Validation Error: Insufficient public key size when importing TLS cert

kippdata · ‎02-22-2024

We have a Cisco ESA C195 with AsyncOS 15.0.1-030.
I have obtained a TLS certificate signed by Let's Encrypt. I have put the TLS certificate, its intermediate certificate and its private key in a PKCS#12 container.
When I try to import this PKCS#12 file in our ESA I get an error message: Validation Error : Insufficient public key size
The public key of my TLS certificate is as follows:

      Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (384 bit)
                pub:
                    04:1f:9f:95:52:1f:12:ab:f4:52:72:7b:ba:8a:2d:
                    f7:02:b8:ea:ac:3e:ec:ae:f3:8e:cb:05:a6:51:3c:
                    4a:30:e1:2e:90:df:17:30:e2:c5:b8:7d:46:44:c1:
                    af:af:d8:ed:93:28:28:a3:35:43:57:11:0a:cb:04:
                    1e:5e:24:35:47:49:2a:b6:81:13:5d:0b:ea:ad:53:
                    17:2d:dd:0e:e0:bc:56:b3:45:7e:ff:e5:e1:de:08:
                    e0:a6:0c:43:75:df:88
                ASN1 OID: secp384r1
                NIST CURVE: P-384

As far as I know is a 384 bit EC public key considered as very secure (comparable to a 3072 bit RSA key).
Is there anything I can do to avoid the error "Insufficient public key size"?
The same TLS certificate works very well in an Apache HTTPD, hence I am quite sure that the certificate and the signing by Let's Encrypt are O.K.

Nasreen Al Haddad · ‎02-23-2024

Hello,

After further review , ECDSA certificate should be supported in version 15.0.The Enhancement request appears to be not updated , please have a TAC case opened for further validation of this error message

Kind Regards,

kippdata · ‎02-23-2024

Thank you for your definite answer and for prompting me to the enhancement request.
I would like to express my wish that the enhancement request CSCuz62229 be implemented soon.

Perhaps the wording of the error message "Insufficient public key size" could be clarified as "ECC public keys are not supported" or similar?

In my opinion, two entries in the Release Notes for AsyncOS 15.0.1 (as of November 30, 2023) are misleading with respect to ECDSA and ECC certificates:
On page 9 (near the bottom), the entry about "ECDSA Certificates Support" states that ECDSA certificates can be used for inbound SMTP traffic.
On page 14, the entry "Support for importing ECDSA and EDDSA certificates" states that from this release onwards (that is: from release 15.0.0 onwards) we can import ECDSA certificates.
These two statements seem to be false or at least mistakable. Is it possible to file a bug report against the Release Notes?

kippdata · ‎03-06-2024

Opening a TAC case for this problem was helpful and has revealed the following:
The enhancement request CSCuz62229 has indeed been implemented in AsyncOS 15.0.0, but the implementation is defective.
We can import and use an ECC certificate if the certificate is signed by an ECDSA certificate authority. We cannot import and use an ECC certificate if the certificate is signed by an RSA certificate authority - this leads to the error message "Insufficient public key size".
This kind of "mixed" TLS certificates is very common: If you submit an ECDSA signing request to Let's Encrypt it will usually be signed by the "R3" CA which is an RSA CA. You will only get a TLS certificate signed by the new Let's Encrypt "E1" CA (which is ECDSA) if you explicitly opt-in for conversion of your whole Let's Encrypt account to E1 which may have drawbacks.

The fix for the defective implementation of ECC certificates is targeted in an upcoming release of AsyncOS 15.
Work on this defect can be observed in bug CSCwj25511.