Certificate Backup and Installation - Trustpoints


Feb 9, 2011 3:05 AM
Oct 17th, 2010

IOS and ASA use the same trustpoint model for storing certificates in the configuration.  A trustpoint just a container in which certificates are stored.  A trust point can hold up to two certificates.

  1. An identity certificate (a certificate that the router owns the corresponding private key)
  2. A certificate authority certificate (a certificate that is signed by  another party.  The router doesn't own the matching private key)

Once a certificate has been generated and installed into a device it is possible to export the whole certificate chain and private key pair for storage in a secure location.  It is important to backup up identity certificates in case of device failure.  In a case where you have control over the certificate authority it is trivial to issue another certificate but in cases where there are financial costs (i.e. a certificate issued from Verisign, Thawte, GoDaddy, etc) to reissue another certificate it may be beneficial to import the backed up certificate into the new device.

To backup a certificate via the command line do the following, where TrustPoint1 is the trust point name and cisco123 is the password used to encrypt the output:

--On ASA--

config t

ciscoASA(config)# crypto ca export TrustPoint1 pkcs12 cisco123

--On Router--

config t

ciscoIOS(config)# crypto pki export TrustPoint1 pkcs12 terminal cisco123

This will output a long text string.  That is a base64 encoded pkcs12.  A pkcs12 is a standardized container that carries the identity certificate, it's matching private key, and all the remaining certificates within the chain.  Below is an example of the output you should see

Exported pkcs12 follows:
-----BEGIN PKCS12-----





-----END PKCS12-----

To import the certificate into the router/asa the process is reversed.

--On router--

config t

ciscoIOS(config)#crypto pki import TrustPoint2 pkcs12 terminal cisco123

<paste in the base64 encoded pkcs12>


--On ASA--

config t

ciscoASA(config)# crypto ca import TrustPoint2 pkcs12 cisco123

<paste in the base64 encoded pkcs12>


You can verify the installation by issuing the command "show crypto ca certificates"


RSA keys are stored in the flash in a hidden partition that can not be accessed. On IOS at time of RSA key generation the exportable keyword must be specified.  Otherwise the router will be unable to export the key, making the pkcs12 export fail.  ASA RSA keys are always exportable and do not have this limitation.

Overall Rating: 5 (4 ratings)


Login or Register to take actions

This Document

Posted October 17, 2010 at 7:20 AM
Updated February 9, 2011 at 3:05 AM
Comments:0 Overall Rating:5
Views:20698 Contributors:0

Related Content