Exporting A Trustpoint Configuration - Cisco FirePOWER ASA 5500 series Configuration Manual

Chapter 39
Configuring Certificates

Exporting a Trustpoint Configuration

To export a trustpoint configuration with all associated keys and certificates in PKCS12 format, use the
crypto ca export command. The security appliance prints the PKCS12 data to the terminal as text, and you
copy it from there. The data is protected by the passphrase you supply, but it still contains the trustpoint's
private key: anyone who obtains the exported data and the passphrase can impersonate the appliance.
Choose a strong passphrase, keep in mind that a terminal session log captures the export as well, and if you
save the trustpoint data in a file, be sure the file is in a secure location.
The following example exports PKCS12 data for trustpoint Main using Wh0zits as the passphrase:
hostname(config)# crypto ca export Main pkcs12 Wh0zits
Exported pkcs12 follows:
[ PKCS12 data omitted ]
---End - This line not part of the pkcs12---
hostname(config)#
Importing a Trustpoint Configuration
To import the keypairs and issued certificates associated with a trustpoint configuration, use the crypto
ca import pkcs12 command in global configuration mode. The security appliance prompts you to paste
the text to the terminal in base-64 format.
The key pair imported with the trustpoint is assigned a label matching the name of the trustpoint you
create, not the label it had on the exporting appliance. For example, if an exported trustpoint used an RSA
key labeled <Default-RSA-Key>, creating a trustpoint named Main by importing the PKCS12 creates a key
pair named Main, not <Default-RSA-Key>.
Note If a security appliance has trustpoints that share the same CA, only one of the trustpoints sharing
the CA can be used to validate user certificates. The crypto ca import pkcs12 command can create this
situation. Use the support-user-cert-validation command to control which trustpoint sharing a CA is
used for validation of user certificates issued by that CA.
The following example manually imports PKCS12 data to the trustpoint Main with the passphrase
Wh0zits:
hostname(config)# crypto ca import Main pkcs12 Wh0zits
Enter the base 64 encoded pkcs12.
End with a blank line or the word "quit" on a line by itself:
[ PKCS12 data omitted ]
quit
INFO: Import PKCS12 operation completed successfully
hostname(config)#
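The export transcript is normally captured by copying from a terminal, and the import expects the same base-64 text pasted back and terminated with a blank line or quit. The following Python helper is an added example written for this page; it is not part of this guide or of the security appliance software. It pulls the PKCS12 out of a copied crypto ca export session using the begin and end lines the appliance prints, checks that the result decodes and has the outer structure of a PKCS12 (PFX) file as defined in RFC 7292 (a DER SEQUENCE carrying version 3, an authSafe ContentInfo, and optionally the MacData that provides passphrase-based integrity), and re-wraps the bytes as the text to paste into crypto ca import. The session text and the PKCS12 blob inside it are constructed for the example: the blob is only the outer PFX shell around placeholder contents, not a real key or certificate. The helper uses the standard library only, so it cannot verify the passphrase or decrypt the key; it catches a truncated or mangled copy before you store or import it.

```python
import base64
import re
import textwrap

# Lines the appliance prints around the PKCS12 in 'crypto ca export'.
BEGIN_MARK = "Exported pkcs12 follows:"
END_MARK = "---End - This line not part of the pkcs12---"
# DER contents of OID 1.2.840.113549.1.7.1 (pkcs7-data).
OID_PKCS7_DATA = bytes.fromhex("2a864886f70d010701")


def _der(tag: int, body: bytes) -> bytes:
    """Minimal DER TLV encoder, used only to build the constructed sample."""
    if len(body) < 0x80:
        length = bytes([len(body)])
    else:
        lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body


def _read_tlv(buf: bytes, pos: int):
    """Read one DER TLV at pos; return (tag, value, position after it)."""
    if pos + 2 > len(buf):
        raise ValueError("DER truncated while reading a tag/length")
    tag, ln = buf[pos], buf[pos + 1]
    pos += 2
    if ln & 0x80:                       # long-form length
        nbytes = ln & 0x7F
        ln = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + ln > len(buf):
        raise ValueError("DER truncated: declared length runs past the data")
    return tag, buf[pos:pos + ln], pos + ln


def extract_pkcs12_blob(capture: str) -> bytes:
    """Pull the PKCS12 bytes out of a copied 'crypto ca export' session.

    Everything before BEGIN_MARK and from END_MARK onwards (prompt included)
    is dropped; the appliance itself says the End line is not part of it.
    """
    lines = [line.strip() for line in capture.splitlines()]
    if BEGIN_MARK not in lines or END_MARK not in lines:
        raise ValueError("begin/end markers missing: copy the whole block")
    start, end = lines.index(BEGIN_MARK) + 1, lines.index(END_MARK)
    b64 = "".join(line for line in lines[start:end] if line)
    if not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", b64):
        raise ValueError("non-base64 text inside the PKCS12 block")
    return base64.b64decode(b64, validate=True)


def inspect_pfx(der: bytes) -> dict:
    """Check the outer PKCS12 shell (PFX, RFC 7292) of decoded bytes.

    PFX ::= SEQUENCE { version INTEGER (3), authSafe ContentInfo,
                       macData MacData OPTIONAL }
    The encrypted SafeContents and the MAC are not verified, so this needs
    no passphrase; it only tells you the paste is intact and well-formed.
    """
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("not a single DER SEQUENCE: truncated or garbled paste")
    tag, ver, pos = _read_tlv(body, 0)
    if tag != 0x02:
        raise ValueError("PFX version INTEGER missing")
    tag, auth_safe, pos = _read_tlv(body, pos)
    if tag != 0x30:
        raise ValueError("authSafe ContentInfo missing")
    ctag, ctype, _ = _read_tlv(auth_safe, 0)
    mac_present = False
    if pos < len(body):                 # optional MacData follows authSafe
        mtag, _, pos = _read_tlv(body, pos)
        mac_present = mtag == 0x30
    return {
        "version": int.from_bytes(ver, "big"),
        "auth_safe_is_data": ctag == 0x06 and ctype == OID_PKCS7_DATA,
        "mac_protected": mac_present,   # password-integrity mode present
        "der_bytes": len(der),
    }


def format_for_import(der: bytes) -> str:
    """Text to paste after 'crypto ca import <name> pkcs12 <passphrase>':
    64-column base-64 followed by 'quit', the terminator the appliance accepts."""
    b64 = base64.b64encode(der).decode("ascii")
    return "\n".join(textwrap.wrap(b64, 64)) + "\nquit\n"


def _build_sample_pfx() -> bytes:
    """Constructed PFX shell: version 3, pkcs7-data authSafe around a
    placeholder OCTET STRING, placeholder MacData. No key or certificate."""
    auth_safe = _der(0x30, _der(0x06, OID_PKCS7_DATA)
                     + _der(0xA0, _der(0x04, b"\x00" * 120)))
    mac_data = _der(0x30, _der(0x30, b"") + _der(0x04, b"\x00" * 8)
                    + _der(0x02, b"\x08\x00"))
    return _der(0x30, _der(0x02, b"\x03") + auth_safe + mac_data)


# Constructed terminal session in the shape of this guide's export example.
SAMPLE_CAPTURE = (
    "hostname(config)# crypto ca export Main pkcs12 Wh0zits\n"
    f"{BEGIN_MARK}\n"
    + "\n".join(textwrap.wrap(
        base64.b64encode(_build_sample_pfx()).decode("ascii"), 64))
    + f"\n{END_MARK}\nhostname(config)#\n"
)


def check_export(capture: str) -> dict:
    """Extract, decode and structurally check a copied export session."""
    return inspect_pfx(extract_pkcs12_blob(capture))


if __name__ == "__main__":
    print(check_export(SAMPLE_CAPTURE))
    print(format_for_import(extract_pkcs12_blob(SAMPLE_CAPTURE)))
```

Once the blob passes these checks, write the bytes to a file and inspect the contents with the passphrase using openssl pkcs12 -info -in main.p12, which confirms that the key and certificate chain are present and that the passphrase is the one you recorded; that file is as sensitive as the private key itself.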
Configuring CA Certificate Map Rules
You can configure rules based on the Issuer and Subject fields of a certificate. Using the rules you create,
you can map IPSec peer certificates to tunnel groups with the tunnel-group-map command. The
security appliance supports one CA certificate map, which can contain many rules. For more information
about using CA certificate map rules with tunnel groups, see the "Creating a Certificate Group Matching
Rule and Policy" section on page 27-10.

Cisco Security Appliance Command Line Configuration Guide, OL-10088-01, page 39-15