
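How to Back Up and Restore the ASA LOCAL CA Server

Backup procedure

(1) Save the LOCAL CA server configuration from the source ASA. (Keeping a copy of the show run output is sufficient.)

     The contents depend on your configuration, but this is roughly the part that is used later.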

==================================================

crypto ca server 
 keysize server 1024
 issuer-name CN=asa-ca,OU=tac,O=cisco
 smtp from-address miarai@asa.local
 publish-crl inside 80
 publish-crl outside 80

==================================================

(2) Export the trustpoint LOCAL-CA-SERVER and save the output.

==================================================

ciscoasa-1(config)# crypto ca export LOCAL-CA-SERVER pkcs12 cisco

Exported pkcs12 follows:

-----BEGIN PKCS12-----

-----END PKCS12-----

ciscoasa-1(config)#

==================================================

(3) Back up the entire contents of LOCAL-CA-SERVER/, the database folder of the LOCAL CA server.

It is a good idea to take this backup periodically.

==================================================

ciscoasa-1# show flash
--#--  --length--  -----date/time------  path
   94  15962112    Jun 07 2011 06:23:52  asa832-k8.bin
    3  2048        Mar 14 2011 06:13:06  log
   12  2048        Mar 14 2011 06:13:20  crypto_archive
   96  2812        Jun 07 2011 06:26:10  8_2_4_0_startup_cfg.sav
   13  2048        Mar 14 2011 06:13:26  coredumpinfo
   14  43          Mar 14 2011 06:13:26  coredumpinfo/coredump.cfg
   97  1138        Mar 14 2011 06:13:26  upgrade_startup_errors_201103140613.log
   98  6106        Apr 01 2011 01:58:14  conf.conf
   99  15261696    Apr 18 2011 10:34:42  asa824-k8.bin
  100  3047        Apr 19 2011 03:59:34  20110419-NEM.conf
  101  1138        Jun 07 2011 06:26:12  upgrade_startup_errors_201106070626.log
  102  260         Jun 20 2011 02:48:42  upgrade_startup_errors_201106200248.log
  103  13934592    Nov 11 2011 04:12:46  asa805-k8.bin
  107  16280544    Nov 24 2011 10:08:36  asdm-645.bin
  108  2048        Nov 24 2011 11:08:21  LOCAL-CA-SERVER
  117  32          Nov 24 2011 10:13:48  LOCAL-CA-SERVER/LOCAL-CA-SERVER.ser
  119  229         Nov 24 2011 10:13:48  LOCAL-CA-SERVER/LOCAL-CA-SERVER.cdb
  120  166         Nov 24 2011 11:08:21  LOCAL-CA-SERVER/LOCAL-CA-SERVER.udb
  115  230         Nov 24 2011 10:11:22  LOCAL-CA-SERVER/LOCAL-CA-SERVER.crl
  116  1587        Nov 24 2011 10:11:22  LOCAL-CA-SERVER/LOCAL-CA-SERVER.p12
  118  2213        Nov 24 2011 10:13:48  LOCAL-CA-SERVER/user-01.p12
127004672 bytes total (65228800 bytes free)
ciscoasa-1#

==================================================

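These are the files highlighted in red (the entries under LOCAL-CA-SERVER/). Back them up with the copy command.

Restore procedure

(1) Copy the LOCAL CA configuration saved in backup step (1) to the ASA you are restoring to.

(2) Import the LOCAL CA server certificate saved in backup step (2).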

==================================================

ciscoasa-1(config)# crypto ca import LOCAL-CA-SERVER pkcs12 ?

configure mode commands/options:

  WORD  Passphrase used to protect the pkcs12 data

ciscoasa-1(config)# crypto ca import LOCAL-CA-SERVER pkcs12 cisco

Enter the base 64 encoded pkcs12.

End with the word "quit" on a line by itself:

-----BEGIN PKCS12-----

-----END PKCS12-----

quit

INFO: Import PKCS12 operation completed successfully

ciscoasa-1(config)#

==================================================

(3) Copy the LOCAL-CA-SERVER/ contents saved in backup step (3) into LOCAL-CA-SERVER on the ASA you are restoring to.

(4) Enable LOCAL-CA-SERVER with no shut.

ciscoasa-1(config-ca-server)# no shut

INFO: Certificate server is being enabled.

ciscoasa-1(config-ca-server)#
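
Added example (not part of the original post and not Cisco tooling): a Python helper that reads `show flash` output in the format shown in backup step (3), lists the files under LOCAL-CA-SERVER/, builds one `copy` command per file, and compares a second listing taken on the restore target after restore step (3). The sample listing is shortened from this page; the TFTP destination `192.0.2.10` and the function names are assumptions.

```python
import re

# Constructed sample: shortened `show flash` output in the format shown on this page.
SAMPLE = """\
--#--  --length--  -----date/time------  path
   94  15962112    Jun 07 2011 06:23:52  asa832-k8.bin
  108  2048        Nov 24 2011 11:08:21  LOCAL-CA-SERVER
  117  32          Nov 24 2011 10:13:48  LOCAL-CA-SERVER/LOCAL-CA-SERVER.ser
  119  229         Nov 24 2011 10:13:48  LOCAL-CA-SERVER/LOCAL-CA-SERVER.cdb
  120  166         Nov 24 2011 11:08:21  LOCAL-CA-SERVER/LOCAL-CA-SERVER.udb
  115  230         Nov 24 2011 10:11:22  LOCAL-CA-SERVER/LOCAL-CA-SERVER.crl
  116  1587        Nov 24 2011 10:11:22  LOCAL-CA-SERVER/LOCAL-CA-SERVER.p12
  118  2213        Nov 24 2011 10:13:48  LOCAL-CA-SERVER/user-01.p12
127004672 bytes total (65228800 bytes free)
"""

CA_DIR = "LOCAL-CA-SERVER/"
# Columns: index, length, "Mon DD YYYY HH:MM:SS", path
ROW = re.compile(r"^\s*\d+\s+(\d+)\s+\w{3} \d{2} \d{4} [\d:]{8}\s+(\S+)\s*$")

def ca_files(show_flash: str) -> dict:
    """Return {path: length} for every file inside LOCAL-CA-SERVER/."""
    files = {}
    for line in show_flash.splitlines():
        m = ROW.match(line)
        if m and m.group(2).startswith(CA_DIR):  # skips the directory entry itself
            files[m.group(2)] = int(m.group(1))
    return files

def copy_commands(files: dict, dest: str) -> list:
    """One ASA `copy` line per file; dest is a URL prefix ending in '/'."""
    return [f"copy flash:/{p} {dest}{p.split('/', 1)[1]}" for p in sorted(files)]

def restore_gaps(source: dict, target: dict) -> list:
    """Source files that are absent, or differ in length, on the restore target."""
    return sorted(p for p, n in source.items() if target.get(p) != n)

if __name__ == "__main__":
    src = ca_files(SAMPLE)
    # Placeholder destination. TFTP is cleartext and the .p12 files are
    # PKCS#12 key stores, so use a transfer path you trust.
    print("\n".join(copy_commands(src, "tftp://192.0.2.10/asa-ca/")))
    # Simulated target listing with one file not yet copied back.
    tgt = {p: n for p, n in src.items() if not p.endswith("user-01.p12")}
    print("not restored:", restore_gaps(src, tgt))
```

Run the comparison before issuing no shut on the restore target, so the listing reflects only what was copied.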

Version history: revision 1/1, last updated 11-24-2011 08:48 PM