Cisco IOS root ca fingerprint

euanellis — Thu, 06 Aug 2020 11:21:25 GMT

Hi everyone,

We are deploying a IOS Cisco root CA and the root ca certificate is persistently being generated with an MD5 and SHA1 fingerprint. We have been able to configure the PKI sign identity certificates with SHA256 etc but failed with the root ca.

How do you change the fingerprint on the Root CA to be more secure; ie. SHA256 or SHA512?

Redacted config extract shown below:

crypto pki server ROOTCA

database level complete

database archive pkcs12 password

issuer-name CN=RootCA,ou=pki, o=hash

grant auto trustpoint ROOTCA

hash sha512

lifetime certificate 180

lifetime ca-certificate 730

auto-rollover 90

crypto pki trustpoint ROOTCA

revocation-check crl

rsakeypair ROOTCA

regenerate

hash sha256

CA Certificate

Status: Available

Version: 3

Certificate Serial Number (hex): 02

Certificate Usage: Signature

Issuer:

cn=RootCA

ou=pki

o=hash

Subject:

cn=RootCA

ou=pki

o=hash

Validity Date:

start date: 10:54:39 UTC Aug 6 2020

end date: 10:54:39 UTC Aug 6 2022

Subject Key Info:

Public Key Algorithm: rsaEncryption

RSA Public Key: (4096 bit)

Signature Algorithm: SHA512 with RSA Encryption

Fingerprint MD5: ***some hash***

Fingerprint SHA1: *** some hash***

topic Cisco IOS root ca fingerprint in Network Security

Cisco IOS root ca fingerprint