Where are certificates used on this ASA (8.4)?

jwbensley (Level 1)

I have access to an ASA running 8.4 and I need to copy the config to another one, to have it as a spare.

All configuration has copied fine except for this part in the config:

crypto ca trustpoint ASDM_TrustPoint0
 enrollment self
 subject-name CN=GS2-NT-FIR-01
 proxy-ldc-issuer
 crl configure
crypto ca certificate chain ASDM_TrustPoint0
 certificate c4999f4f
    30820248 308201b1 a0030201 020204c4 999f4f30 0d06092a 864886f7 0d010105
    05003036 31163014 06035504 03130d47 53322d4e 542d4649 522d3031 311c301a
    ........
    .......lots of HEX
    .......
  quit

So firstly, I assume this certificate is for the SSL VPN that is configured on the ASA? Secondly, this wouldn't copy across (the HEX part). But I believe this ASA is using a self-signed cert, so instead I probably need to generate a new one on this spare ASA, so how do I do that?

Many thanks,

J.

Accepted Solution

The cert is self-signed, so you can enroll a new one on the second ASA.

Depending on your config it still could be that you are missing relevant parts, as many things with VPNs are not in the config any more. Instead they are stored in flash.

To have a complete backup you can use the ASDM, which has backup and restore functionality included.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni


Hi Karsten,

Thanks for the reply. Yeah, I have checked through the flash for any files in there and copied those across, and I have generated a new self-signed cert. Thanks for confirming that.

For others wanting to generate a self-signed cert, I used the commands here: http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/unified_comm_cups.html#wp1317760

Cheers.
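The two ways to get a usable certificate onto the spare, as an added example (these commands are not from the thread or from the linked Cisco page; the key label, modulus, interface name and PKCS12 passphrase are assumptions). The hex blob in the question cannot simply be pasted into the spare because it is only the public certificate: the RSA private key lives in flash and never appears in the running configuration, so the "certificate ... quit" section has to be produced on the spare either by enrolling a fresh self-signed certificate (what the thread settles on) or by cloning the original certificate together with its private key via PKCS12. The second option is worth knowing when VPN clients already trust the original self-signed certificate, since a freshly enrolled one has a new key and serial and will trigger a new trust warning on every client.

```cisco
! ---- Option A: enrol a new self-signed certificate on the spare (ASA 8.4) ----
! Key label and modulus are assumptions for this example.
hostname GS2-NT-FIR-01
crypto key generate rsa label SSL_KEY modulus 2048
!
crypto ca trustpoint ASDM_TrustPoint0
 enrollment self
 subject-name CN=GS2-NT-FIR-01
 keypair SSL_KEY
 ! proxy-ldc-issuer was in the original trustpoint. It marks this trustpoint
 ! as the issuer of local dynamic certificates for the TLS proxy (UC); drop it
 ! if the spare only terminates SSL VPN.
 proxy-ldc-issuer
 crl configure
  exit
 exit
!
! Generates the self-signed certificate; this is what writes the
! "crypto ca certificate chain ... certificate <serial> ... quit" block.
crypto ca enroll ASDM_TrustPoint0 noconfirm
!
! Bind it to the interface that terminates the SSL VPN ("outside" is an assumption).
ssl trust-point ASDM_TrustPoint0 outside
!
! Verify the subject, serial and key before saving.
show crypto ca certificates ASDM_TrustPoint0
show crypto key mypubkey rsa
write memory

! ---- Option B: clone the original certificate and its private key ----
! On the ORIGINAL ASA. The passphrase is an assumption; the output is a
! base64 PKCS12 bundle that contains the private key, so treat it as a secret.
crypto ca export ASDM_TrustPoint0 pkcs12 Sp4re-P@ss
!
! On the SPARE ASA: paste the base64 text from the export, end with "quit".
crypto ca import ASDM_TrustPoint0 pkcs12 Sp4re-P@ss
ssl trust-point ASDM_TrustPoint0 outside
show crypto ca certificates ASDM_TrustPoint0
write memory
```

With option B the serial shown by show crypto ca certificates on the spare should match the c4999f4f label in the original config; with option A it will be a new value. Either way the CN stays GS2-NT-FIR-01 as in the question, so clients that reach the spare under a different hostname will also see a name mismatch in addition to the self-signed warning.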

There are also hidden files for things like bookmarks and so on. These are not that easy to back up by hand... Don't forget them if you use them.
