ACE supports 4096-bit SSL certificates?

Plinio Brandao
Level 1

Hi,

I have some questions about the size of the certificates in the ACE module (ACE20). Reading the following link: http://docwiki.cisco.com/wiki/Cisco_Application_Control_Engine_%28ACE%29_Troubleshooting_Guide_--_Troubleshooting_SSL

I can verify this text: 4096 (high security, level 4) - For software release A2(2.4) and later in the ACE module and software release A3(2.6) and later in the ACE appliance, you can use 4096-bit SSL certificates in chaingroups and authgroups. You can also import public certificates and keys that are 4096 bits in length.

We intend to use a certificate (CA) with keys of 4096 bits and according to the text of wiki, it's possible.

But if I check the guide (http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/vA2_3_0/configuration/ssl/guide/certkeys.html), I can't see this information.

Is anybody already using certificates with 4096 bits in the ACE20 module?

Thank you in advance.

Plinio

Accepted Solutions

Kanwaljeet Singh
Cisco Employee

Hi Plinio,

The ACE allows a maximum public key size of 4096 bits. The maximum private key size is 2048 bits. This is from A5(2.1), which is the latest release. In A2(3.) the maximum you can import is 2048 bits. You can configure chain group CAs of 4096 bits, but you cannot use a certificate and key pair of more than 2048 bits. That is mentioned in the link you have pasted.

Regards,

Kanwal

Hi Kanwal,

Thank you for your feedback. So, just to confirm, in ACE A2(3.) the following configuration can use certificates of 4096 bits?

crypto chaingroup chaingroup1
   cert CA_cert_intermediate_3.cer
crypto authgroup Auth-Initiation
   cert CA_cert_root.cer
ssl-proxy service WebInitiation
   authgroup Auth-Initiation

And here I just can use certificate and key pair of up to 2048 bits:

ssl-proxy service POSWEBTermination-DES
   key key-des.pem
   cert DES.cer
   chaingroup chaingroup1
   ssl advanced-options POSWEB_MAPSSL

Am I right?

Thank you again.

Hi Plinio,

Yes, that looks right.

Regards,

Kanwal
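
A pre-import check for the limits given in the accepted answer (2048 bits for a certificate and key pair, 4096 bits for CA certificates in a chaingroup or authgroup), added here as an example; it is not part of the original thread and not Cisco tooling. The function names and the role names `pair-cert`, `pair-key` and `ca` are hypothetical, and the script assumes unencrypted PEM files and the `openssl` command-line tool.

```shell
#!/bin/sh
# Added example (not from the thread). Limits are the ones stated in the
# accepted answer; role names and function names are made up for illustration.
# Usage after sourcing:  ace_check pair-cert DES.cer
#                        ace_check pair-key  key-des.pem
#                        ace_check ca        CA_cert_root.cer

# Public-key size in bits of a PEM certificate.
cert_bits() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit.*/\1/p' | head -n 1
}

# Size in bits of an unencrypted PEM private key.
key_bits() {
    openssl pkey -in "$1" -noout -text 2>/dev/null |
        sed -n 's/.*Private-Key: (\([0-9][0-9]*\) bit.*/\1/p' | head -n 1
}

# Maximum size per role, as given in the accepted answer.
ace_limit() {
    case "$1" in
        pair-cert|pair-key) echo 2048 ;;   # cert/key under ssl-proxy service
        ca)                 echo 4096 ;;   # certs in chaingroup / authgroup
        *)                  return 2 ;;
    esac
}

# Returns 0 if FILE fits the limit for ROLE, 1 if too large, 2 on error.
ace_check() {
    limit=$(ace_limit "$1") || { echo "unknown role: $1" >&2; return 2; }
    case "$1" in
        pair-key) bits=$(key_bits "$2") ;;
        *)        bits=$(cert_bits "$2") ;;
    esac
    [ -n "$bits" ] || { echo "$2: cannot read key size" >&2; return 2; }
    if [ "$bits" -le "$limit" ]; then
        echo "OK   $2: $bits bits (limit $limit for $1)"
    else
        echo "FAIL $2: $bits bits exceeds limit $limit for $1"
        return 1
    fi
}

# Returns 0 only if the certificate and the private key share a public key.
pair_matches() {
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ -n "$c" ] && [ "$c" = "$k" ]
}
```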
