Cisco Support Community

New Member

Need help reinstalling certificate after factory reset

I have an ASA 5512-X running version 9.1(2) with ASDM version 7.1(3). I had to do a factory reset on the device, and now when I use the AnyConnect VPN wizard and try to install the certificate that was on the device prior to the reset I get: ERROR: Import PKCS12 operation failed.

The old certificate was generated by this device.

How do I reinstall the old certificate?


Thanks

Scott

1 ACCEPTED SOLUTION

Accepted Solutions
Hall of Fame Super Silver

You can, but you still need their intermediate certificate so the ASA can establish a chain of trust from the issued certificate (whether it's the originally issued or re-issued one).

10 REPLIES
Hall of Fame Super Silver

How did you extract the old certificate? You need to have both the certificate and associated RSA key - both are included when you use the method noted here:

crypto ca export [trustpoint name] pkcs12 [export password]
crypto ca import [trustpoint name] pkcs12 [password used to export]

Unless you also have a backup of the RSA key used to sign the old self-signed certificate, it will not be possible to reinstall it onto the device.

New Member

Marvin,

Thanks for the reply,

I do have a copy of the RSA key, and I have a copy of the certificate itself.

What steps would I need to take to add the certificate back to the 5512?

Thanks

Hall of Fame Super Silver

Did you do the export in pkcs12 format as noted above? That creates a combined file with both the certificate and signing key.

If so, the second step noted above is the command used to re-import the pkcs12 file.

New Member

No, I did not do the export at all. All that was done was I went into File and then Reset Device to Factory Defaults. I didn't even consider the certificate...

Hall of Fame Super Silver

As far as I know the only way to restore a self-signed certificate is via the export / import method noted above.

If you haven't done the export before blowing away the configuration, you'll need to create a new key and use it to create a new self-signed certificate. This is among the reasons why Cisco strongly encourages use of a public CA or PKI for your certificates - they're generally much more recoverable.

New Member

We bought this certificate from GoDaddy, if that helps.

Hall of Fame Super Silver

Oh. Earlier you said the certificate was generated by the device (i.e., self-signed).

If you're re-installing a GoDaddy certificate, you need to make sure you have first installed their intermediate certificate so that the ASA can link the device (identity) certificate back to the GoDaddy root CA.

Please refer to this external article.
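A pre-import check of a PKCS#12 bundle, covering Marvin's two points above: the file must contain both the identity certificate and its RSA key (the export/import commands earlier in the thread), and a CA-issued certificate needs its issuer's intermediate certificate in the chain. This is an added example, not code from the thread or from Cisco; it uses the third-party Python `cryptography` package, and the self-signed bundle it builds is constructed test data.

```python
# Added example (not from the thread): inspect a PKCS#12 blob the way an
# operator should before running `crypto ca import ... pkcs12` on an ASA.
# Requires the third-party `cryptography` package.
import datetime
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.hazmat.primitives.serialization import pkcs12


def inspect_pkcs12(data: bytes, password: bytes) -> dict:
    """Report what a PKCS#12 blob contains; raises ValueError on a wrong password."""
    key, cert, extra = pkcs12.load_key_and_certificates(data, password)
    report = {
        "has_key": key is not None,
        "has_cert": cert is not None,
        "key_matches_cert": False,
        "chain_present": False,
    }
    if key is not None and cert is not None:
        # The identity certificate is only usable if the bundled private key
        # corresponds to the public key inside the certificate.
        report["key_matches_cert"] = (
            key.public_key().public_numbers() == cert.public_key().public_numbers()
        )
        # A CA-issued certificate needs its issuer's (intermediate) certificate
        # in the bundle; a self-signed certificate is its own issuer.
        report["chain_present"] = cert.issuer == cert.subject or any(
            ca.subject == cert.issuer for ca in extra
        )
    return report


def make_self_signed_bundle(password: bytes, cn: str = "asa.example.test") -> bytes:
    """Constructed test data: a self-signed identity cert plus its key, as PKCS#12."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    now = datetime.datetime.now(datetime.timezone.utc)
    cert = (
        x509.CertificateBuilder()
        .subject_name(name).issuer_name(name).public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=365))
        .sign(key, hashes.SHA256())
    )
    return pkcs12.serialize_key_and_certificates(
        b"asa-identity", key, cert, None,
        serialization.BestAvailableEncryption(password),
    )
```

A bundle exported from a real ASA can be fed to `inspect_pkcs12` the same way; a `ValueError` there points at a wrong export passphrase, the other common cause of the import error in the thread.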

New Member

Thanks I will try that.

Sorry about the confusion, I am new to this ASA.

New Member

Could I just regenerate a request from the ASA and rekey the cert on GoDaddy?

Thanks
