topic Thanks again Karsten! Your in Network Security

ASA 5515 - SSL certificate - transition from SHA1 to SHA2

rcampb3ll — Tue, 12 Mar 2019 05:14:43 GMT

We have an ASA 5515 running ver 9.1(2). (Actually 2 of them in an HA Active/Passive cluster)

The ssl cert installed on our ASA that we currently use for SSL VPN is SHA1. This cert is due to expire soon, so we are looking to renew it before it expires. We would want the new cert to be SHA2.

I've looked over this cisco technote for SSL cert renewal information:

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/107956-renew-ssl.html

It doesn't specifically address if transitioning from a SHA1 cert to an SHA2 cert. Am I safe to follow the steps in this doc, considering that we will be requesting an SHA2 SSL cert? Any caveats that I need to be aware of?

Many thanks in advance.

It all depends on the CA you

Karsten Iwen — Thu, 18 Dec 2014 20:59:34 GMT

It all depends on the CA you use. Two examples:

Entrust
You can generate your CSR on the ASA, and in the Entrust web-portal you choose that you want your cert to be signed with SHA2.
StartSSL
If you generate your CSR on the ASA it will be signed with SHA-1. You will get a SHA-1 signed certificate back.
If you generate a CSR with openSSL (or any tool that is capable of that) and sign your request with SHA2, the certificate will also be signed with SHA2

Thanks for the response

rcampb3ll — Thu, 18 Dec 2014 21:16:42 GMT

Thanks for the response Karsten!

When I am generating the CSR from my ASA, because I will be choosing a SHA2 cert (from the Entrust portal actually), do I use my existing key pair, or do I need to create a new key pair?

You can keep your old key.

Karsten Iwen — Thu, 18 Dec 2014 21:40:29 GMT

You can keep your old key. But if it's only a 2048 bit key (or even less), this is the time to increase the bitsize for some added security. I typically use 3072 Bit keys. Probably the keys that I will renew next year will all be 4096 bit.

One more question for you

rcampb3ll — Thu, 18 Dec 2014 22:54:54 GMT

One more question for you.

Considering that our intended use of this new SSL cert will be for SSL VPN, what are the potential negative ramifications of chosing the 4096 bit over the 2048 bit? From the remote user perspective, would any slowdown occur only during initial setup of the VPN session, or would it be throughout the entire VPN session?

(ok...so it was actually 2 questions.)

The sessio-setup will be

Karsten Iwen — Fri, 19 Dec 2014 07:17:24 GMT

The sessio-setup will be slightly slower. The session-data is protected with symetric crypto like AES256/SHA1 (or AES-GCM in the future), they don't need the public key crypto any more.

Thanks again Karsten! Your

rcampb3ll — Fri, 19 Dec 2014 15:41:33 GMT

Thanks again Karsten! Your help and advice is much appreciated!

Cheers.

Hi All,I have this problem

irvan.tambunan — Tue, 09 Jun 2015 02:58:28 GMT

Hi All,

I have this problem too. My IOS version is 9.2.2(4) and using 5585-X. Is there any solution for generating CSR enabled SHA2? Or we have to upgrade first to 9.3 or newer to support SHA2.

For you info, i will buy certificate from Cybertrust, not Entrust.

Kindly waiting for your reply.

Thanks.