Export ASA user certificates

Chess Norris
Level 4

Hello,

Trying to migrate an ASA 5585-X to a Firepower 1150 and have a question on exporting user certificates.

In ASDM, I can only see an option for exporting identity certificates, but not CA certificates. The identity certificate would only be for accessing the ASA webserver or ASDM, but I need the certificates that users use for identification (user certificates). I think those are located in ASDM under configuration->Remote Access VPN->Certificate Management-> CA certificates, but there's no export option there.

Thanks

/Chess 

10 Replies

@Chess Norris as far as I remember, exporting the certificate exports the identity and CA certificates.

Example:- https://integratingit.wordpress.com/2019/09/28/asa-export-import-certificate/


Thanks, 

That was actually the guide I was looking at. However, he only mentions how to export identity certificates and not the CA certificates from ASDM. Do I need to use the CLI for exporting CA certificates? In ASDM you have the option to import a CA certificate but not to export one. It's a bit weird.

@Chess Norris if you notice, the trustpoint is being exported, and the trustpoint includes the identity and root certificate. You can use either the CLI or ASDM; the steps in the guide look accurate to me.

Under CA certificates in ASDM, I've got about 30 different certificates and about 10 trustpoints used by different VPN group policies, but no export option. Under Identity certificates, I only have two certificates and two trustpoints: one for ASDM and one for the outside interface. Do you mean I will get all CA certificates just by exporting the two identity certificates?

/Chess

@Chess Norris on your ASA if you run "show crypto ca certificates" find your identity certificate, you will see what root CA certificate it's associated with (as per the first screenshot in that link provided). All certificates associated to that trustpoint are exported.

I'm trying from the CLI now, but I only seem to be able to export the identity certificates. For the other Trustpoints, I get "Error: A required certificate or keypair was not found" 

If I issue "show crypto ca certificates | include Trustpoint", it gives me about 20 different trustpoints. They are called something like "company_name_CA05_G3", "company_name_CA04_G2" and so on. But those certificates don't seem to be exportable, because I get the "A required certificate or keypair was not found" error. Only the two certificates that I can see in the ASDM identity certificate directory are the ones that I can export.

/Chess

@Chess Norris if this is only required for authenticating RAVPN users, it sounds like it is easier to get the certificates from your Internal CA and import.

Chess Norris
Level 4

@Rob Ingram Yes, you are probably right about that. However, I just discovered that for the certificates I was unable to export, I could instead just copy and paste the relevant certificate configuration from the old ASA to the new ASA. Now those certificates show up in the CA certificate directory in ASDM. So could it be that it's just the identity certificates that can/need to be properly exported, while for the CA certificates I can just copy/paste the configuration?


Why do you need to export the CA via the ASA?

The AnyConnect/ASA must have its CA cert from the server.

Can you elaborate more?

I was able to just copy the certificate configuration from the old ASA and paste it to the new one. After that, all certificates from the old ASA were in the ASDM CA directory on the new ASA. It seems like only the identity certificates can be exported/imported.

/Chess
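As an added example (not code from this thread, from Cisco, or from the guide linked above): the copy/paste approach in the two posts above works because the old ASA's running config carries every certificate as a hex dump inside `crypto ca certificate chain <trustpoint>` blocks, with `certificate ca <serial>` for trust anchors and `certificate <serial>` for enrolled identity certificates. The Python script below parses that layout from a `show running-config` capture, rebuilds each certificate's DER bytes, writes standard PEM, and prints a SHA-256 fingerprint you can compare against `openssl x509 -noout -fingerprint -sha256 -in <file>` after importing on the Firepower. It also lists which trustpoints hold an identity certificate, which is the heuristic for what `crypto ca export <trustpoint> pkcs12 <passphrase>` can package; a CA-only trustpoint has no keypair, which is consistent with the "A required certificate or keypair was not found" error reported above. `SAMPLE_CONFIG`, the trustpoint names in it, and the hex bodies are constructed for the demo and are not real certificates, so PEM made from the sample will not parse with openssl; output from a real ASA will.

```python
import base64
import hashlib
import re
import textwrap
from dataclasses import dataclass

# Constructed sample of the relevant part of `show running-config` on the old ASA.
# The hex bodies are placeholders shaped like DER (leading 30 82 ...), NOT real
# certificates, so PEM produced from this sample will not parse with openssl;
# output from a real ASA will.
SAMPLE_CONFIG = """\
crypto ca certificate chain ASDM_TrustPoint0
 certificate 5a1b2c3d
    30820123 45678901 23456789 01234567 89012345 67890123 45678901 23456789
    0abcdef0
  quit
crypto ca certificate chain company_name_CA05_G3
 certificate ca 00a1b2c3
    3082fedc ba987654 3210fedc ba987654 3210fedc ba987654 3210fedc ba987654
    3210fedc ba98
  quit
"""

CHAIN_RE = re.compile(r"^crypto ca certificate chain (\S+)\s*$")
CERT_RE = re.compile(r"^\s*certificate (ca )?([0-9a-fA-F]+)\s*$")
HEX_RE = re.compile(r"^[0-9a-fA-F\s]+$")


@dataclass
class AsaCert:
    trustpoint: str
    serial: str
    kind: str    # "ca": trust anchor only (no keypair on the box); "identity": enrolled cert
    der: bytes

    def sha256_fingerprint(self) -> str:
        """Colon-separated SHA-256 of the DER, same form openssl prints."""
        digest = hashlib.sha256(self.der).hexdigest().upper()
        return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

    def to_pem(self) -> str:
        b64 = base64.b64encode(self.der).decode("ascii")
        return ("-----BEGIN CERTIFICATE-----\n"
                + "\n".join(textwrap.wrap(b64, 64))
                + "\n-----END CERTIFICATE-----\n")


def pem_to_der(pem: str) -> bytes:
    """Inverse of AsaCert.to_pem, used to check the round trip."""
    body = [ln for ln in pem.splitlines() if ln and not ln.startswith("-----")]
    return base64.b64decode("".join(body))


def parse_asa_cert_chains(config: str) -> list[AsaCert]:
    """Walk the config line by line and rebuild each certificate's DER bytes."""
    certs: list[AsaCert] = []
    trustpoint = None
    current = None  # (serial, kind, hex fragments) while inside a certificate body
    for line in config.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            trustpoint = m.group(1)
            continue
        m = CERT_RE.match(line)
        if m and trustpoint is not None:
            current = (m.group(2), "ca" if m.group(1) else "identity", [])
            continue
        if current is None:
            continue
        if line.strip() == "quit":
            serial, kind, fragments = current
            certs.append(AsaCert(trustpoint, serial, kind, bytes.fromhex("".join(fragments))))
            current = None
        elif line.strip() and HEX_RE.match(line):
            current[2].append("".join(line.split()))
    return certs


def trustpoints_with_identity(certs: list[AsaCert]) -> list[str]:
    """Trustpoints holding an enrolled identity certificate. Heuristic (assumption):
    these are the ones `crypto ca export <tp> pkcs12 <pass>` can package, because a
    trustpoint with only `certificate ca` blocks has no private key to export."""
    return sorted({c.trustpoint for c in certs if c.kind == "identity"})


if __name__ == "__main__":
    parsed = parse_asa_cert_chains(SAMPLE_CONFIG)
    for cert in parsed:
        print(f"{cert.trustpoint}: {cert.kind} cert, serial {cert.serial}, {len(cert.der)} bytes")
        print(f"  SHA-256 {cert.sha256_fingerprint()}")
        # Write cert.to_pem() to a file, import it, then compare the fingerprint with
        # `openssl x509 -noout -fingerprint -sha256 -in <file>` on the new device's copy.
    print("pkcs12-exportable trustpoints:", trustpoints_with_identity(parsed))
```

The fingerprint step is the part worth keeping after a migration: pasting config into the new box proves nothing about integrity, whereas matching the SHA-256 of each CA certificate against the copy your internal CA publishes catches a truncated or mis-pasted hex block before the first VPN user fails certificate validation.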