09-08-2014 07:03 AM
I have an ASA 5545x that is a production device for receiving all AnyConnect VPN traffic for our organization. We purchased and installed a Comodo certificate to create the trust level necessary for our employees to connect. I'm attempting to enable SSH on the device for management purposes, but the current <Default-RSA-Key> does not allow me to initiate a valid SSH session. I have encountered this issue on other ASAs within our organization, and it hasn't been an issue to simply zeroize the current key and regenerate it to restore the ability to SSH to the devices. Where the snag comes in is that this 5545x is the only ASA that has a key installed that wasn't self signed. With that in mind, I have a few questions about whether 3rd-party signed keys are dependent on the self-signed keys on the device. I intend to zeroize both the <Default-RSA-Key> and the <Default-RSA-Key>.server certificates if they will not affect my VPN-associated Comodo key.
Does the Comodo key depend on other keys existing on the ASA?
Am I free to zeroize only the <Default-RSA-Key> without affecting the VPN associated Comodo key?
Here is the result of the command "show crypto key mypubkey rsa":
Key pair was generated at: 12:02:29 CDT Aug 19 2014
Key name: <Default-RSA-Key>
Usage: General Purpose Key
Modulus Size (bits): 1024
Key Data:
<Redacted>
Key pair was generated at: 10:16:52 CDT Sep 20 2012
Key name: my.comodo.key
Usage: General Purpose Key
Modulus Size (bits): 2048
Key Data:
<Redacted>
Key pair was generated at: 01:35:42 CDT Jul 30 2014
Key name: <Default-RSA-Key>.server
Usage: Encryption Key
Modulus Size (bits): 768
Key Data:
<Redacted>
Thank you to any and all that assist me in understanding how the ASA handles certificate keys.
09-08-2014 10:59 AM
As long as the Comodo-signed certificate is bound to the my.comodo.key private key (i.e., you used that key when generating the certificate signing request), you should be fine to zeroize the Default-RSA-Key. The latter should ideally only be used for SSH access.
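The check the answer describes (confirm which key pair each trustpoint is bound to before zeroizing anything) can be done from two ASA commands: "show running-config crypto ca trustpoint" lists the keypair label under each trustpoint, and "show crypto key mypubkey rsa" lists the key pairs present. The script below is an added example, not code from the thread or from Cisco; it parses constructed sample output of those two commands (the trustpoint names COMODO-TP and ASDM_TrustPoint0, the FQDN and the subject names are made up) and reports which labels can be zeroized without orphaning a trustpoint. It assumes, as a reading of ASA behaviour, that a trustpoint with no keypair line is using the default key pair <Default-RSA-Key>.

```python
import re

# Constructed sample of "show running-config crypto ca trustpoint" output.
# Names, FQDN and subjects are invented for the example; not the poster's config.
SAMPLE_TRUSTPOINT_CONFIG = """\
crypto ca trustpoint COMODO-TP
 enrollment terminal
 fqdn vpn.example.com
 subject-name CN=vpn.example.com,O=Example Org
 keypair my.comodo.key
 crl configure
crypto ca trustpoint ASDM_TrustPoint0
 enrollment self
 subject-name CN=asa5545x
 crl configure
"""

# Constructed sample of "show crypto key mypubkey rsa" output, key data elided
# as in the post. Labels and sizes mirror the poster's listing.
SAMPLE_KEY_OUTPUT = """\
Key pair was generated at: 12:02:29 CDT Aug 19 2014
Key name: <Default-RSA-Key>
 Usage: General Purpose Key
 Modulus Size (bits): 1024
 Key Data:
  <Redacted>
Key pair was generated at: 10:16:52 CDT Sep 20 2012
Key name: my.comodo.key
 Usage: General Purpose Key
 Modulus Size (bits): 2048
 Key Data:
  <Redacted>
Key pair was generated at: 01:35:42 CDT Jul 30 2014
Key name: <Default-RSA-Key>.server
 Usage: Encryption Key
 Modulus Size (bits): 768
 Key Data:
  <Redacted>
"""

DEFAULT_KEY_LABEL = "<Default-RSA-Key>"
MIN_MODULUS_BITS = 2048  # anything smaller is worth regenerating anyway


def parse_keys(show_output):
    """Return {label: modulus_bits} from 'show crypto key mypubkey rsa' text."""
    keys = {}
    current = None
    for line in show_output.splitlines():
        m = re.match(r"\s*Key name:\s*(\S+)", line)
        if m:
            current = m.group(1)
            keys[current] = None
            continue
        m = re.match(r"\s*Modulus Size \(bits\):\s*(\d+)", line)
        if m and current:
            keys[current] = int(m.group(1))
    return keys


def parse_trustpoints(config):
    """Return {trustpoint: keypair_label} from the trustpoint config.

    Assumption: a trustpoint with no 'keypair' line is bound to the default
    RSA key pair, so it is recorded under DEFAULT_KEY_LABEL.
    """
    tps = {}
    current = None
    for line in config.splitlines():
        m = re.match(r"crypto ca trustpoint (\S+)", line)
        if m:
            current = m.group(1)
            tps[current] = DEFAULT_KEY_LABEL
            continue
        m = re.match(r"\s+keypair (\S+)", line)
        if m and current:
            tps[current] = m.group(1)
    return tps


def plan_zeroize(keys, trustpoints, candidates):
    """For each candidate label, list the trustpoints that would lose their key."""
    in_use = {}
    for tp, label in trustpoints.items():
        in_use.setdefault(label, []).append(tp)
    return {
        label: {
            "exists": label in keys,
            "bits": keys.get(label),
            "weak": keys.get(label) is not None and keys[label] < MIN_MODULUS_BITS,
            "blocking_trustpoints": in_use.get(label, []),
        }
        for label in candidates
    }


def safe_to_zeroize(plan):
    """Labels that exist on the box and are referenced by no trustpoint."""
    return [l for l, p in plan.items() if p["exists"] and not p["blocking_trustpoints"]]


if __name__ == "__main__":
    keys = parse_keys(SAMPLE_KEY_OUTPUT)
    tps = parse_trustpoints(SAMPLE_TRUSTPOINT_CONFIG)
    plan = plan_zeroize(keys, tps, list(keys))
    for label, p in plan.items():
        state = "SAFE" if not p["blocking_trustpoints"] else "IN USE by " + ", ".join(p["blocking_trustpoints"])
        print(f"{label:28} {p['bits']:>5} bits  weak={p['weak']}  {state}")
```

In the constructed sample the VPN trustpoint is bound to my.comodo.key, so that label is the one to leave alone; <Default-RSA-Key>.server is referenced by nothing, and <Default-RSA-Key> is held by the self-signed ASDM trustpoint, which is exactly the kind of dependency worth knowing about before running "crypto key zeroize rsa label ..." on a production box. Run the real "show" outputs through the two parsers rather than the samples to get the answer for your own device.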