
Move Trustpoint from CISCO ASA 5520 to a CISCO ASA 5520

Problem

Move trustpoint from CISCO ASA 5520 to a CISCO ASA 5520
Exporting and Importing Trustpoints

Solution

To move a trustpoint from one Cisco ASA 5520 to another, perform the following steps.

You can export and import key pairs and issued certificates associated with a trustpoint configuration. The security appliance supports the PKCS12 format for the export and import of trustpoints.

This section includes the following topics:

Exporting a Trustpoint Configuration
Importing a Trustpoint Configuration

Exporting a Trustpoint Configuration

To export a trustpoint configuration with all associated keys and certificates in PKCS12 format, use the crypto ca export command. The security appliance displays the PKCS12 data in the terminal, and you can copy the data from there. The trustpoint data is password protected; however, if you save the trustpoint data in a file, be sure the file is in a secure location.

The following example exports PKCS12 data for trustpoint Main using Wh0zits as the passphrase:

hostname (config)# crypto ca export Main pkcs12 Wh0zits
Exported pkcs12 follows:
[ PKCS12 data omitted ]
---End - This line not part of the pkcs12---
hostname (config)#

Importing a Trustpoint Configuration

To import the key pairs and issued certificates associated with a trustpoint configuration, use the crypto ca import pkcs12 command in global configuration mode. The security appliance prompts you to paste the text to the terminal in base-64 format. The key pair imported with the trustpoint is assigned a label matching the name of the trustpoint you create. For example, if an exported trustpoint used an RSA key labeled <Default-RSA-Key>, creating a trustpoint named Main by importing the PKCS12 creates a key pair named Main, not <Default-RSA-Key>.

If a security appliance has trustpoints that share the same CA, only one of the trustpoints sharing the CA can be used to validate user certificates. The crypto ca import pkcs12 command can create this situation. Use the support-user-cert-validation command to control which trustpoint sharing a CA is used for validation of user certificates issued by that CA.

The following example manually imports PKCS12 data to the trustpoint Main with the passphrase Wh0zits:

hostname (config)# crypto ca import Main pkcs12 Wh0zits
Enter the base 64 encoded pkcs12.
End with a blank line or the word "quit" on a line by itself:
[ PKCS12 data omitted ]
quit
INFO: Import PKCS12 operation completed successfully
hostname (config)#
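The usual failure when moving a trustpoint this way is a copy-and-paste error: the pasted text is truncated, or it includes the prompt or the "---End---" marker, and the import fails. As an added check (not part of the original answer and not a Cisco tool), this stdlib-only Python script takes a captured export session like the one above, keeps only the base64 body, and validates its structure (strict base64, outer DER SEQUENCE length consistent with the decoded size, PFX version 3 per RFC 7292) before it is pasted into the second ASA. The sample transcript and the stub DER inside it are constructed placeholders, not real key material; opening the blob with the passphrase (for example with openssl pkcs12) to confirm the key and certificate match is a separate step this script does not perform.

```python
import base64

# Markers the ASA prints around the blob in "crypto ca export <tp> pkcs12 <pass>".
BEGIN = "Exported pkcs12 follows:"
END = "---End - This line not part of the pkcs12---"
B64_CHARS = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=")

def extract_pkcs12_b64(transcript):
    """Base64 body of an export session, minus prompts and the end marker."""
    start, end = transcript.find(BEGIN), transcript.find(END)
    if start < 0 or end < start:
        raise ValueError("ASA export markers not found in transcript")
    tokens = transcript[start + len(BEGIN):end].split()
    return "".join(tok for tok in tokens if set(tok) <= B64_CHARS)

def der_length(buf, pos):
    """Decode a definite DER length at buf[pos]; return (length, next offset)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    if n == 0 or n > 4:
        raise ValueError("indefinite or oversized DER length")
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n

def check_pkcs12_blob(b64):
    """Structural check before pasting into the second ASA: strict base64, outer
    SEQUENCE length equal to the decoded size, and PFX version 3 (RFC 7292)."""
    der = base64.b64decode(b64, validate=True)  # ValueError on stray characters
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("PKCS12 must start with a DER SEQUENCE tag (0x30)")
    seq_len, pos = der_length(der, 1)
    if pos + seq_len != len(der):
        raise ValueError(f"SEQUENCE claims {seq_len} bytes, blob has {len(der) - pos}")
    if seq_len < 3 or der[pos] != 0x02:
        raise ValueError("expected PFX version INTEGER after the outer SEQUENCE")
    vlen, vpos = der_length(der, pos + 1)
    version = int.from_bytes(der[vpos:vpos + vlen], "big")
    if version != 3:
        raise ValueError(f"unexpected PFX version {version}")
    return {"der_bytes": len(der), "pfx_version": version}

def check_transcript(transcript):
    return check_pkcs12_blob(extract_pkcs12_b64(transcript))

# Constructed stand-in for a real export: minimal PFX shell (version 3, empty
# authSafe) inside the ASA's terminal framing. Placeholder, not key material.
STUB_DER = b"\x30\x05\x02\x01\x03\x30\x00"
STUB_B64 = base64.b64encode(STUB_DER).decode()
SAMPLE_TRANSCRIPT = ("hostname (config)# crypto ca export Main pkcs12 Wh0zits\n"
                     f"{BEGIN}\n{STUB_B64}\n{END}\nhostname (config)#\n")
```

Run check_transcript() on the text captured from the first ASA; a ValueError means the pasted block would not have imported cleanly, so recapture it before touching the second appliance.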