Sometimes you need to squirrel away those keys. You can do it by getting a certificate that uses the keys, then exporting a certificate bundle (with private key included). Here's how.
First, create a key:
crypto key generate rsa label mykey modulus 2048
Next, create a trustpoint which references the key, and generate a self-signed certificate:
crypto ca trustpoint throwaway keypair mykey enrollment self crypto ca enroll throwaway noconfirm
Now the throwaway trustpoint has a certificate. Export that certificate to the terminal.
no terminal pager crypto ca export throwaway pkcs12 <passphrase>
Save the blob of text including the begin/end lines. The blob is a PKCS12 bundle encrypted using the passphrase above and then base64 encoded. Be sure to save the encryption passphrase.
-----BEGIN PKCS12----- MIIJZwIBAzCCCSEGCSqGSIb3DQEHAaCCCRIEggkOMIIJCjCCCQYGCSqGSIb3DQEH BqCCCPcwggjzAgEAMIII7AYJKoZIhvcNAQcBMBsGCiqGSIb3DQEMAQMwDQQI4KTD ...etc... ru1WrVnO7wFa+83BK8D+aQ7UedzQuU6NOiDrjPR0w8uWSLwKmmSVgnZN4BEwPTAh MAkGBSsOAwIaBQAEFGA2bfp4y+a/R29RZ9TA8sCUSZ+jBBRvppgVbM8rBbW62096 L/HnJErexgICBAA= -----END PKCS12-----
We no longer need the certificate or the throwaway trustpoint in which it's stored. Kill it. The private key will survive.
no crypto ca trustpoint throwaway noconfirm
The easiest way to get the key onto an ASA is to import the PKCS12 blob using the passphrase. Importing the certificate will create 3 things on the ASA:
- The RSA keypair
- The certificate
- A trustpoint to hold the certificate
The keypair will be named the same as the trustpoint. To make the keypair named 'my-imported-key', import it like this, pasting in the text blob when prompted, then typing 'quit'.
crypto ca import my-imported-key pkcs12 <passphrase>
Now the key is available for use, but there's a useless certificate and trustpoint as well. Kill those off just like before. The key will survive.
no crypto ca trustpoint my-imported-key noconfirm
Another option is to extract the key from the PKCS12 bundle using openssl on some other device. First, save the text blob without the BEGIN/END lines to a file. I'd probably call it throwaway.p12.base64. Then, it needs to be base64-decoded, and parsed from a pkcs12 certificate bundle into a pem-formated private key. The private key output contains both the private and public keys.
base64 -D throwaway.p12.base64 | openssl pkcs12 -nocerts -nodes -password pass:<passphrase> MAC verified OK Bag Attributes localKeyID: 00 00 00 01 friendlyName: cn=lab-asa-1,hostname=lab-asa-1.fragmentationneeded.net Key Attributes: <No Attributes> -----BEGIN PRIVATE KEY----- MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDUp4/EVH/uaScJ 3LuC71Zps8Q/n6JNFP5cehhDm8MYFq1Ms/VGHcHaO0Mt4F0BFQ6nyFjeuiaubeSp ...etc... 3r4cQPYplDbSdNVBYy9BpzsQVoxIn9dcz10fRl1V2xabTvXZ+kDc4KOucVRH+WGV YsYGwIXyJgsTvhKSDojxMyHQF201x8QO4+oSLndAY+Zj3wRz9S1N1btc929cyfjG NMJuImRF/uSH2IfFpEl8bAY= -----END PRIVATE KEY-----
The example above was run on MacOS, where the base64 binary has BSD heritage. On Linux, use -d rather than -D with the GNU flavor of base64.