topic Ryhs,I am having the same in Network Security

Cisco ASA CA Certificate import error using ECDSA and SHA-256

rhyshobden — Tue, 12 Mar 2019 05:00:00 GMT

Hello,

I am attempting to import a root CA certificate into my ASA 5585X from our internal PKI.

The CA Cert uses the following:

Signature algorithm - ECDSA

Signature hash algorithm - sha256

Public key - ECC (384 Bits)

I get the following error when attempting to import the certificate onto the ASA:

% Error in saving certificate: status = FAIL

I have run a debug and get the following messages:

CRYPTO_PKI: can not set ca cert object (0x722)

CRYPTO_PKI: status = 65535: failed to process RA certificate.

I have tried to import the CA using ASA Version 9.1.4 and 9.1.5

Any help or suggestions would be greatly appreciated.

Thanks,

Rhys.

Hi,What is the expiration

Vibhor Amrodia — Wed, 29 Oct 2014 01:09:39 GMT

Hi,

What is the expiration date on this certificate ?

Thanks and Regards,

Vibhor Amrodia

Hi,Certificate details are as

rhyshobden — Wed, 29 Oct 2014 09:46:57 GMT

Hi,
Certificate details are as follows:

OK, so I have worked with my

rhyshobden — Fri, 31 Oct 2014 08:36:07 GMT

OK, so I have worked with my PKI guys on this and this is what we have found:

The first certificate that was generated used RSASSA-PSS, which was standardized in PKCS#1 v2.1 and is generally recommended to be used as an alternative to the older more widespread RSASSA algorithm in PKCS#1 v1.5.

It would appear that RSASSA-PSS does not work with Cisco ASA devices.

This shows as "specifiedECDSA" in the certificate signature algorithm field, where as when the certificate was re-created using RSASSA-PSS the field showed as "sha256ECDSA" and the certificate loaded onto the ASA with no problems

Thanks,
Rhys.

Ryhs,I am having the same

wesdouglas — Tue, 04 Nov 2014 16:00:11 GMT

Ryhs,

I am having the same issue with import of a new CA root and intermediate cert. I have read your most recent reply but it seems contradictory.

You state "It would appear that RSASSA-PSS does not work with Cisco ASA devices" then go on to say "the certificate was re-created using RSASSA-PSS.........and the certificate loaded onto the ASA"

My root is 4096 and intermediate is 2048. Both show signature algorithm as RSASSA-PSS rather than anything with ECDSA in the field. See attached. Should these certs work or do I need to re-create in another way?

Thanks in advance.

Wes

Hello,Sorry for the late

rhyshobden — Wed, 04 Feb 2015 10:43:05 GMT

Hello,

Sorry for the late reply.

The certificate was resigned using RSASSA algorithm in PKCS#1 v1.5 rather than PKCS#1 v2.1

This was a registry fix on the Windows machine issuing the certificates.

Also, if you are using key lengths 4096 and 2048 you are signing using RSA rather than ECDSA, so I'm not sure if you do have the same issue?

Regards,

Rhys

This is a known issue.

Atri Basu — Tue, 24 Nov 2015 03:21:32 GMT

This is a known issue. Enhancement request CSCup44159 has been filed to add support for RSASSA-PSS on the ASA.

This is a known issue.

Atri Basu — Tue, 24 Nov 2015 03:22:37 GMT

This is a known issue. Enhancement request CSCup44159 has been filed to add support for RSASSA-PSS on the ASA.