I thought it worth adding this follow-up after a meltdown with a PIX 501 that just wasn't cooperating. If you are familiar with my previous note about the PIX and ASA, it turns out that on the older 6.3 release you need a slightly different set of commands to achieve the same end. The main reason for trying this is to solve a problem where every time the PIX reboots it generates a new set of keys, which is thoroughly annoying. I hope to eliminate that by manually generating my own, and this is how I did it.
Of course all that remains is to reboot and see if it worked. If I see this type of message appear when I attempt to ssh in, then it's back to square one.
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA1 host key has just been changed.
The fingerprint for the RSA1 key sent by the remote host is
1b:c3:22:5d:3a:d7:4b:3a:bd:25:00:da:96:4a:29:03.
Please contact your system administrator.
Add correct host key in /Users/mikel/.ssh/known_hosts to get rid of this message.
Offending key in /Users/mikel/.ssh/known_hosts:214
RSA1 host key for pixfirewall.SOMEWHERE.com has changed and you have requested strict checking.
Host key verification failed.
#===============================#
Below you will find the commands needed to blank and regenerate the key. (The RSA1 in the warning above is the SSH protocol 1 host key, which is the only SSH version PIX 6.3 speaks.) One caveat for 6.3: a freshly generated RSA key pair lives only in memory until it is written to flash with ca save all; a plain write memory does not store it, and a key that was never saved is exactly what gives you a new host key, and that warning, at every reboot. After the reboot, show ca mypubkey rsa should still report the same generation timestamp and key data as before.
Usage: ca generate rsa key|specialkey <key_modulus_size>
[no] ca identity <ca_nickname> [<ca_ipaddress | hostname>
[:<ca_script_location>] [<ldap_ipaddress | hostname>]]
[show] ca configure <ca_nickname> [ca|ra <retry_period> <retry_count>
[crloptional]]
ca authenticate <ca_nickname> [<fingerprint>]
[no] ca enroll <ca_nickname> <challenge_password> [serial] [ipaddress]
[no] ca save all
show ca certificate
show ca mypubkey rsa
ca zeroize rsa
[no | show] ca crl [request <ca_nickname>]
[no | show] ca subject-name <ca_nickname> [<X.500 string>]
[no | show] ca verifycertdn [<X.500 string>]
pixfirewall> show ca mypubkey rsa
% Key pair was generated at: 08:02:29 UTC Oct 9 2008
Key name: pixfirewall.SOMEWHERE.com
Usage: General Purpose Key
Key Data:
307c300d 06092a86 4886f70d 01010105 00036b00 30680261 00eb1f38 dc42f3e5
759a3f04 362d556d 15fc9afd dd425986 b2a89588 1352dae8 b07bbf77 e1080de4
1b839ef9 8b473560 b129bd76 f1a4bbcb 7a56da75 0bbe6967 56bc5adf e4e8e65c
1306043e 489c5577 120bae52 d8589a91 7df883c5 18342523 17020301 0001
% Key pair was generated at: 08:03:35 UTC Oct 9 2008
Key name: pixfirewall.SOMEWHERE.com.server
Usage: Encryption Key
Key Data:
306c300d 06092a86 4886f70d 01010105 00035b00 30580251 00d5cbb6 d293990d
e33ac37d 9f407b2a 37e2864c e4589230 55535a81 7f9a1ceb 7e0db383 0fa7cbfe
65a2e3ec 77d1d6c5 6a91ed8c 63bf3711 7fc3d3c6 41d1d52a 06f6718e 443aa8fa
f71ef037 34199c1d 55020301 0001
pixfirewall> config terminal
pixfirewall(config)# ca zeroize rsa
pixfirewall(config)# ca generate rsa key 1024
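Before accepting a changed host key, the sensible check is to compare the fingerprint the client quotes in its warning with the key the PIX itself reports. The script below is an added example, not part of the original post and not Cisco's code: it parses the hex dump printed by show ca mypubkey rsa (a DER-encoded SubjectPublicKeyInfo) into the RSA modulus and exponent and derives the fingerprints an OpenSSH client would display. The sample input is the General Purpose Key dump shown above; the RSA1 fingerprint follows the SSH protocol 1 rule used by older OpenSSH clients (MD5 over the bytes of the modulus followed by the exponent), and the ssh-rsa MD5 and SHA256 forms are included for SSHv2 devices such as the ASA. All function and variable names are my own.

```python
"""Out-of-band check of a PIX/ASA SSH host key.

Parses the hex dump printed by "show ca mypubkey rsa" (a DER-encoded
SubjectPublicKeyInfo) into the RSA modulus n and exponent e, then derives
the fingerprints an OpenSSH client would display so they can be compared
with the WARNING banner before anything in known_hosts is touched.
Example code added to this page; it is not Cisco's or the post author's.
"""
import base64
import hashlib

# Sample input copied from the "General Purpose Key" dump on this page.
PIX_KEY_HEX = """
307c300d 06092a86 4886f70d 01010105 00036b00 30680261 00eb1f38 dc42f3e5
759a3f04 362d556d 15fc9afd dd425986 b2a89588 1352dae8 b07bbf77 e1080de4
1b839ef9 8b473560 b129bd76 f1a4bbcb 7a56da75 0bbe6967 56bc5adf e4e8e65c
1306043e 489c5577 120bae52 d8589a91 7df883c5 18342523 17020301 0001
"""

RSA_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1 rsaEncryption


def _tlv(buf, pos):
    """Read one DER tag/length/value starting at pos -> (tag, value, next_pos).
    Handles short-form lengths and the 0x81/0x82 long forms a 2048-bit key needs."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    if pos + length > len(buf):
        raise ValueError("DER element runs past end of data")
    return tag, buf[pos:pos + length], pos + length


def parse_pix_pubkey(hex_dump):
    """Return (n, e) from a 'show ca mypubkey rsa' hex dump."""
    der = bytes.fromhex("".join(hex_dump.split()))
    tag, spki, end = _tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected one DER SEQUENCE (SubjectPublicKeyInfo)")
    alg_tag, alg, pos = _tlv(spki, 0)
    oid_tag, oid, _ = _tlv(alg, 0)
    if alg_tag != 0x30 or oid_tag != 0x06 or oid != RSA_OID:
        raise ValueError("AlgorithmIdentifier is not rsaEncryption")
    bits_tag, bits, _ = _tlv(spki, pos)
    if bits_tag != 0x03 or bits[0] != 0:
        raise ValueError("expected a BIT STRING with no unused bits")
    rsa_tag, rsa, _ = _tlv(bits, 1)  # skip the unused-bits byte
    n_tag, n_bytes, pos = _tlv(rsa, 0)
    e_tag, e_bytes, _ = _tlv(rsa, pos)
    if rsa_tag != 0x30 or n_tag != 0x02 or e_tag != 0x02:
        raise ValueError("expected RSAPublicKey ::= SEQUENCE { n INTEGER, e INTEGER }")
    return int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")


def _be(x):
    """Minimal big-endian encoding of a positive integer."""
    return x.to_bytes((x.bit_length() + 7) // 8, "big")


def _mpint(x):
    """RFC 4251 mpint: length-prefixed, with a leading zero byte if the top bit is set."""
    body = x.to_bytes((x.bit_length() + 8) // 8, "big")
    return len(body).to_bytes(4, "big") + body


def ssh2_blob(n, e):
    """Wire encoding of an ssh-rsa public key: string "ssh-rsa", mpint e, mpint n."""
    return len(b"ssh-rsa").to_bytes(4, "big") + b"ssh-rsa" + _mpint(e) + _mpint(n)


def fingerprint_md5(data):
    return ":".join(f"{b:02x}" for b in hashlib.md5(data).digest())


def fingerprint_sha256(data):
    return "SHA256:" + base64.b64encode(hashlib.sha256(data).digest()).decode().rstrip("=")


def rsa1_fingerprint(n, e):
    """SSH protocol 1 (RSA1) fingerprint as older OpenSSH clients print it:
    MD5 over the bytes of n followed by the bytes of e, with no length prefixes."""
    return fingerprint_md5(_be(n) + _be(e))


def fingerprint_matches(shown, n, e):
    """True if the fingerprint quoted in the client's warning belongs to (n, e),
    whichever of the three display formats the client used."""
    shown = shown.strip().rstrip(".")
    if shown.startswith("SHA256:"):
        return shown == fingerprint_sha256(ssh2_blob(n, e))
    shown = shown.lower()
    if shown.startswith("md5:"):
        shown = shown[4:]
    return shown in (rsa1_fingerprint(n, e), fingerprint_md5(ssh2_blob(n, e)))


def known_hosts_v1_line(host, n, e):
    """known_hosts entry in the SSH protocol 1 format: host bits exponent modulus."""
    return f"{host} {n.bit_length()} {e} {n}"


if __name__ == "__main__":
    n, e = parse_pix_pubkey(PIX_KEY_HEX)
    print(f"modulus: {n.bit_length()} bits, exponent: {e}")
    print("RSA1 fingerprint:", rsa1_fingerprint(n, e))
    print("ssh-rsa MD5:     ", fingerprint_md5(ssh2_blob(n, e)))
    print("ssh-rsa SHA256:  ", fingerprint_sha256(ssh2_blob(n, e)))
    # Fingerprint quoted in the warning on this page; True means that warning
    # was about exactly this key and the change is the expected one.
    print("banner matches this key:",
          fingerprint_matches("1b:c3:22:5d:3a:d7:4b:3a:bd:25:00:da:96:4a:29:03.", n, e))
    print(known_hosts_v1_line("pixfirewall.SOMEWHERE.com", n, e))
```

Only when the fingerprint computed from the PIX console matches the one in the warning is the change legitimate; then remove the stale entry with ssh-keygen -R pixfirewall.SOMEWHERE.com (or delete the offending known_hosts line the warning points at) and reconnect. If it does not match, do not connect and find out what is actually answering on that address.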