Will zeroizing and regenerating the <Default-RSA-Key> affect any other general purpose keys on my ASA 5545x?

I have an ASA 5545x that is a production device for receiving all AnyConnect VPN traffic for our organization. We purchased and installed a Comodo certificate to create the trust level necessary for our employees to connect. I'm attempting to enable SSH on the device for management purposes, but the current <Default-RSA-Key> does not allow me to initiate a valid SSH session. I have encountered this issue on other ASAs within our organization, and it hasn't been an issue to simply zeroize the current key and regenerate it to restore the ability to SSH to the devices. Where the snag comes in is that this 5545x is the only ASA that has a key installed that wasn't self-signed. With that in mind, I have a few questions about whether third-party-signed keys are dependent on the self-signed keys on the device. I intend to zeroize both the <Default-RSA-Key> and the <Default-RSA-Key>.server certificates if they will not affect my VPN-associated Comodo key.

Does the Comodo key depend on other keys existing on the ASA?

Am I free to zeroize only the <Default-RSA-Key> without affecting the VPN associated Comodo key?

Here is the result of the command "show crypto key mypubkey rsa":

Key pair was generated at: 12:02:29 CDT Aug 19 2014
Key name: <Default-RSA-Key>
 Usage: General Purpose Key
 Modulus Size (bits): 1024
 Key Data:


Key pair was generated at: 10:16:52 CDT Sep 20 2012
Key name: my.comodo.key
 Usage: General Purpose Key
 Modulus Size (bits): 2048
 Key Data:


Key pair was generated at: 01:35:42 CDT Jul 30 2014
Key name: <Default-RSA-Key>.server
 Usage: Encryption Key
 Modulus Size (bits): 768
 Key Data:


Thank you to any and all that assist me in understanding how the ASA handles certificate keys.

As long as the Comodo-signed certificate is bound to the my.comodo.key private key (i.e. you used that key when generating the certificate signing request), you should be fine to zeroize the Default-RSA-Key. The latter should ideally only be used for SSH access.
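To confirm the binding described in the answer before zeroizing anything, and then replace the 1024-bit default key with a 2048-bit one, the following ASA CLI session is an added illustration and not part of the original thread. The trustpoint name Comodo-TP and the interface name outside are assumptions; the key labels are the ones shown in the question.

```text
! 1. Check which key pair the certificate's trustpoint references.
!    "keypair my.comodo.key" means the Comodo certificate is tied to that
!    key pair and not to <Default-RSA-Key>.
asa# show running-config crypto ca trustpoint
crypto ca trustpoint Comodo-TP          ! trustpoint name assumed
 enrollment terminal
 keypair my.comodo.key

! 2. Check which trustpoint AnyConnect presents on the VPN interface.
asa# show running-config ssl
ssl trust-point Comodo-TP outside       ! interface name assumed

! 3. Only after both checks point at my.comodo.key, zeroize the default key
!    (used by SSH, not by the VPN certificate) and regenerate it at 2048 bits
!    instead of the 1024-bit key listed in the question. SSH clients that
!    cached the old host key will warn about a changed fingerprint.
asa# configure terminal
asa(config)# crypto key zeroize rsa label <Default-RSA-Key>
asa(config)# crypto key generate rsa label <Default-RSA-Key> modulus 2048
asa(config)# write memory

! 4. Verify: my.comodo.key is unchanged and <Default-RSA-Key> is now 2048-bit.
asa# show crypto key mypubkey rsa
```

If step 1 shows the trustpoint referencing <Default-RSA-Key> instead, zeroizing it would invalidate the certificate, so stop and re-enroll with a dedicated key pair first.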