Community Member

Replacement ASA - Copying Production ASA Config to Replacement ASA

Hello all:

I'm performing an upgrade on a spare ASA5520 from 7.2(1) to 7.2(2-14). I'm trying to copy the config from an ASA that is in production and would like to replace it with the ASA I am upgrading. I am able to copy the running-config to the replacement ASA; however, the SSL certificate is giving me problems. I receive an error of: ERROR: Public key contained in the device certificate doesn't match the device's public key <Default-RSA-Key> configured for trustpoint %trustpointname%. Device certificate is not installed.

I am able to get into the CLI, but cannot access the device from the ASDM client. Any help would be very appreciated.

Cisco Employee

Re: Replacement ASA - Copying Production ASA Config to Replaceme

Delete the current keys:

ca zeroize rsa

Disable the trustpoint from your config and then create new keys.

Community Member

Re: Replacement ASA - Copying Production ASA Config to Replaceme

Hey Abinjola,

Thanks for the reply. I'm not sure how to disable the Trustpoint and how to create new keys.

Thanks!

Cisco Employee

Re: Replacement ASA - Copying Production ASA Config to Replaceme

If you have disabled the web VPN config (trustpoints from the config) and are still getting the error message, then check this:

CSCsc08926

http://www.cisco.com/cgi-bin/Support/Bugtool/home.pl

Cisco Employee

Re: Replacement ASA - Copying Production ASA Config to Replaceme

Can you please update me about this?

Community Member

Re: Replacement ASA - Copying Production ASA Config to Replaceme

Hi abinjola,

I've removed the trustpoint (no crypto trustpoint %trustpointname%); however, I'm not sure how to create new keys once I have done that. Could you provide me with the steps for disabling the trustpoint and creating new keys?

Thank you for all your help!

Cisco Employee

Re: Replacement ASA - Copying Production ASA Config to Replaceme

crypto key gen rsa modulus 1024

Community Member

Re: Replacement ASA - Copying Production ASA Config to Replaceme

Sorry for so many questions (new at this).

Steps:

1 - no crypto ca trustpoint %trustpointname% (delete trustpoint)

2 - ca zeroize rsa (remove rsa keys)

3 - crypto key gen rsa modulus 1024

Then I will need to import my SSL Cert?

Cisco Employee (Accepted Solution)

Re: Replacement ASA - Copying Production ASA Config to Replaceme

Yes, the above commands look good. First replicate the configuration to the ASA, and then import the certificate from the trustpoint.
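The error in the original question means the certificate carried over in the copied config was issued for the production unit's RSA key pair, not the replacement's own Default-RSA-Key. The following is an added example, not part of the thread and not Cisco code: a way to run the same certificate-to-key comparison offline with OpenSSL on a workstation before importing anything. The file names, the CN and the helper function names are assumptions made up for the demo, and the keys and certificate are generated on the spot as constructed sample data.

```shell
#!/bin/sh
# Added example: offline check that a certificate belongs to a given private key.
# File names and the CN are constructed for this demo; nothing here runs on the ASA.

# Print the SHA-256 of the DER SubjectPublicKeyInfo emitted by the given command.
spki_sha256() {
    pem=$("$@" 2>/dev/null) || return 1
    [ -n "$pem" ] || return 1
    printf '%s\n' "$pem" | openssl pkey -pubin -outform DER 2>/dev/null |
        openssl dgst -sha256 | awk '{print $NF}'
}

# Exit 0 if cert $1 carries the public half of key $2, 1 if not, 2 on read errors.
cert_matches_key() {
    cert_fp=$(spki_sha256 openssl x509 -in "$1" -noout -pubkey) || return 2
    key_fp=$(spki_sha256 openssl pkey -in "$2" -pubout) || return 2
    [ "$cert_fp" = "$key_fp" ]
}

# Constructed sample material: a "production" key with its certificate,
# and an unrelated "spare" key standing in for the replacement unit's key.
make_demo_files() {
    openssl genrsa -out "$1/prod.key" 2048 2>/dev/null &&
    openssl genrsa -out "$1/spare.key" 2048 2>/dev/null &&
    openssl req -new -x509 -key "$1/prod.key" -subj "/CN=asa.example.test" \
        -days 1 -out "$1/prod.crt" 2>/dev/null
}

DEMO_DIR=$(mktemp -d)
trap 'rm -rf "$DEMO_DIR"' EXIT
make_demo_files "$DEMO_DIR"
for k in prod spare; do
    if cert_matches_key "$DEMO_DIR/prod.crt" "$DEMO_DIR/$k.key"; then
        echo "$k.key: matches prod.crt"
    else
        echo "$k.key: MISMATCH (the condition the ASA error reports)"
    fi
done
```

Comparing the hash of the public key rather than the private key itself means the check needs only read access to the key file and never prints key material.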
