manish arora
Frequent Contributor

move SSL Cert from one device to another on Cisco ASA

Hello Everyone,

Is it possible to move an SSL certificate + key from one Cisco ASA to another? I hope it's possible, and if someone can guide me towards the correct documentation that would be perfect.

Thank you

Manish

Accepted Solutions
Julio Carvajal
Advisor

Hello,

This document will do it for you

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00809fcf91.shtml#copycert

Check the "How to copy SSL certificates from one ASA to another" section.

Regards,

Any other question..Sure.. Just remember to rate all of my answers.

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Thanks dude!

Manish

We have an ASA5550 running 8.2(5) that we're using as a VPN terminator; it died yesterday when we had a power glitch in the data center, and we're temporarily installing a spare 5510 (we don't have a spare 5550) until it's replaced.  But the RSA keys on the spare don't match the ones on the old firewall, so when we try to install the old cert it fails:

ERROR: Keypair cannot be found for trustpoint UMVPN3-INCOMMON-MAY2020.

The old ASA is dead, so we can't do a straight export/import - all we have to work with is what's in yesterday's config backup...

I gather there's no way to extract the original keys from this; is there any way to recover in this case?  Or must we export the certs from the ASAs with a "crypto ca export" and save copies of these in a secure location?

Mark Walters
Beginner

Worth noting that RSA keys on an ASA can be exported at any time. That's not the case with RSA keys on an IOS device, which require that you initially create the keys with the "exportable" keyword.

https://supportforums.cisco.com/docs/DOC-13553

cheers

mark
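
The export/import sequence this thread discusses, as an added example that is not part of any post above or of the linked Cisco document: ASA CLI that moves a trustpoint's certificate together with its RSA key pair as a passphrase-protected PKCS#12 bundle. `<trustpoint>` and `<passphrase>` are placeholders, and the interface name `outside` is an assumption.

```cisco
! --- On the source ASA (while it is still healthy) ---
! Confirm the trustpoint's certificate and its RSA key pair both exist.
show crypto ca certificates
show crypto key mypubkey rsa

configure terminal
! Prints a base64 PKCS#12 bundle holding the identity certificate,
! the CA certificate(s) and the private key, encrypted with <passphrase>.
crypto ca export <trustpoint> pkcs12 <passphrase>
! Save everything from -----BEGIN PKCS12----- through -----END PKCS12-----
! in a secure location, and keep the passphrase somewhere separate.

! --- On the destination ASA ---
configure terminal
crypto ca import <trustpoint> pkcs12 <passphrase>
! Paste the saved bundle, then type "quit" on a line by itself.

! Bind the imported trustpoint to the interface that terminates SSL
! ("outside" is an assumed interface name).
ssl trust-point <trustpoint> outside

! Verify that the certificate and the key pair arrived together.
show crypto ca certificates
show crypto key mypubkey rsa
```

A configuration backup carries the certificate chain but not the RSA private key, which is the situation behind the `Keypair cannot be found` error quoted above. The exported bundle contains the private key, so it needs the same protection as the key itself.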
