Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

VPN3000 with Certificate Backup

Hi there,

can somebody tell me if it´s possible to backup a vpn3000 config and its certificate/generated keys in case of hardware failure. If not i have to generate new keys, get a new certificate and tell this all my clients, routers, firewalls ? (which sounds horrible!).

Regards,

Thomas

2 REPLIES
New Member

Re: VPN3000 with Certificate Backup

Correct me if I am wrong but I think it is not possible to backup the private key generated by the failure hardware, be it VPN3000, routers or PIXes. Because it is always hidden and can`t be viewed from the menu or console. I don`t see any menu on the VPN3000, to backup its own private key. Even if you have the VPN3000`s certificate, seems like it is not possible to restore it. So, the new hardware replacing the failure one has to genereate a new private key and get a public key certified by its trusted root CA. One doesn`t need to announce this new certificate to all clients of the new hardware (routers, firewalls). If there is a need to create a VPN tunnel between the new hardware and the other side, the two VPN devices will authenticate themself using the certificates. If the peer`s certificate issued by its trusted CA, then the device will trust the certifcate (and vice-versa) and continue to the next phase of negotiation.

Regards,

Cisco Employee

Re: VPN3000 with Certificate Backup

Hello Thomas,

It is possible to manually backup the certificates with private keys from the VPN3k web-interface.

1. Log into the web-administration

2. Navigate to Administration->Certificate Management

3. Select Export for the certificate you wish to backup.

4. The VPN3k will request a password to encrypt the prifvate RSA key.

5. When you enter the password and click export the certificate and key will be saved as CERTEXP.TXT on the VPN3K flash and it will try to popup a window showing the data.  Copy this data and store it somewhere, remember the key

That exported certificate can be imported to the VPN3k Via the Certificate Management->Installation section using the Import SSL certificate with private key link.

The export/import format that the VPN3k uses is not a standard PKCS12, it is a PKCS8 encrypted private key in Base64 with the X509 certificate in base64 encoding.

I don't think the XML Export option gives you the certificates, so to have a full backup you would need both items.

I hope this helps,
Craig

407
Views
0
Helpful
2
Replies
CreatePlease login to create content