Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
527
Views
5
Helpful
4
Replies

certificate update

Go to solution
Network Pro
Level 1
Level 1

‎09-12-2013 08:28 AM - edited ‎03-11-2019 07:37 PM

hi,

i have a cisco 5500 ASA running on 1024 bit certificate. Now i need to update to 2048. how do i go about doing this ? do i remove the exisiting certificate and then add the new one or can i simply update with the exisiting one ?

if anyone has a link with step by step instructions please post

Thanks                  

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Julio Carvajal
VIP Alumni
VIP Alumni

‎09-12-2013 09:22 AM

Hello,

ciscoasa(config)# sh crypto ca certificates

Certificate

  Status: Available

  Certificate Serial Number: 87f73152

  Certificate Usage: General Purpose

  Public Key Type: RSA (1024 bits)

  Signature Algorithm: SHA1 with RSA Encryption

  Issuer Name:

    serialNumber=123456789AB+hostname=ciscoasa

  Subject Name:

    serialNumber=123456789AB+hostname=ciscoasa

  Validity Date:

    start date: 17:19:34 UTC Sep 12 2013

    end   date: 17:19:34 UTC Sep 10 2023

  Associated Trustpoints: test

So I will create a new crypto-key

ciscoasa(config)# crypto key generate rsa label Jcarvaja modulus 2048

INFO: The name for the keys will be: Jcarvaja

Keypair generation process begin. Please wait...

ciscoasa(config)#

ciscoasa(config)# sh crypto key mypubkey rsa

Key pair was generated at: 17:18:56 UTC Sep 12 2013

Key name:

Usage: General Purpose Key

Modulus Size (bits): 1024

Key Data:

  30819f30 0d06092a 864886f7 0d010101 05000381 8d003081 89028181 00a534df

  1b982cf7 eeca1dd7 7c6e60d8 da8a68df b5df8e07 a18c29c2 2ec277af 0a0363e8

  35261ceb 6998cbdf c50950bd baaa22ff 5a695555 34095a5d 5a3c6fa4 ec6e6b9b

  0984f847 4fab0b08 dc4f7bb7 2049a590 9651a50a 32f1c952 684e234d e60c6e4c

  e8b8fad6 e4a0aa21 787b37ad 40e6470d 742c80bc 9b317d4c 1c514a42 d7020301 0001

Key pair was generated at: 17:21:14 UTC Sep 12 2013

Key name: Jcarvaja

Usage: General Purpose Key

Modulus Size (bits): 2048

Key Data:

  30820122 300d0609 2a864886 f70d0101 01050003 82010f00 3082010a 02820101

  00f7abfc 0220f7f2 388f6ed8 77566e3d 88a0c62e da191353 194e6ef1 d01adfe5

  d3450563 92ff0182 34589c8e 2e3f4354 a8ecfd46 a7ae5a81 e3da135e 5877a8ff

  36f67049 ce888256 9a69a3d5 2b26b00e 02bf48e5 2b7e1342 f1aa5e5b 30e148f2

  c9543619 53c9c1da 476cf61c 5783a4ff e961fcaa 6c1c2b97 85a7b6fc 7ceee876

  bc733a7f 26581e5a f6936bc7 62c69ba0 f91261d4 a6da281b f29da920 3417cd28

  4d229274 ff4ebaa2 729248eb 67060228 622506ef 72ec7486 414db626 5f6f1b5b

  0645fdfa c05e5b60 79f7bcfb f645d069 475846c6 3a2c1b4c 63c0559e 8165792d

  8da4ff8f cd1c4c06 9569f448 538a6ce4 73bf6273 23ccbe3d f0b273ca 4a7bd293

  c7020301 0001

Now, let's set it into the certificate

ciscoasa(config)# crypto ca trustpoint test

ciscoasa(config-ca-trustpoint)# keypair Jcarvaja

Afterwards the certificate will not be shown as we changed it, we need to enroll once.

ciscoasa# sh crypto ca certificates

ciscoasa#

ciscoasa(config)# crypto ca enroll test noconfirm

% The fully-qualified domain name in the certificate will be: ciscoasa

ciscoasa(config)# sh crypto ca certificates

Certificate

  Status: Available

  Certificate Serial Number: 88f73152

  Certificate Usage: General Purpose

  Public Key Type: RSA (2048 bits)

  Signature Algorithm: SHA1 with RSA Encryption

  Issuer Name:

    serialNumber=123456789AB+hostname=ciscoasa

  Subject Name:

    serialNumber=123456789AB+hostname=ciscoasa

  Validity Date:

    start date: 17:24:12 UTC Sep 12 2013

    end   date: 17:24:12 UTC Sep 10 2023

  Associated Trustpoints: test

That's it

For more information about Core and Security Networking follow my website at http://laguiadelnetworking.com

Any question contact me at jcarvaja@laguiadelnetworking.com

Cheers,

Julio Carvajal Segura

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

View solution in original post

4 Replies 4

Go to solution
Julio Carvajal
VIP Alumni
VIP Alumni

‎09-12-2013 09:22 AM

Hello,

ciscoasa(config)# sh crypto ca certificates

Certificate

  Status: Available

  Certificate Serial Number: 87f73152

  Certificate Usage: General Purpose

  Public Key Type: RSA (1024 bits)

