https://community.cisco.com/t5/network-security/cisco-asa-platform-version-rsa-4096-support/m-p/2456232#M238642 <P>See the <A href="http://www.cisco.com/c/en/us/td/docs/security/asa/asa90/release/notes/asarn90.html">release notes for ASA 9.0(x)</A>. As of 9.0(1) the ASA software introduced (among other things) support for "<SPAN style="color: rgb(0, 0, 0); font-family: Arial, Helvetica, sans-serif; font-size: 11px; line-height: normal;">RSA certificates with 4096 bit keys for DTLS and IKEv2</SPAN>"&nbsp;</P> Thu, 08 May 2014 14:04:27 GMT Marvin Rhoads 2014-05-08T14:04:27Z https://community.cisco.com/t5/network-security/cisco-asa-platform-version-rsa-4096-support/m-p/2456231#M238641 <P>Hi, all!</P><P>&nbsp;</P><P>I have Cisco ASA 5510 with 8.4(3)8 software onboar.</P><P>&nbsp;</P><P>Now i have an issue with Third Party wildcard certificate, which i whant to use in SSL-VPN. Issue is that it doesn't import. Doesn't import without any <SPAN class="short_text" id="result_box" lang="en"><SPAN class="hps">intelligible messages. I'm use pks12.</SPAN></SPAN></P><P>&nbsp;</P><P><SPAN class="short_text" lang="en"><SPAN class="hps">In other side i've tried import the same cert</SPAN></SPAN>ificate&nbsp; in ASA 5545X with&nbsp; 9.1(2) software and it imported fine.</P><P>&nbsp;</P><P>The previous wildcard certificate was working fine.</P><P>&nbsp;</P><P>Differents in this certificates that i found is RSA key lenth. In previous it was 2048, in current - 4096. It's look like my platform (5510) or my software (8.4(3)) doesn't support RSA 4096. But i cant found some official document about this.</P><P>&nbsp;</P><P>Does <SPAN class="short_text" id="result_box" lang="en"><SPAN class="hps">anyone else</SPAN> <SPAN class="hps">encountered this kind of problem</SPAN></SPAN>? Ot mayby someone reading about there?</P><P>&nbsp;</P><P>Thanks</P> Tue, 12 Mar 2019 04:10:26 GMT https://community.cisco.com/t5/network-security/cisco-asa-platform-version-rsa-4096-support/m-p/2456231#M238641 Luxoft Professional 2019-03-12T04:10:26Z https://community.cisco.com/t5/network-security/cisco-asa-platform-version-rsa-4096-support/m-p/2456232#M238642 <P>See the <A href="http://www.cisco.com/c/en/us/td/docs/security/asa/asa90/release/notes/asarn90.html">release notes for ASA 9.0(x)</A>. As of 9.0(1) the ASA software introduced (among other things) support for "<SPAN style="color: rgb(0, 0, 0); font-family: Arial, Helvetica, sans-serif; font-size: 11px; line-height: normal;">RSA certificates with 4096 bit keys for DTLS and IKEv2</SPAN>"&nbsp;</P> Thu, 08 May 2014 14:04:27 GMT https://community.cisco.com/t5/network-security/cisco-asa-platform-version-rsa-4096-support/m-p/2456232#M238642 Marvin Rhoads 2014-05-08T14:04:27Z https://community.cisco.com/t5/network-security/cisco-asa-platform-version-rsa-4096-support/m-p/2456233#M238643 <P>Still no support for certs with key size 4096 for SSL certificates though....&nbsp; just tried ( 9.2.1 ).</P><P>It imports to be used for other purposes, but when adding the trustpoint to the interface :</P><P>"RSA 4096 keys are not supported for ssl"</P><P>Bummer..</P><P>&nbsp;</P><P><BR />&nbsp;</P> Tue, 02 Sep 2014 09:00:31 GMT https://community.cisco.com/t5/network-security/cisco-asa-platform-version-rsa-4096-support/m-p/2456233#M238643 Daniel Sandstrom 2014-09-02T09:00:31Z https://community.cisco.com/t5/network-security/cisco-asa-platform-version-rsa-4096-support/m-p/2456234#M238644 <P>Not a bummer. Wholly and utterly unacceptable.&nbsp;<BR />"Hey, I know, let's arbitrarily limit the strength of the encryption on our so-called security appliances!"</P><P>Presently very displeased. I now either have to re-issue or re-purchase my wildcard cert and then re-re-install it everywhere (no thanks), or purchase an additional weaker cert specifically for my FWs. &nbsp;Thanks Cisco!