Friday, April 3, 2015

Exporting RSA keys from Cisco ASA: Harder than it should be

Unlike Cisco IOS routers, which by default don't allow RSA private keys to be exported from NVRAM, Cisco ASAs don't protect private keys. But there's no command (of which I'm aware) to directly export the keys either.

Sometimes you need to squirrel away those keys. You can do it by getting a certificate that uses the keys, then exporting a certificate bundle (with private key included). Here's how.

First, create a key:
 crypto key generate rsa label mykey modulus 2048  

Next, create a trustpoint which references the key, and generate a self-signed certificate:
 crypto ca trustpoint throwaway  
  keypair mykey  
  enrollment self  
 crypto ca enroll throwaway noconfirm  

Now the throwaway trustpoint has a certificate. Export that certificate to the terminal.
 no terminal pager  
 crypto ca export throwaway pkcs12 <passphrase>  

Save the blob of text including the begin/end lines. The blob is a PKCS12 bundle encrypted using the passphrase above and then base64 encoded. Be sure to save the encryption passphrase.
 -----BEGIN PKCS12-----  
 MIIJZwIBAzCCCSEGCSqGSIb3DQEHAaCCCRIEggkOMIIJCjCCCQYGCSqGSIb3DQEH  
 BqCCCPcwggjzAgEAMIII7AYJKoZIhvcNAQcBMBsGCiqGSIb3DQEMAQMwDQQI4KTD  
 ...etc...  
 ru1WrVnO7wFa+83BK8D+aQ7UedzQuU6NOiDrjPR0w8uWSLwKmmSVgnZN4BEwPTAh  
 MAkGBSsOAwIaBQAEFGA2bfp4y+a/R29RZ9TA8sCUSZ+jBBRvppgVbM8rBbW62096  
 L/HnJErexgICBAA=  
 -----END PKCS12-----  

We no longer need the certificate or the throwaway trustpoint in which it's stored. Kill it. The private key will survive.
 no crypto ca trustpoint throwaway noconfirm  

The easiest way to get the key onto an ASA is to import the PKCS12 blob using the passphrase. Importing the certificate will create 3 things on the ASA:
  • The RSA keypair
  • The certificate
  • A trustpoint to hold the certificate
The keypair will be named the same as the trustpoint. To make the keypair named 'my-imported-key', import it like this, pasting in the text blob when prompted, then typing 'quit'.
 crypto ca import my-imported-key pkcs12 <passphrase>  

Now the key is available for use, but there's a useless certificate and trustpoint as well. Kill those off just like before. The key will survive.
 no crypto ca trustpoint my-imported-key noconfirm  

Another option is to extract the key from the PKCS12 bundle using openssl on some other device. First, save the text blob without the BEGIN/END lines to a file. I'd probably call it throwaway.p12.base64. Then it needs to be base64-decoded and parsed from a PKCS12 certificate bundle into a PEM-formatted private key. The private key output contains both the private and public keys.
 base64 -D throwaway.p12.base64 | openssl pkcs12 -nocerts -nodes -password pass:<passphrase>   
 MAC verified OK  
 Bag Attributes  
   localKeyID: 00 00 00 01   
   friendlyName: cn=lab-asa-1,hostname=lab-asa-1.fragmentationneeded.net  
 Key Attributes: <No Attributes>  
 -----BEGIN PRIVATE KEY-----  
 MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDUp4/EVH/uaScJ  
 3LuC71Zps8Q/n6JNFP5cehhDm8MYFq1Ms/VGHcHaO0Mt4F0BFQ6nyFjeuiaubeSp  
 ...etc...  
 3r4cQPYplDbSdNVBYy9BpzsQVoxIn9dcz10fRl1V2xabTvXZ+kDc4KOucVRH+WGV  
 YsYGwIXyJgsTvhKSDojxMyHQF201x8QO4+oSLndAY+Zj3wRz9S1N1btc929cyfjG  
 NMJuImRF/uSH2IfFpEl8bAY=  
 -----END PRIVATE KEY-----  

The example above was run on macOS, where the base64 binary has BSD heritage. On Linux, use -d rather than -D with the GNU flavor of base64.
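As an added check that is not part of the original post: a POSIX shell helper that performs the base64-decode and openssl pkcs12 steps above on the saved blob (BEGIN/END lines included, on either flavor of base64) and confirms that the extracted private key matches the certificate in the same bundle, which is worth running before the throwaway trustpoint is removed from the ASA. It assumes openssl is installed; the function names and the -legacy retry for OpenSSL 3 are my additions.

```shell
#!/bin/sh
# Added helper, not from the original post: decode an ASA
# "crypto ca export <trustpoint> pkcs12 <passphrase>" blob, pull out the
# private key, and confirm it matches the certificate in the same bundle
# before the throwaway trustpoint is deleted. Assumes openssl is installed.
set -u

# GNU base64 decodes with -d, BSD/macOS with -D: probe once instead of guessing.
b64_decode() {
    if printf 'dGVzdA==' | base64 -d >/dev/null 2>&1; then base64 -d; else base64 -D; fi
}

# Turn the pasted terminal text (BEGIN/END lines, leading spaces, CRs included)
# into the DER PKCS12 file openssl expects.
asa_blob_to_p12() {
    grep -v -- '-----' "$1" | tr -d ' \t\r' | b64_decode
}

# Run "openssl pkcs12 <args>" on a DER bundle, retrying with -legacy because
# OpenSSL 3 needs its legacy provider for the older PBE ciphers some bundles use.
p12_read() {
    f="$1"; pw="$2"; shift 2
    openssl pkcs12 -in "$f" -passin "pass:$pw" "$@" 2>/dev/null \
    || openssl pkcs12 -legacy -in "$f" -passin "pass:$pw" "$@" 2>/dev/null
}

# asa_p12_extract_key <blob.txt> <passphrase> <out.pem>
# Writes an unencrypted PKCS#8 PEM: what the post's pipeline prints, minus the
# Bag Attributes header.
asa_p12_extract_key() {
    p12=$(mktemp)
    asa_blob_to_p12 "$1" > "$p12"
    p12_read "$p12" "$2" -nocerts -nodes | openssl pkey -out "$3" 2>/dev/null
    rm -f "$p12"
}

# asa_p12_key_matches_cert <blob.txt> <passphrase>
# Exit 0 when the bundle's private key and certificate share a public key,
# i.e. the saved blob really carries the keypair you think it does.
asa_p12_key_matches_cert() {
    p12=$(mktemp); key=$(mktemp)
    asa_blob_to_p12 "$1" > "$p12"
    p12_read "$p12" "$2" -nocerts -nodes | openssl pkey -out "$key" 2>/dev/null
    k=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    c=$(p12_read "$p12" "$2" -clcerts -nokeys | openssl x509 -pubkey -noout 2>/dev/null)
    rm -f "$p12" "$key"
    [ -n "$k" ] && [ "$k" = "$c" ]
}
```

Run it as `asa_p12_key_matches_cert throwaway.txt '<passphrase>' && asa_p12_extract_key throwaway.txt '<passphrase>' mykey.pem`; a non-zero exit from the first call means the blob or passphrase is wrong and the trustpoint should stay until the export is redone.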