  Signature Algorithm: SHA1 with RSA Encryption

  Issuer Name:

    serialNumber=123456789AB+hostname=ciscoasa

  Subject Name:

    serialNumber=123456789AB+hostname=ciscoasa

  Validity Date:

    start date: 17:19:34 UTC Sep 12 2013

    end   date: 17:19:34 UTC Sep 10 2023

  Associated Trustpoints: test

So I will create a new crypto-key

ciscoasa(config)# crypto key generate rsa label Jcarvaja modulus 2048

INFO: The name for the keys will be: Jcarvaja

Keypair generation process begin. Please wait...

ciscoasa(config)#

ciscoasa(config)# sh crypto key mypubkey rsa

Key pair was generated at: 17:18:56 UTC Sep 12 2013

Key name:

Usage: General Purpose Key

Modulus Size (bits): 1024

Key Data:

  30819f30 0d06092a 864886f7 0d010101 05000381 8d003081 89028181 00a534df

  1b982cf7 eeca1dd7 7c6e60d8 da8a68df b5df8e07 a18c29c2 2ec277af 0a0363e8

  35261ceb 6998cbdf c50950bd baaa22ff 5a695555 34095a5d 5a3c6fa4 ec6e6b9b

  0984f847 4fab0b08 dc4f7bb7 2049a590 9651a50a 32f1c952 684e234d e60c6e4c

  e8b8fad6 e4a0aa21 787b37ad 40e6470d 742c80bc 9b317d4c 1c514a42 d7020301 0001

Key pair was generated at: 17:21:14 UTC Sep 12 2013

Key name: Jcarvaja

Usage: General Purpose Key

Modulus Size (bits): 2048

Key Data:

  30820122 300d0609 2a864886 f70d0101 01050003 82010f00 3082010a 02820101

  00f7abfc 0220f7f2 388f6ed8 77566e3d 88a0c62e da191353 194e6ef1 d01adfe5

  d3450563 92ff0182 34589c8e 2e3f4354 a8ecfd46 a7ae5a81 e3da135e 5877a8ff

  36f67049 ce888256 9a69a3d5 2b26b00e 02bf48e5 2b7e1342 f1aa5e5b 30e148f2

  c9543619 53c9c1da 476cf61c 5783a4ff e961fcaa 6c1c2b97 85a7b6fc 7ceee876

  bc733a7f 26581e5a f6936bc7 62c69ba0 f91261d4 a6da281b f29da920 3417cd28

  4d229274 ff4ebaa2 729248eb 67060228 622506ef 72ec7486 414db626 5f6f1b5b

  0645fdfa c05e5b60 79f7bcfb f645d069 475846c6 3a2c1b4c 63c0559e 8165792d

  8da4ff8f cd1c4c06 9569f448 538a6ce4 73bf6273 23ccbe3d f0b273ca 4a7bd293

  c7020301 0001

Now, let's set it into the certificate

ciscoasa(config)# crypto ca trustpoint test

ciscoasa(config-ca-trustpoint)# keypair Jcarvaja

Afterwards the certificate will not be shown as we changed it, we need to enroll once.

ciscoasa# sh crypto ca certificates

ciscoasa#

ciscoasa(config)# crypto ca enroll test noconfirm

% The fully-qualified domain name in the certificate will be: ciscoasa

ciscoasa(config)# sh crypto ca certificates

Certificate

  Status: Available

  Certificate Serial Number: 88f73152

  Certificate Usage: General Purpose

  Public Key Type: RSA (2048 bits)

  Signature Algorithm: SHA1 with RSA Encryption

  Issuer Name:

    serialNumber=123456789AB+hostname=ciscoasa

  Subject Name:

    serialNumber=123456789AB+hostname=ciscoasa

  Validity Date:

    start date: 17:24:12 UTC Sep 12 2013

    end   date: 17:24:12 UTC Sep 10 2023

  Associated Trustpoints: test

That's it

For more information about Core and Security Networking follow my website at http://laguiadelnetworking.com

Any question contact me at jcarvaja@laguiadelnetworking.com

Cheers,

Julio Carvajal Segura

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Go to solution
Network Pro
Level 1
Level 1
In response to Julio Carvajal

‎09-16-2013 01:29 AM

hi,

is this simple, does it require any downtime ? so will this process replace the existing certificate ? and what is the rollback ?

Thanks

0 Helpful

Go to solution
robinsra82
Level 1
Level 1
In response to Julio Carvajal

‎10-08-2013 01:15 PM

I have the same questions that Network Pro had and I guess I would also like the answer to his questions. I assume that someone has these answers since this was last posted in March of 2011.

0 Helpful

Go to solution
Julio Carvajal
VIP Alumni
VIP Alumni
In response to robinsra82

‎10-08-2013 09:39 PM

You saw on the post that the certificate was removed after the change so you will need to set it once back with the right RSA key, Afterwards you should be up and running.

Just check the lab recreation I did above....

For more information about Core and Security Networking follow my website at http://laguiadelnetworking.com

Any question contact me at jcarvaja@laguiadelnetworking.com

Cheers,

Julio Carvajal Segura

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card