Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
6692
Views
5
Helpful
7
Replies

Cisco ASA CA Certificate import error using ECDSA and SHA-256

rhyshobden
Level 1
Level 1

‎10-28-2014 09:51 AM - edited ‎03-11-2019 10:00 PM

Hello,

 

I am attempting to import a root CA certificate into my ASA 5585X from our internal PKI.

The CA Cert uses the following:

Signature algorithm - ECDSA

Signature hash algorithm - sha256

Public key - ECC (384 Bits)

 

I get the following error when attempting to import the certificate onto the ASA:

% Error in saving certificate: status = FAIL

 

I have run a debug and get the following messages:

CRYPTO_PKI: can not set ca cert object (0x722)

CRYPTO_PKI: status = 65535: failed to process RA certificate.

 

I have tried to import the CA using ASA Version 9.1.4 and 9.1.5

 

Any help or suggestions would be greatly appreciated.

Thanks,

Rhys.

 

 

Labels:
0 Helpful
7 Replies 7

Vibhor Amrodia
Cisco Employee
Cisco Employee

‎10-28-2014 06:09 PM

Hi,

What is the expiration date on this certificate ?

Thanks and Regards,

Vibhor Amrodia

0 Helpful

rhyshobden
Level 1
Level 1
In response to Vibhor Amrodia

‎10-29-2014 02:46 AM

Hi,
Certificate details are as follows:

0 Helpful

Atri Basu
Cisco Employee
Cisco Employee
In response to rhyshobden

‎11-23-2015 07:21 PM

This is a known issue. Enhancement request CSCup44159 has been filed to add support for RSASSA-PSS on the ASA.

0 Helpful

rhyshobden
Level 1
Level 1

‎10-31-2014 01:36 AM

OK, so I have worked with my PKI guys on this and this is what we have found:

The first certificate that was generated used RSASSA-PSS, which was standardized in PKCS#1 v2.1 and is generally recommended to be used as an alternative to the older more widespread RSASSA algorithm in PKCS#1 v1.5.

It would appear that RSASSA-PSS does not work with Cisco ASA devices.

This shows as "specifiedECDSA" in the certificate signature algorithm field, where as when the certificate was re-created using RSASSA-PSS the field showed as "sha256ECDSA" and the certificate loaded onto the ASA with no problems

Thanks,
Rhys.

wesdouglas
Level 1
Level 1
In response to rhyshobden

‎11-04-2014 08:00 AM

Ryhs,

I am having the same issue with import of a new CA root and intermediate cert. I have read your most recent reply but it seems contradictory.

 

You state "It would appear that RSASSA-PSS does not work with Cisco ASA devices" then go on to say "the certificate was re-created using RSASSA-PSS.........and the certificate loaded onto the ASA"

My root is 4096 and intermediate is 2048. Both show signature algorithm as RSASSA-PSS rather than anything with ECDSA in the field. See attached. Should these certs work or do I need to re-create in another way?

 

Thanks in advance.

Wes

 

 

Preview file
13 KB
0 Helpful

rhyshobden
Level 1
Level 1
In response to wesdouglas

‎02-04-2015 02:43 AM

Hello,

Sorry for the late reply.

The certificate was resigned using RSASSA algorithm in PKCS#1 v1.5 rather than PKCS#1 v2.1

This was a registry fix on the Windows machine issuing the certificates.

 

Also, if you are using key lengths 4096 and 2048 you are signing using RSA rather than ECDSA, so I'm not sure if you do have the same issue?

 

Regards,

Rhys

0 Helpful

Atri Basu
Cisco Employee
Cisco Employee

‎11-23-2015 07:22 PM

This is a known issue. Enhancement request CSCup44159 has been filed to add support for RSASSA-PSS on the ASA.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card