Export and import the trustpoint

Posted on March 16, 2012

To test something in a lab with another firewall, or to migrate a whole VPN together with its certificate to another ASA firewall, we can move the firewall's certificate to another ASA. Doing this so easily on a Checkpoint firewall will always be just a dream…

The exported data holds the following:
– private key
– public key (RSA key)
– certificates (CA certificates as well, need to test)

myfirewall01/act/pri(config)# crypto ca export mytrustpoint1 pkcs12 mypassword123
Exported pkcs12 follows:
-----BEGIN PKCS12-----
MIIMlwIBAzCCDFEGCSqGSIb3DQEHAaCCDEIEggw+MIIMOjCCDDYGCSqGAab3DQEH


MAkGBSsOAwIaBQAEFJ03htn2lF5i8Xw8kXSMWepTflePBBRykjcWlBrSumQneOpl
9ULtbTmhugICBAA=
-----END PKCS12-----
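
Before the trustpoint is removed from the source firewall, the captured export can be checked offline to confirm it is complete and that the passphrase opens it. The script below is an added example, not part of the original post; it assumes a workstation with the OpenSSL CLI, the export saved to a text file, and the passphrase supplied in an environment variable named P12_PASS (a hypothetical name).

```shell
#!/bin/sh
# Added example (not from the original post): offline sanity check of an
# ASA "crypto ca export <trustpoint> pkcs12 <passphrase>" capture.
# Assumptions: OpenSSL CLI is installed; the passphrase is supplied in the
# environment variable P12_PASS (hypothetical name) so it never appears in argv.

# asa_p12_to_der CAPTURE_FILE DER_FILE
# Drop the BEGIN/END armor and blank lines, strip terminal CRs, base64-decode.
asa_p12_to_der() {
    grep -v -e '^-----' -e '^[[:space:]]*$' "$1" | tr -d ' \r' |
        openssl base64 -d -out "$2"
}

# asa_p12_check CAPTURE_FILE
# Exit status 0 only if the bundle decodes, decrypts with $P12_PASS, and its
# private key matches the public key in the identity certificate.
asa_p12_check() {
    der=$(mktemp) || return 2
    asa_p12_to_der "$1" "$der" || { rm -f "$der"; return 2; }
    cert_pub=$(openssl pkcs12 -in "$der" -passin env:P12_PASS -nokeys -clcerts \
        2>/dev/null | openssl x509 -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkcs12 -in "$der" -passin env:P12_PASS -nocerts -nodes \
        2>/dev/null | openssl pkey -pubout 2>/dev/null)
    rm -f "$der"
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# make_constructed_capture DIR
# Build a throwaway key, self-signed certificate and PKCS#12 bundle, wrapped
# in the same armor the ASA prints. Constructed test data, not a real export.
make_constructed_capture() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj '/CN=constructed.example' \
        -keyout "$1/key.pem" -out "$1/cert.pem" >/dev/null 2>&1 || return 1
    openssl pkcs12 -export -inkey "$1/key.pem" -in "$1/cert.pem" \
        -passout env:P12_PASS -out "$1/bundle.p12" || return 1
    {
        echo '-----BEGIN PKCS12-----'
        openssl base64 -in "$1/bundle.p12"
        echo '-----END PKCS12-----'
    } > "$1/capture.txt"
}
```

A capture that was cut off in the terminal scrollback or saved with the wrong passphrase makes `asa_p12_check` return non-zero. On OpenSSL 3.x, bundles protected with older algorithms may need `-legacy` added to the `openssl pkcs12` calls.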

What happens if we delete the trustpoint now that we have exported it? Let’s test it:

myfirewall01/act/pri(config)# no crypto ca trustpoint mytrustpoint1
WARNING: Removing an enrolled trustpoint will destroy all
certificates received from the related Certificate Authority.
Are you sure you want to do this? [yes/no]: yes
INFO: Be sure to ask the CA administrator to revoke your certificates.
myfirewall01/act/pri(config)#

Import it on the other firewall:

First we create a bare trustpoint that will contain the imported trustpoint:

myfirewall02/act/pri(config)# crypto ca trustpoint mytrustpoint1
myfirewall02/act/pri(config-ca-trustpoint)# exit

And import the trustpoint in the new firewall:

myfirewall02/act/pri(config)# crypto ca import mytrustpoint1 pkcs12 mypassword123

Enter the base 64 encoded pkcs12.
End with the word "quit" on a line by itself:
-----BEGIN PKCS12-----
MIIMlwIBAzCCDFEGCSqGSIb3DQEHAaCCDEIEggw+MIIMOjCCDDYGCSqGAab3DQEH


MAkGBSsOAwIaBQAEFJ03htn2lF5i8Xw8kXSMWepTflePBBRykjcWlBrSumQneOpl
9ULtbTmhugICBAA=
-----END PKCS12-----
quit
WARNING: Identical public key already exists as ms_cert_key
INFO: Import PKCS12 operation completed successfully
myfirewall02/act/pri(config)#

Let’s check what changed in the config:

myfirewall02/act/pri(config)# show run crypto ca trustpoint mytrustpoint1
crypto ca trustpoint mytrustpoint1
keypair ms_cert_key
crl configure
myfirewall02/act/pri(config)#

The RSA keypair is updated under the trustpoint.

That’s it.

Posted in: ASA, Cisco, Security, VPN