</P> Mon, 08 Dec 2014 19:18:46 GMT https://community.cisco.com/t5/network-security/cisco-asa-platform-version-rsa-4096-support/m-p/2456234#M238644 blake 2014-12-08T19:18:46Z https://community.cisco.com/t5/network-security/cisco-asa-platform-version-rsa-4096-support/m-p/2456235#M238645 <P>And still no support for this.&nbsp;</P><P>Beyond flabbergasted why they wouldn't have this feature.&nbsp;</P><P>&nbsp;</P><P>I too have a 4096 RSA wildcard certificate and cannot use it on my ASA's.&nbsp;</P><P>&nbsp;</P><P>They are my VPN servers.&nbsp;</P> Thu, 18 Dec 2014 02:20:16 GMT https://community.cisco.com/t5/network-security/cisco-asa-platform-version-rsa-4096-support/m-p/2456235#M238645 AIS-ITADMIN 2014-12-18T02:20:16Z https://community.cisco.com/t5/network-security/cisco-asa-platform-version-rsa-4096-support/m-p/2456236#M238646 <P>Ok, so I have 3 ASAs (2x 5515X and one 5505)</P><P>The 5515X are running 9.4.1(3) (ASDM 7.4(3)), the 5505 is running 9.2(3).3 (ASDM 7.4(2))</P><P>&nbsp;</P><P>I didn't see this issue on my 5515X systems, but my 5505 did throw the error about not supporting RSA 4096 for SSL.</P><P>&nbsp;</P><P>&nbsp;</P> Thu, 06 Aug 2015 15:46:04 GMT https://community.cisco.com/t5/network-security/cisco-asa-platform-version-rsa-4096-support/m-p/2456236#M238646 dirkmelvin 2015-08-06T15:46:04Z https://community.cisco.com/t5/network-security/cisco-asa-platform-version-rsa-4096-support/m-p/2456237#M238647 <P>I actually found the Cisco document that details the platforms that support 4096 encryption. In case the link gets broken, this was the statement as of July 25, 2016.</P> <P>----------------------------------------------------------------------------------------------------------------------------------</P> <H3>CSR Generation</H3> <P>This is the first step in the lifecycle of any X.509 digital certificate. Once the private/public Rivest-Shamir-Adleman (RSA) or&nbsp;Elliptic Curve Digital Signature Algorithm (ECDSA) keypair is generated (<A href="http://www.cisco.com/c/en/us/support/docs/security-vpn/public-key-infrastructure-pki/200339-Configure-ASA-SSL-Digital-Certificate-I.html#anc30" target="_self" rel="nofollow noopener noreferrer">Appendix A</A> details the difference between the use of&nbsp;RSA or ECDSA), a Certficate Signing Request (CSR) is created. A CSR is basically a PKCS10 formatted message that contains&nbsp;the public key and identity information of the requesting host. <A href="http://www.cisco.com/c/en/us/support/docs/security/vpn-client/116039-pki-data-formats-00.html" target="_blank" rel="nofollow noopener noreferrer">PKI Data Formats</A>explains the different certificate formats applicable to the ASA and Cisco IOS<SUP>®</SUP>.</P> <P><STRONG>Notes</STRONG>:<BR />1. Check with the CA on the required keypair size. The CA/Browser Forum has mandated&nbsp;that all certificates&nbsp;generated by their member CAs have a&nbsp; minimum size of 2048 bits. <BR />2. ASA currently does not support 4096 bit keys (Cisco bug ID&nbsp;<A href="https://bst.cloudapps.cisco.com/bugsearch/bug/CSCut53512" target="_blank" rel="nofollow noopener noreferrer">CSCut53512</A>) for SSL server authentication. However, IKEv2 does support the use of 4096 bit server certificates on the ASA 5580, 5585, and 5500-X platforms alone. <BR />3. Use the DNS Name of the ASA in the FQDN field of the CSR in order to prevent Untrusted Certificate warnings and pass Strict Certificate check.</P> <P>----------------------------------------------------------------------------------------------------------------------------------</P> <P><A href="http://www.cisco.com/c/en/us/support/docs/security-vpn/public-key-infrastructure-pki/200339-Configure-ASA-SSL-Digital-Certificate-I.html#anc5">ASA 4096 RSA key</A></P> <P></P> <P>I know this is an old thread, but I searched for an hour after I found this post. Would have been nice to have it here.</P> Tue, 23 Aug 2016 23:44:36 GMT https://community.cisco.com/t5/network-security/cisco-asa-platform-version-rsa-4096-support/m-p/2456237#M238647 wchilds01 2016-08-23T23:44:36Z