When a publicly signed certificate installed years ago on an ASA expires and you request a renewal from the certificate provider, all you get back is the new certificate: the provider reissues it against the public key in the original CSR. If you no longer have a copy of the original private key off-box, you cannot build a PKCS#12 and import that, but the key pair itself is still on the ASA (show crypto key mypubkey rsa lists it) and the renewed certificate can only ever bind to that key. The solution is to create a new trustpoint that uses the old key pair bound to the expired certificate, and then import the new certificate into it.
In ASDM, on the Identity Certificates page (Configuration > Device Management > Certificate Management > Identity Certificates) select Add > assign a new name to the trustpoint > under Key Pair select the existing key pair (the one the expired certificate was enrolled with, not a newly generated one) > Add Certificate.
CLI equivalent (AC_VPN_Cert is the name of the existing key pair; the CSR that crypto ca enroll prints can be ignored, since the provider has already issued the certificate):
crypto ca trustpoint New_Cert
 revocation-check none
 keypair AC_VPN_Cert
 id-usage ssl-ipsec
 no fqdn
 subject-name CN=**Your ASA Hostname**
 enrollment terminal
crypto ca enroll New_Cert noconfirm
Disregard the CSR pop-up and click Cancel; the request it shows has already been fulfilled by the provider.
Next, select the trustpoint you just created and click Install.
Browse to the new certificate file you received from the certificate provider and click Install Certificate. Two things make this step fail: if the provider has moved to a different intermediate CA since the original issuance, the ASA cannot build the chain, so import the new intermediate into its own CA trustpoint first (crypto ca trustpoint <name> / enrollment terminal / crypto ca authenticate <name>); and if the import is refused because the key does not match, the key pair you selected in the trustpoint is not the one the original CSR was generated from.
Click OK when the certificate import is successful.
CLI equivalent (paste the PEM body of the new certificate, then type quit on its own line):
crypto ca import New_Cert certificate nointeractive
MIIGtjCCBZ6gA…..
<snip>
AWsoy40wxld…….
quit
Now go to your VPN Connection Profile and update the device certificate with the new trustpoint name. The CLI equivalent for AnyConnect/SSL is ssl trust-point New_Cert outside (use the interface the profile listens on). Verify with show crypto ca certificates New_Cert that the new validity dates are shown, and only then remove the old trustpoint.
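Before importing, it is worth confirming that the renewed certificate really carries the same public key as the expired one, i.e. that it will bind to the key pair already on the ASA. The script below is an added example (not from the original post or from Cisco) that does that with openssl. It assumes openssl is on PATH, that the expired certificate has been saved as old.crt (for example pasted from the output of crypto ca export <old-trustpoint> identity-certificate) and the renewed certificate as new.crt; the file names and the spki_hex comparison against the ASA's key dump are assumptions. The demo section generates its own throwaway key and certificates so that the script runs offline.

```shell
#!/bin/sh
# Added example, not from the original post or Cisco: check that the renewed
# certificate carries the same public key as the expired one, so that it will
# bind to the key pair already present on the ASA.
# Assumptions: openssl is on PATH; old.crt is the expired certificate (e.g. the
# PEM printed by "crypto ca export <old-trustpoint> identity-certificate") and
# new.crt is the renewed certificate from the provider. The demo below builds
# its own throwaway key and certificates instead of using real ones.

set -eu

# SHA-256 of the DER-encoded SubjectPublicKeyInfo carried in a certificate.
# awk keeps only the hex digest, whatever label the local openssl prints.
pubkey_fp() {
    openssl x509 -in "$1" -noout -pubkey \
        | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 \
        | awk '{print $NF}'
}

# Exit status 0 when both certificates contain the same public key.
keys_match() {
    [ "$(pubkey_fp "$1")" = "$(pubkey_fp "$2")" ]
}

# Hex of the same DER SubjectPublicKeyInfo, to eyeball against the "Key Data"
# hex that "show crypto key mypubkey rsa" prints on the ASA (assumption: the
# ASA prints that structure; at least the leading bytes should line up).
spki_hex() {
    openssl x509 -in "$1" -noout -pubkey \
        | openssl pkey -pubin -outform DER \
        | od -An -v -tx1 | tr -d ' \n'
    echo
}

# --- constructed demo material (no real certificates) ------------------------
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# "Expired" certificate and the key pair that stays on the ASA.
openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/asa.key" \
    -out "$WORK/old.crt" -subj "/CN=asa.example.com" -days 1 2>/dev/null
# Renewal issued against the same key (the provider reused the original CSR).
openssl req -x509 -new -key "$WORK/asa.key" \
    -out "$WORK/new.crt" -subj "/CN=asa.example.com" -days 365 2>/dev/null
# Negative control: a certificate issued for a different key pair.
openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/other.key" \
    -out "$WORK/other.crt" -subj "/CN=asa.example.com" -days 365 2>/dev/null

if keys_match "$WORK/old.crt" "$WORK/new.crt"; then
    echo "new.crt matches the existing key pair: safe to import into New_Cert"
fi
if ! keys_match "$WORK/old.crt" "$WORK/other.crt"; then
    echo "other.crt was issued for a different key: the ASA would reject it"
fi
echo "SPKI of new.crt (compare with show crypto key mypubkey rsa):"
spki_hex "$WORK/new.crt" | cut -c1-64
```

Run it against the real files as keys_match old.crt new.crt after dropping the demo section; a mismatch means the renewal was not issued against the original CSR (or you picked the wrong key pair name), and no trustpoint trick will make the import succeed.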
3 comments on "Cisco ASA: replace certificate without private key"
Many thanks for the tip!
Nice, thanks much! I had deleted the trustpoint in the past and submitted a new CSR.
This saved me!!
Awesome, thanks. Wasted a lot of time looking for the key, but then reached this article, and it still works fine in 2022 with an ASA 5525 running version 9.