1649 Views, 5 Helpful, 10 Replies

Need help reinstalling certificate after factory reset

smason1970
Level 1

I have an ASA 5512x running ver 9.1(2), ASDM ver 7.1(3). I had to do a factory reset on the device, and now when I use the AnyConnect VPN wizard and try to install the certificate that was on the device prior to the reset I am getting ERROR: Import PKCS12 operation failed.

The old certificate was generated by this device.

How do I reinstall the old certificate?

Thanks

Scott

1 Accepted Solution


You can, but you still need their intermediate certificate so the ASA can establish a chain of trust from the issued certificate (whether it's the originally issued or re-issued one)

10 Replies

Marvin Rhoads
Hall of Fame

How did you extract the old certificate? You need to have both the certificate and the associated RSA key; both are included when you use the method noted here:

crypto ca export [trustpoint name] pkcs12 [export password]
crypto ca import [trustpoint name] pkcs12 [password used to export]

Unless you also have a backup of the RSA key used to sign the old self-signed certificate, it will not be possible to reinstall it onto the device.

Marvin,

Thanks for the reply,

I do have a copy of the RSA key, and I have a copy of the certificate itself.

What steps would I need to take to add the certificate back to the 5512?

Thanks

Did you do the export in pkcs12 format as noted above? That creates a combined file with both the certificate and signing key.

If so, the second step noted above is the command used to re-import the pkcs12 file.

No, I did not do the export at all. All that was done was I just went into File and then Reset Device to Factory Defaults. I didn't even consider the certificate.....

As far as I know the only way to restore a self-signed certificate is via the export / import method noted above.

If you haven't done the export before blowing away the configuration, you'll need to create a new key and use it to create a new self-signed certificate. This is among the reasons why Cisco strongly encourages use of a public CA or PKI for your certificates - they're generally much more recoverable.

We bought this certificate from GoDaddy, if that helps.

Oh. Earlier you said the certificate was generated by the device (i.e., self-signed).

If you're re-installing a GoDaddy certificate, you need to make sure you have first installed their intermediate certificate so that the ASA can link the device (identity) certificate back to the GoDaddy root CA.

Please refer to this external article.

Thanks I will try that.

Sorry about the confusion, I am new to this ASA.

Could I just regenerate a request from the ASA and re-key the cert on GoDaddy?

Thanks

You can, but you still need their intermediate certificate so the ASA can establish a chain of trust from the issued certificate (whether it's the originally issued or re-issued one).
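Added example, not from any of the posters and not Cisco's own tooling. It uses OpenSSL to reproduce the two points made in this thread before you touch the ASA: the PKCS12 export/import round trip only works when the bundle holds both the identity certificate and its private key (a certificate-only file cannot restore the trustpoint), and a CA-issued or re-keyed identity certificate only verifies once the CA's intermediate certificate is present. Every key, certificate, name and password in the script is constructed for the example; nothing here is real GoDaddy or ASA material.

```shell
#!/bin/sh
# Added example (not from the thread or from Cisco). Constructed OpenSSL stand-ins
# for the ASA's trustpoints: (1) a PKCS12 backup must carry certificate AND key;
# (2) a CA-issued certificate only verifies with the intermediate available.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
PW='export-password'   # constructed stand-in for the [export password] argument

# Constructed self-signed identity certificate, like one generated on the ASA.
make_identity() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -keyout "$WORK/asa.key" -out "$WORK/asa.crt" \
    -subj "/CN=asa.example.test" >/dev/null 2>&1
}

# Equivalent of "crypto ca export <trustpoint> pkcs12 <password>": cert + key in one file.
export_pkcs12() {
  openssl pkcs12 -export -inkey "$WORK/asa.key" -in "$WORK/asa.crt" \
    -out "$WORK/asa.p12" -passout "pass:$PW" 2>/dev/null
}

# What you are left with when only the certificate was saved: a bundle with no key.
export_cert_only() {
  openssl pkcs12 -export -nokeys -in "$WORK/asa.crt" \
    -out "$WORK/certonly.p12" -passout "pass:$PW" 2>/dev/null
}

# True if the PKCS12 file contains a private key.
pkcs12_has_key() {
  openssl pkcs12 -in "$1" -passin "pass:$PW" -nocerts -nodes 2>/dev/null \
    | grep -q 'PRIVATE KEY'
}

# True if the private key in the bundle belongs to the certificate in the bundle.
pkcs12_key_matches_cert() {
  k=$(openssl pkcs12 -in "$1" -passin "pass:$PW" -nocerts -nodes 2>/dev/null \
      | openssl pkey -pubout 2>/dev/null)
  c=$(openssl pkcs12 -in "$1" -passin "pass:$PW" -nokeys 2>/dev/null \
      | openssl x509 -noout -pubkey 2>/dev/null)
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# Constructed public CA: root -> intermediate -> identity certificate issued from a
# fresh CSR (the "regenerate a request and re-key" path discussed above).
make_ca_chain() {
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$WORK/ca.ext"
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/root.key" \
    -out "$WORK/root.csr" -subj "/CN=Example Root CA" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 30 \
    -extfile "$WORK/ca.ext" -out "$WORK/root.crt" >/dev/null 2>&1
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/int.key" \
    -out "$WORK/int.csr" -subj "/CN=Example Intermediate CA" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 30 -extfile "$WORK/ca.ext" -out "$WORK/int.crt" >/dev/null 2>&1
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/id.key" \
    -out "$WORK/id.csr" -subj "/CN=vpn.example.test" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/id.csr" -CA "$WORK/int.crt" -CAkey "$WORK/int.key" \
    -CAcreateserial -days 30 -out "$WORK/id.crt" >/dev/null 2>&1
}

# Verification with the root alone: the chain from the identity cert cannot be built.
chain_verifies_without_intermediate() {
  openssl verify -CAfile "$WORK/root.crt" "$WORK/id.crt" >/dev/null 2>&1
}

# Verification with the intermediate supplied: the chain of trust is complete.
chain_verifies_with_intermediate() {
  openssl verify -CAfile "$WORK/root.crt" -untrusted "$WORK/int.crt" \
    "$WORK/id.crt" >/dev/null 2>&1
}

make_identity && export_pkcs12 && export_cert_only && make_ca_chain
for f in asa.p12 certonly.p12; do
  if pkcs12_has_key "$WORK/$f"; then
    echo "$f: has private key"
  else
    echo "$f: NO private key (import would fail)"
  fi
done
if pkcs12_key_matches_cert "$WORK/asa.p12"; then echo "asa.p12: key matches certificate"; fi
if chain_verifies_without_intermediate; then echo "root only: verified"; else echo "root only: chain incomplete"; fi
if chain_verifies_with_intermediate; then echo "root + intermediate: verified"; fi
```

The same two checks work on a real backup: run pkcs12_has_key against the file produced by the crypto ca export command before you rely on it, and run openssl verify with the CA's intermediate as -untrusted against the certificate the CA returned (originally issued or re-keyed) before importing it into the trustpoint.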