%Key pair with hostname xxxx will be invalid

sjamison (Level 1)

Our domain name has changed. I also want to change the hostname of the firewall. However, when I do, I get this error.

We have a few Tunnels built between some firewalls. Is this what is generating that error? What do I need to do to get everything changed over?

Accepted Solution

gfullage (Cisco Employee)

You have previously generated a public/private key pair on this PIX, and the PIX uses the configured hostname and domain name to generate these. These keys are used for PDM/SSH access, and for VPNs if you're using certificates.

If the tunnels you have are using pre-shared keys, then regenerating a new key pair won't affect those. It will affect your SSH access, but your SSH client will just exchange the new key pair and everything should be fine.

The best way to do this will be to remove your existing key pair, change the domain and hostname, then regenerate the new key pair as follows:

ca zeroize rsa

domain-name blah.com

hostname blahblahblah

ca generate rsa key 1024

ca save all

If you are using certificates for your tunnels, then you'll need to re-enroll your PIX with your CA server and get a new identity cert.

See http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/c.htm#wp1025473 for details.
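Once the PIX regenerates its RSA key pair, the SSH host key your clients have cached for the old hostname no longer matches, so the first connection afterwards is the moment to confirm the new fingerprint against the value shown on the firewall console rather than accepting whatever the network presents. The script below is an added example, not code from the original thread and not a Cisco tool: it builds constructed ssh-rsa public key lines (the modulus values are made up and are not real keys), computes OpenSSH-style SHA256 fingerprints, and rewrites a known_hosts file so that the stale entry for the old hostname is dropped and the new key is appended only after its fingerprint matches the expected out-of-band value. The hostnames pix-old.example.com and pix-new.example.net are placeholders.

```python
"""Rotate a firewall's SSH host-key entry in an OpenSSH known_hosts file after
the device regenerated its RSA key pair (for example after a hostname/domain change).
Added example; the keys below are constructed and not real."""
import base64
import hashlib
import struct


def _ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(n: int) -> bytes:
    """SSH wire-format mpint: minimal big-endian bytes, with a leading 0x00 if the high bit is set."""
    return _ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))


def build_ssh_rsa_pubkey(e: int, n: int) -> str:
    """Return an 'ssh-rsa <base64>' public key line for a (constructed) exponent and modulus."""
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)
    return "ssh-rsa " + base64.b64encode(blob).decode()


def fingerprint(pubkey_line: str) -> str:
    """OpenSSH-style SHA256 fingerprint ('SHA256:' + unpadded base64 of the digest)."""
    blob = base64.b64decode(pubkey_line.split()[1])
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def verify_fingerprint(pubkey_line: str, expected_fp: str) -> bool:
    """True only if the key's fingerprint equals the value confirmed out of band."""
    return fingerprint(pubkey_line) == expected_fp


def rotate_known_hosts(known_hosts: str, old_host: str, new_host: str,
                       new_pubkey_line: str, expected_fp: str) -> str:
    """Drop entries for old_host and new_host, then append the verified new key.

    Raises ValueError if the presented key does not match expected_fp, so a
    wrong key never lands in known_hosts. Comments and unrelated hosts are kept."""
    if not verify_fingerprint(new_pubkey_line, expected_fp):
        raise ValueError(
            f"host key fingerprint mismatch: got {fingerprint(new_pubkey_line)}, "
            f"expected {expected_fp}"
        )
    kept = []
    for line in known_hosts.splitlines():
        if not line.strip() or line.startswith("#"):
            kept.append(line)
            continue
        # First field may list several names/addresses separated by commas.
        hosts = line.split()[0].split(",")
        if old_host in hosts or new_host in hosts:
            continue  # stale entry for the firewall under either name
        kept.append(line)
    kept.append(f"{new_host} {new_pubkey_line}")
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    # Constructed sample data (not real keys, placeholder hostnames).
    old_key = build_ssh_rsa_pubkey(65537, 0xD1CE0000BEEF)
    new_key = build_ssh_rsa_pubkey(65537, 0xFACE0000CAFE)
    known_hosts = (
        "# firewalls\n"
        f"pix-old.example.com {old_key}\n"
        "bastion.example.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQC0\n"
    )
    # The expected fingerprint is what you read off the PIX console after 'ca generate rsa key'.
    expected = fingerprint(new_key)
    print("new fingerprint:", expected)
    print(rotate_known_hosts(known_hosts, "pix-old.example.com",
                             "pix-new.example.net", new_key, expected))
```

The same check applies whether the device is a PIX or anything else that regenerates its host key: record the fingerprint from the console or serial session at generation time, and treat any mismatch on the next connection as a reason to stop, not to click through.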

2 Replies

That fixed it up exactly as I needed it to! Thanks!