Cisco ASA: replace certificate without private key

When publicly signed certificate installed many years ago on ASA does expire and you request a new one from certificate provider all you get is just the new cert. If you are missing original private key you will need to perform these steps to get a new certificate installed on ASA. The solution is to create new Trustpoint but use old key pair bound to expired cert.

On certificate configuration page select Add Identity Certificate >  Assign new name to Trustpoint > select existing Key Pair > Add certificate.

CLI:

crypto ca trustpoint New_Cert
revocation-check none
keypair AC_VPN_Cert
id-usage ssl-ipsec
no fqdn
subject-name CN=**Your ASA Hostname**
enrollment terminal
crypto ca enroll New_Cert noconfirm

Disregard pop-up and click Cancel.

Next select Trustpoint you just created and click Install.

Browse to new certificate file you received from certificate provider and Install Certificate.

Select Ok when certificate import is successful.

CLI:

crypto ca import New_Cert certificate nointeractive
MIIGtjCCBZ6gA…..
<snip>
AWsoy40wxld…….
quit

Now go to your VPN Connection Profile and update device certificate with the new Trustpoint name.

Leave a reply:

Your email address will not be published.

Site Footer

Sliding Sidebar