Cisco ASA – Checklist for Replacing Failed ASA Hardware

cisco-asa hardware

I have a failing Cisco ASA that is being replaced under a support contract. It is a single-point-of-failure in production at a branch office that can tolerate downtime. I will physically replace the device at that site myself. Prior to the hardware failure the configuration was just fine. My goal is to get back to the working state prior to the hardware failure.

While I have worked a fair amount with ASAs I have never had to perform a hardware replacement so this is new territory for me. What I am looking for is a checklist, runbook, or procedure to serve the following purpose:

  • help to ensure I don't miss some critical configuration step
  • help to avoid some critical configuration error
  • aid in advance preparation to reduce the downtime while the hardware swap takes place
  • provide some advance insight into how long this is likely to take

Off the top of my head the following things that I ought to consider come to mind:

  • document cable connections
  • export the current running-config
  • document the old ASA's firmware version
  • change the new ASA's firmware to the same version as the old one
  • Do admin passwords need to be set separately from the config?
  • Where are VPN user passwords stored?
  • What about certificates?

Things start to get pretty vague near the bottom of that list. I also feel like I might be missing some important items entirely.

What are all the things that need to be done when replacing failed Cisco ASA hardware?

Best Answer

One thing to add to the things collected is the licensed features (show activation-key detail).

This all depends on the ASA model and running version. Some parts will be in the config, others in flash files, and yet others in "private" flash files. The quickest and most complete procedure would be to swap the compact flash. Keep in mind the activation key is stored there as well, so get that from the new system before the swap.

For example, my ASA has webvpn configuration components that aren't in the running config, or visible flash filesystem.


For all models, you'll have to open the case to get the CF. ASA5505, it's along the edge of the board, visible from the outside, but not removable until the cover is lifted. ASA5510/20/... the CF is on a board near the external CF.
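
The version and licensed-feature items from the checklist above can be compared before the site visit. The script below is an added example, not part of the original question or answer: it diffs text saved from the old unit against text saved from the replacement. The sample text is constructed, the function names are hypothetical, and the "name : value" layout under a "Licensed features for this platform:" header is an assumption about how the saved output looks.

```python
import re

# Constructed samples in the style of saved ASA output (not from a real device).
OLD_UNIT = """\
Cisco Adaptive Security Appliance Software Version 9.1(7)
Licensed features for this platform:
Maximum Physical Interfaces    : 8         perpetual
Inside Hosts                   : Unlimited perpetual
AnyConnect Premium Peers       : 25        perpetual
"""
NEW_UNIT = """\
Cisco Adaptive Security Appliance Software Version 9.2(4)
Licensed features for this platform:
Maximum Physical Interfaces    : 8         perpetual
Inside Hosts                   : 10        perpetual
AnyConnect Premium Peers       : 2         perpetual
"""

VERSION_RE = re.compile(r"Software Version (\S+)")
HEADER = "Licensed features for this platform:"

def parse_unit(text):
    """Return (software_version, {feature: value}) from saved output."""
    m = VERSION_RE.search(text)
    version = m.group(1) if m else None
    features = {}
    for line in text.partition(HEADER)[2].splitlines():
        if not line.strip():
            if features:      # a blank line after the table ends it
                break
            continue
        name, sep, value = line.partition(":")
        if sep and value.split():
            features[name.strip()] = value.split()[0]
    return version, features

def compare_units(old_text, new_text):
    """List every difference to resolve before the swap."""
    old_ver, old_feat = parse_unit(old_text)
    new_ver, new_feat = parse_unit(new_text)
    findings = []
    if old_ver != new_ver:
        findings.append(f"software version: old {old_ver}, new {new_ver}")
    for name in sorted(set(old_feat) | set(new_feat)):
        o, n = old_feat.get(name, "absent"), new_feat.get(name, "absent")
        if o != n:
            findings.append(f"{name}: old {o}, new {n}")
    return findings

if __name__ == "__main__":
    print("\n".join(compare_units(OLD_UNIT, NEW_UNIT)) or "units match")
```

An empty result covers only the version and the license table; files held in flash, such as the webvpn components mentioned in the answer, are outside what this compares.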