To test something in a lab with another firewall, or to migrate a whole certificate-based VPN to another ASA firewall, we can export the firewall's certificate (with its private key) and import it on the other one. Doing this so easily on a Checkpoint firewall will always be just a dream…
The exported PKCS12 data holds the following:
– private key
– public key (RSA key)
– certificates (CA certificates as well; need to test)
myfirewall01/act/pri(config)# crypto ca export mytrustpoint1 pkcs12 mypassword123
Exported pkcs12 follows:
-----BEGIN PKCS12-----
MIIMlwIBAzCCDFEGCSqGSIb3DQEHAaCCDEIEggw+MIIMOjCCDDYGCSqGAab3DQEH
…
…
MAkGBSsOAwIaBQAEFJ03htn2lF5i8Xw8kXSMWepTflePBBRykjcWlBrSumQneOpl
9ULtbTmhugICBAA=
-----END PKCS12-----
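Before pasting an export like the one above into a second firewall it is worth checking, on a workstation, that the blob really opens with the password and that it carries the private key, the identity certificate and the CA chain (the point marked "need to test" above). The script below is an added example and not part of the original post: it builds a throwaway CA and firewall identity with openssl, packs them into a password-protected PKCS12 the way the ASA export is packed, and then inspects the bundle with small shell functions. Every name, path and the password are constructed test values; the functions work the same on a real export once its base64 body is saved to a file.

```shell
#!/bin/sh
# Added example (not from the original post or from Cisco): build a test
# PKCS12 and verify its contents before importing it on another firewall.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
PASS="mypassword123"          # constructed test password, as in the post

# Throwaway CA (self-signed) and a firewall identity certificate signed by it.
openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/ca.key" \
  -out "$WORK/ca.crt" -days 30 -subj "/CN=Lab Test CA" 2>/dev/null
openssl req -newkey rsa:2048 -nodes -keyout "$WORK/fw.key" \
  -out "$WORK/fw.csr" -subj "/CN=myfirewall01" 2>/dev/null
openssl x509 -req -in "$WORK/fw.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
  -CAcreateserial -out "$WORK/fw.crt" -days 30 2>/dev/null

# Bundle private key + identity cert + CA cert into one PKCS12 blob, the same
# three kinds of objects an ASA "crypto ca export ... pkcs12" emits.
openssl pkcs12 -export -inkey "$WORK/fw.key" -in "$WORK/fw.crt" \
  -certfile "$WORK/ca.crt" -passout "pass:$PASS" -out "$WORK/fw.p12"

# pkcs12_opens FILE PASSWORD
# Succeeds only when PASSWORD decrypts the bundle and its MAC verifies.
pkcs12_opens() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -noout 2>/dev/null
}

# pkcs12_inventory FILE PASSWORD
# Prints "<private keys> <identity certs> <CA certs>" found in the bundle.
# Identity certs are the ones tied to the key (localKeyID), CA certs the rest.
pkcs12_inventory() {
  keys=$(openssl pkcs12 -in "$1" -passin "pass:$2" -passout "pass:$2" -nocerts \
           2>/dev/null | grep -c 'BEGIN .*PRIVATE KEY' || true)
  ids=$(openssl pkcs12 -in "$1" -passin "pass:$2" -clcerts -nokeys 2>/dev/null \
          | grep -c 'BEGIN CERTIFICATE' || true)
  cas=$(openssl pkcs12 -in "$1" -passin "pass:$2" -cacerts -nokeys 2>/dev/null \
          | grep -c 'BEGIN CERTIFICATE' || true)
  printf '%s %s %s\n' "$keys" "$ids" "$cas"
}

# pkcs12_key_matches_cert FILE PASSWORD
# Succeeds when the bundled private key belongs to the bundled identity cert
# (compares the public key derived from the key with the one in the cert).
pkcs12_key_matches_cert() {
  kpub=$(openssl pkcs12 -in "$1" -passin "pass:$2" -passout "pass:$2" -nocerts \
           2>/dev/null | openssl pkey -passin "pass:$2" -pubout 2>/dev/null)
  cpub=$(openssl pkcs12 -in "$1" -passin "pass:$2" -clcerts -nokeys 2>/dev/null \
           | openssl x509 -pubkey -noout 2>/dev/null)
  [ -n "$kpub" ] && [ "$kpub" = "$cpub" ]
}

echo "inventory (keys ids cas): $(pkcs12_inventory "$WORK/fw.p12" "$PASS")"
if pkcs12_key_matches_cert "$WORK/fw.p12" "$PASS"; then
  echo "private key matches identity certificate"
fi
```

To run the checks against a real export, copy the lines between the BEGIN and END markers into a text file and decode them with `openssl base64 -d -in blob.txt -out fw.p12`. ASA exports have traditionally used the older PBE algorithms, so on OpenSSL 3.x `openssl pkcs12` may need the `-legacy` option before it can read them.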
What if we delete the trustpoint now that we have exported it? Let's test it:
myfirewall01/act/pri(config)# no crypto ca trustpoint mytrustpoint1
WARNING: Removing an enrolled trustpoint will destroy all certificates received from the related Certificate Authority.
Are you sure you want to do this? [yes/no]: yes
INFO: Be sure to ask the CA administrator to revoke your certificates.
myfirewall01/act/pri(config)#
Import it to the other firewall:
First we create an empty trustpoint that will hold the imported key and certificates:
myfirewall02/act/pri(config)# crypto ca trustpoint mytrustpoint1
myfirewall02/act/pri(config-ca-trustpoint)# exit
And import the PKCS12 into the trustpoint on the new firewall:
myfirewall02/act/pri(config)# crypto ca import mytrustpoint1 pkcs12 mypassword123
Enter the base 64 encoded pkcs12.
Let's check what changed in the config:
myfirewall02/act/pri(config)# show run crypto ca trustpoint mytrustpoint1
crypto ca trustpoint mytrustpoint1
 keypair ms_cert_key
 crl configure
myfirewall02/act/pri(config)#
The imported RSA keypair (ms_cert_key) is now referenced under the trustpoint.
That’s it.
Posted on March 16, 2012