Chapter 12
Configuring Certificates
Exporting and Importing Keypairs and Certificates
You can export and import keypairs and issued certificates associated with a trustpoint configuration.
The FWSM supports the PKCS12 format for exporting and importing trustpoints.
This section includes the following topics:
• Exporting a Keypair and Certificate
• Importing a Keypair and Certificate
Exporting a Keypair and Certificate
To export keypairs and certificates associated with a trustpoint configuration in PKCS12 format, enter
the following command:
hostname(config)# crypto ca export trustpoint pkcs12 passphrase
You can copy the data. The trustpoint data is password protected; however, if you save the trustpoint data
in a file, be sure that the file is in a secure location.
For example, to manually export PKCS12 data for a trustpoint called newton using cisco123 as the
passphrase, enter the following command:
hostname(config)# crypto ca export newton pkcs12 cisco123
Exported pkcs12 follows:
[ PKCS12 data omitted ]
---End - This line not part of the pkcs12---
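The following is an added example, not part of the Cisco guide: one way to pull the PKCS12 text out of a captured terminal session using the two marker lines shown above, and store it in an owner-only file. The sample session, the payload lines, and the function and file names are constructed for illustration.

```python
import os
import stat
import tempfile

START = "Exported pkcs12 follows:"
END = "---End - This line not part of the pkcs12---"

# Constructed sample capture; the two payload lines are placeholders, not real PKCS12 data.
SAMPLE_SESSION = """\
hostname(config)# crypto ca export newton pkcs12 cisco123
Exported pkcs12 follows:
CONSTRUCTEDPLACEHOLDERLINE0001
CONSTRUCTEDPLACEHOLDERLINE0002
---End - This line not part of the pkcs12---
"""

def extract_pkcs12(session: str) -> str:
    """Return only the lines between the export markers (the command line and its passphrase are dropped)."""
    lines = [ln.strip() for ln in session.splitlines()]
    try:
        begin = lines.index(START)
        finish = lines.index(END, begin + 1)
    except ValueError:
        raise ValueError("export markers not found; capture is incomplete") from None
    payload = [ln for ln in lines[begin + 1:finish] if ln]
    if not payload:
        raise ValueError("no PKCS12 data between the markers")
    return "\n".join(payload) + "\n"

def save_private(path: str, data: str) -> None:
    """Create the file with mode 0600; O_EXCL refuses to reuse an existing path."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w", encoding="ascii") as fh:
        os.fchmod(fh.fileno(), 0o600)  # exact mode regardless of umask
        fh.write(data)

if __name__ == "__main__":
    path = os.path.join(tempfile.mkdtemp(), "newton.p12.txt")  # hypothetical file name
    save_private(path, extract_pkcs12(SAMPLE_SESSION))
    print(path, oct(stat.S_IMODE(os.stat(path).st_mode)))
```

Extracting only the text between the markers keeps the passphrase typed on the command line out of the stored file.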
Importing a Keypair and Certificate
To import keypairs and issued certificates associated with a trustpoint configuration in PKCS12 format,
perform the following steps:
Step 1  Enter the following command:
hostname(config)# crypto ca import trustpoint pkcs12 passphrase
The key pair imported with the trustpoint configuration is assigned a label that matches the name of the
trustpoint that you create. For example, if an exported trustpoint used an RSA key labeled
Default-RSA-Key, creating a trustpoint called Main by importing the PKCS12 format creates a key pair
called Main.
Note
If an FWSM has trustpoints that share the same CA, only one of the trustpoints sharing the CA
can be used to validate user certificates. Entering the crypto ca import pkcs12 command can
create this condition. To control which trustpoint sharing a CA is used for validation of user
certificates issued by that CA, enter the support-user-cert-validation command.
Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM
OL-20748-01
Certificate Configuration