Solution ID : SO8014

Last Modified : 05/02/2018

Move a Trustpoint from one CISCO ASA 5520 to another CISCO ASA 5520


Exporting and Importing Trustpoints
CISCO ASA 5520 using WebVPN 7.x


You can export and import keypairs and issued certificates associated with a trustpoint configuration. The security appliance supports PKCS12 format for the export and import of trustpoints.

This section includes the following topics:

- Exporting a Trustpoint Configuration
- Importing a Trustpoint Configuration


Exporting a Trustpoint Configuration


To export a trustpoint configuration with all associated keys and certificates in PKCS12 format, use the crypto ca export command. The security appliance displays the PKCS12 data in the terminal, from where you can copy it. The trustpoint data is passphrase protected; however, because the export includes the private key, if you save the trustpoint data in a file, be sure the file is in a secure location.


The following example exports PKCS12 data for trustpoint Main using Wh0zits as the passphrase:


hostname(config)# crypto ca export Main pkcs12 Wh0zits
Exported pkcs12 follows:
[ PKCS12 data omitted ]
---End - This line not part of the pkcs12---
hostname(config)#


Importing a Trustpoint Configuration


To import the keypairs and issued certificates associated with a trustpoint configuration, use the crypto ca import pkcs12 command in global configuration mode. The security appliance prompts you to paste the text into the terminal in base64 format. The key pair imported with the trustpoint is assigned a label matching the name of the trustpoint you create. For example, if an exported trustpoint used an RSA key labeled <Default-RSA-Key>, creating a trustpoint named Main by importing the PKCS12 creates a key pair named Main, not <Default-RSA-Key>.


If a security appliance has trustpoints that share the same CA, only one of the trustpoints sharing the CA can be used to validate user certificates. The crypto ca import pkcs12 command can create this situation. Use the support-user-cert-validation command to control which trustpoint sharing a CA is used for validation of user certificates issued by that CA.


The following example manually imports PKCS12 data to the trustpoint Main with the passphrase Wh0zits:


hostname(config)# crypto ca import Main pkcs12 Wh0zits
Enter the base 64 encoded pkcs12.
End with a blank line or the word "quit" on a line by itself:
[ PKCS12 data omitted ]

INFO: Import PKCS12 operation completed successfully
hostname(config)#
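Because the PKCS12 is moved by copying terminal text, the most common import failure is a truncated or mangled paste. The following added check (example code, not from this article or from Cisco) takes a saved capture of the export session, keeps only the base64 between the "Exported pkcs12 follows:" line and the "---End" trailer that is not part of the PKCS12, confirms the decoded blob is a complete PKCS12 PFX structure, and returns a SHA-256 fingerprint you can compare on both appliances before running crypto ca import; the capture and the DER bytes are constructed stand-ins, not a real export.

```python
import base64
import binascii
import hashlib

START_MARK = "Exported pkcs12 follows:"
END_MARK = "---End - This line not part of the pkcs12---"

def extract_pkcs12(capture: str) -> str:
    """Return the base64 text between the ASA markers, trailer line excluded."""
    lines = [l.strip() for l in capture.splitlines()]
    if START_MARK not in lines or END_MARK not in lines:
        raise ValueError("ASA export markers not found in capture")
    start, end = lines.index(START_MARK), lines.index(END_MARK)
    return "".join(l for l in lines[start + 1:end] if l)

def _der_length(buf: bytes, pos: int):
    # Parse a DER length at buf[pos]; return (length, offset of content).
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n

def check_pkcs12(b64text: str) -> dict:
    """Decode the blob and check it is a complete PKCS12 PFX (version 3)."""
    try:
        raw = base64.b64decode(b64text, validate=True)
    except binascii.Error as e:
        raise ValueError(f"not valid base64: {e}")
    if not raw or raw[0] != 0x30:
        raise ValueError("PKCS12 must start with a DER SEQUENCE (0x30)")
    length, body = _der_length(raw, 1)
    if body + length != len(raw):
        raise ValueError("DER length does not match blob size: truncated paste?")
    if raw[body:body + 3] != b"\x02\x01\x03":
        raise ValueError("PFX version is not 3")
    return {"bytes": len(raw), "sha256": hashlib.sha256(raw).hexdigest()}

def is_valid_capture(capture: str) -> bool:
    try:
        return bool(check_pkcs12(extract_pkcs12(capture)))
    except ValueError:
        return False

# Constructed capture: the DER is only a minimal PFX header
# (SEQUENCE { INTEGER 3, SEQUENCE {} }), not a real trustpoint export.
_DER = bytes.fromhex("30050201033000")
SAMPLE_CAPTURE = "\n".join(
    ["hostname(config)# crypto ca export Main pkcs12 Wh0zits", START_MARK,
     base64.b64encode(_DER).decode(), END_MARK, "hostname(config)#"])
```

Run check_pkcs12(extract_pkcs12(...)) on the capture from the source appliance and again on what you are about to paste into the target; matching fingerprints mean the copy survived intact.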