I have an ASA 5512x running ver 9.1(2), ASDM ver 7.1(3). I had to do a factory reset on the device, and now when I use the AnyConnect VPN wizard and try to install the certificate that was on the device prior to the reset, I am getting ERROR:Import PKCS12 operation failed.
The old certificate was generated by this device.
How do I reinstall the old certificate?
How did you extract the old certificate? You need to have both the certificate and associated RSA key - both are included when you use the method noted here:
crypto ca export [trustpoint name] pkcs12 [export password]
crypto ca import [trust point name] pkcs12 [password used to export]
Unless you also have a backup of the RSA key used to sign the old self-signed certificate, it will not be possible to reinstall it onto the device.
Thanks for the reply,
I do have a copy of the RSA key, and I have a copy of the certificate itself.
What steps would I need to take to add the certificate back to the 5512?
Did you do the export in pkcs12 format as noted above? That creates a combined file with both the certificate and signing key.
If so, the second step noted above is the command used to re-import the pkcs12 file.
No, I did not do the export at all. All that was done was I just went into File and then Reset Device to Factory Defaults. I didn't even consider the certificate.....
As far as I know the only way to restore a self-signed certificate is via the export / import method noted above.
If you haven't done the export before blowing away the configuration, you'll need to create a new key and use it to create a new self-signed certificate. This is among the reasons why Cisco strongly encourages use of a public CA or PKI for your certificates - they're generally much more recoverable.
Oh. Earlier you said the certificate was generated by the device (i.e., self-signed).
If you're re-installing a GoDaddy certificate, you need to make sure you have first installed their intermediate certificate so that the ASA can link the device (identity) certificate back to the GoDaddy root CA.
Please refer to this external article.
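Added example, not part of the thread: the replies above turn on whether the certificate and its RSA key are both in hand and bundled together as PKCS12. This sketch checks that offline with the openssl CLI on throwaway files; the hostnames, file names and password are constructed for the demo, and nothing here talks to the ASA.

```shell
#!/usr/bin/env bash
# Added example: offline checks on a certificate, its RSA key and a PKCS12 bundle.
# All file names, hostnames and the password below are constructed for the demo.

# 0 if the private key ($1) and the certificate ($2) carry the same public key.
key_matches_cert() {
  local k c
  k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 2
  c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 2
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# Bundle key ($1) and certificate ($2) into PKCS12 file $3 with password $4,
# refusing when the two do not belong together.
make_pkcs12() {
  key_matches_cert "$1" "$2" || { echo "key does not match certificate" >&2; return 1; }
  openssl pkcs12 -export -inkey "$1" -in "$2" -out "$3" -passout "pass:$4"
}

# 0 if PKCS12 file $1 (password $2) holds both a certificate and a private key.
bundle_has_key_and_cert() {
  local certs keys
  certs=$(openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys 2>/dev/null) || return 1
  keys=$(openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes 2>/dev/null) || return 1
  case "$certs" in *"BEGIN CERTIFICATE"*) ;; *) return 1 ;; esac
  case "$keys" in *"PRIVATE KEY"*) ;; *) return 1 ;; esac
}

# Constructed sample: throwaway self-signed certificate and key for CN $2 in dir $1.
make_sample() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
    -keyout "$1/$2.key" -out "$1/$2.crt" 2>/dev/null
}

demo() {
  local d; d=$(mktemp -d)
  make_sample "$d" vpn.example.test && make_sample "$d" other.example.test
  key_matches_cert "$d/vpn.example.test.key" "$d/vpn.example.test.crt" && echo "pair: match"
  key_matches_cert "$d/other.example.test.key" "$d/vpn.example.test.crt" || echo "wrong key: mismatch"
  make_pkcs12 "$d/vpn.example.test.key" "$d/vpn.example.test.crt" "$d/vpn.p12" 'ExportPass1' &&
    bundle_has_key_and_cert "$d/vpn.p12" 'ExportPass1' && echo "bundle: certificate and key present"
  rm -rf "$d"
}
demo
```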