
Beginner

Hi Guys,

We have currently set up an Active/Standby ASA firewall with SSL VPN enabled. We found that the certificate does not sync to the standby unit. However, I manually imported the CA certificate into the standby unit and somehow it disappears after some time.

I understand that we need to export and import the CA certificates on the ASA so that both units have identical settings.

I tried the following commands:

crypto ca export trustpoint

Example:

hostname(config)# crypto ca export Main

crypto ca import trustpoint pkcs12

Example:

hostname(config)# crypto ca import Main pkcs12

But it failed to export the cert. I understand that it is only for the ID cert and not the CA cert?

The question is: how can I sync both units to have the same identical certificate TrustPoint number?

4 REPLIES 4

bergamok
Beginner

Hi!

I have the same problem.

Have you ever found out how to copy the certificate on the standby ASA?

I have tried the "write standby" command on my ASA 8.2(1) but it does not work.

 

Thanks

Karsten Iwen
VIP Mentor

Your certificates should sync to the standby unit. Is your failover working correctly? And are you using a recent ASA-version?

The failover works fine, the CA certificate is replicated to the standby ASA and also the command "ssl trust-point trustpoint-name interfacename", but not the identity certificate.

 

I do have quite an old OS version: ASA5520 with OS 8.2(1), so maybe that's the problem.

 

Upgrade to the newest 8.2 release (8.2(5)57 is the newest in your release-train) and try again.
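
A way to confirm which certificates the standby unit is missing, as an added example that is not part of the original thread: it diffs `show crypto ca certificates` output captured from each unit. The sample output is constructed, its layout (unindented entry header, indented fields) is an assumption, and the function names are hypothetical.

```python
import re

# Constructed sample output for the active and standby units (layout assumed).
ACTIVE = """\
Certificate
  Status: Available
  Certificate Serial Number: 1a2b3c
  Certificate Usage: General Purpose
  Associated Trustpoints: Main
CA Certificate
  Status: Available
  Certificate Serial Number: 00ff01
  Certificate Usage: Signature
  Associated Trustpoints: Main
"""
STANDBY = """\
CA Certificate
  Status: Available
  Certificate Serial Number: 00ff01
  Certificate Usage: Signature
  Associated Trustpoints: Main
"""

def parse_certs(text):
    """Return a set of (trustpoint, kind, serial) tuples from the show output."""
    certs, kind, serial = set(), None, ""
    for line in text.splitlines():
        if line and not line[0].isspace():   # unindented line starts a new entry
            kind = "ca" if line.strip().lower().startswith("ca ") else "identity"
            serial = ""
        elif kind is None:
            continue                         # ignore fields before any entry header
        elif m := re.match(r"\s+Certificate Serial Number:\s*(\S+)", line):
            serial = m.group(1).lower()
        elif m := re.match(r"\s+Associated Trustpoints:\s*(.+)", line):
            for tp in m.group(1).split():
                certs.add((tp, kind, serial))
    return certs

def missing_on_standby(active_text, standby_text):
    """Certificates present on the active unit but absent on the standby."""
    return sorted(parse_certs(active_text) - parse_certs(standby_text))

if __name__ == "__main__":
    for tp, kind, serial in missing_on_standby(ACTIVE, STANDBY):
        print(f"standby lacks {kind} certificate {serial} for trustpoint {tp}")
```

With the constructed sample, the identity certificate for trustpoint Main is reported as missing while the CA certificate matches, which is the situation described in the thread.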
