02-22-2024 04:56 AM
We have a Cisco ESA C195 with AsyncOS 15.0.1-030.
I have obtained a TLS certificate signed by Let's Encrypt. I have put the TLS certificate, its intermediate certificate and its private key in a PKCS#12 container.
When I try to import this PKCS#12 file in our ESA I get an error message: Validation Error : Insufficient public key size
The public key of my TLS certificate is as follows:
Subject Public Key Info:
Public Key Algorithm: id-ecPublicKey
Public-Key: (384 bit)
pub:
04:1f:9f:95:52:1f:12:ab:f4:52:72:7b:ba:8a:2d:
f7:02:b8:ea:ac:3e:ec:ae:f3:8e:cb:05:a6:51:3c:
4a:30:e1:2e:90:df:17:30:e2:c5:b8:7d:46:44:c1:
af:af:d8:ed:93:28:28:a3:35:43:57:11:0a:cb:04:
1e:5e:24:35:47:49:2a:b6:81:13:5d:0b:ea:ad:53:
17:2d:dd:0e:e0:bc:56:b3:45:7e:ff:e5:e1:de:08:
e0:a6:0c:43:75:df:88
ASN1 OID: secp384r1
NIST CURVE: P-384
As far as I know, a 384-bit EC public key is considered very secure (comparable to a 3072-bit RSA key).
Is there anything I can do to avoid the error "Insufficient public key size"?
The same TLS certificate works very well in an Apache HTTPD, hence I am quite sure that the certificate and the signing by Let's Encrypt are O.K.
02-23-2024 04:30 AM - edited 02-23-2024 02:34 PM
Hello,
After further review, ECDSA certificates should be supported in version 15.0. The enhancement request appears to be not updated; please have a TAC case opened for further validation of this error message.
Kind Regards,
02-23-2024 09:05 AM - edited 02-23-2024 09:07 AM
Thank you for your definite answer and for prompting me to the enhancement request.
I would like to express my wish that the enhancement request CSCuz62229 be implemented soon.
Perhaps the wording of the error message "Insufficient public key size" could be clarified as "ECC public keys are not supported" or similar?
In my opinion, two entries in the Release Notes for AsyncOS 15.0.1 (as of November 30, 2023) are misleading with respect to ECDSA and ECC certificates:
On page 9 (near the bottom), the entry about "ECDSA Certificates Support" states that ECDSA certificates can be used for inbound SMTP traffic.
On page 14, the entry "Support for importing ECDSA and EDDSA certificates" states that from this release onwards (that is: from release 15.0.0 onwards) we can import ECDSA certificates.
These two statements seem to be false or at least mistakable. Is it possible to file a bug report against the Release Notes?
03-06-2024 09:27 AM - edited 03-08-2024 12:03 PM
Opening a TAC case for this problem was helpful and has revealed the following:
The enhancement request CSCuz62229 has indeed been implemented in AsyncOS 15.0.0, but the implementation is defective.
We can import and use an ECC certificate if the certificate is signed by an ECDSA certificate authority. We cannot import and use an ECC certificate if the certificate is signed by an RSA certificate authority - this leads to the error message "Insufficient public key size".
This kind of "mixed" TLS certificate is very common: if you submit an ECDSA signing request to Let's Encrypt it will usually be signed by the "R3" CA, which is an RSA CA. You will only get a TLS certificate signed by the new Let's Encrypt "E1" CA (which is ECDSA) if you explicitly opt in to converting your whole Let's Encrypt account to E1, which may have drawbacks.
The fix for the defective implementation of ECC certificates is targeted in an upcoming release of AsyncOS 15.
Work on this defect can be observed in bug CSCwj25511.
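Added example (not part of the thread or of Cisco's own tooling): a small POSIX shell check, using only openssl, that tells whether a leaf certificate is the "mixed" case described above (EC public key, but signed by an RSA CA) before you spend time on a PKCS#12 import. The sample RSA CA and EC leaf it builds are constructed locally for demonstration; the function and file names are assumptions.

```shell
#!/bin/sh
# Classify a PEM certificate as the EC-key + RSA-signature "mixed" case.
# Requires openssl on PATH. All sample material is generated in a temp dir.
set -e

# Print ec-key / rsa-key / other-key for the certificate's public key algorithm.
leaf_key_type() {
  alg=$(openssl x509 -in "$1" -noout -text | sed -n 's/^ *Public Key Algorithm: //p' | head -n1)
  case "$alg" in
    id-ecPublicKey) echo ec-key ;;
    rsaEncryption)  echo rsa-key ;;
    *)              echo other-key ;;
  esac
}

# Print rsa-sig / ecdsa-sig / other-sig for the algorithm the issuing CA signed with.
leaf_sig_type() {
  alg=$(openssl x509 -in "$1" -noout -text | sed -n 's/^ *Signature Algorithm: //p' | head -n1)
  case "$alg" in
    *RSA*|rsassa*) echo rsa-sig ;;
    ecdsa*)        echo ecdsa-sig ;;
    *)             echo other-sig ;;
  esac
}

# "mixed" is exactly the combination the thread reports AsyncOS 15.0.1 rejects.
classify_leaf() {
  if [ "$(leaf_key_type "$1")" = ec-key ] && [ "$(leaf_sig_type "$1")" = rsa-sig ]; then
    echo mixed
  else
    echo plain
  fi
}

# Constructed sample: self-signed RSA CA (like Let's Encrypt R3) signing a P-384 leaf.
# Prints the path of the leaf certificate; ca.pem sits beside it.
make_sample_chain() {
  d=$(mktemp -d)
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$d/ca.key" -out "$d/ca.pem" \
    -subj "/CN=Sample RSA CA" -days 2 >/dev/null 2>&1
  openssl ecparam -name secp384r1 -genkey -noout -out "$d/leaf.key"
  openssl req -new -key "$d/leaf.key" -out "$d/leaf.csr" -subj "/CN=mail.example.test" 2>/dev/null
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" -CAcreateserial \
    -out "$d/leaf.pem" -days 2 >/dev/null 2>&1
  echo "$d/leaf.pem"
}

sample=$(make_sample_chain)
echo "sample leaf: $(classify_leaf "$sample")"   # prints: sample leaf: mixed
```

For a real bundle, extract the leaf first with `openssl pkcs12 -in bundle.p12 -nokeys -clcerts -out leaf.pem` and run `classify_leaf leaf.pem`.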