I am attempting to import a root CA certificate into my ASA 5585X from our internal PKI.
The CA Cert uses the following:
Signature algorithm - ECDSA
Signature hash algorithm - sha256
Public key - ECC (384 Bits)
I get the following error when attempting to import the certificate onto the ASA:
% Error in saving certificate: status = FAIL
I have run a debug and get the following messages:
CRYPTO_PKI: can not set ca cert object (0x722)
CRYPTO_PKI: status = 65535: failed to process RA certificate.
I have tried to import the CA using ASA versions 9.1.4 and 9.1.5.
Any help or suggestions would be greatly appreciated.
OK, so I have worked with my PKI guys on this and this is what we have found:
The first certificate that was generated used RSASSA-PSS, which was standardized in PKCS#1 v2.1 and is generally recommended as an alternative to the older, more widespread RSASSA algorithm in PKCS#1 v1.5.
It would appear that RSASSA-PSS does not work with Cisco ASA devices.
This shows as "specifiedECDSA" in the certificate signature algorithm field, whereas when the certificate was re-created using RSASSA-PSS the field showed as "sha256ECDSA" and the certificate loaded onto the ASA with no problems.
I am having the same issue with import of a new CA root and intermediate cert. I have read your most recent reply but it seems contradictory.
You state "It would appear that RSASSA-PSS does not work with Cisco ASA devices" and then go on to say "the certificate was re-created using RSASSA-PSS ... and the certificate loaded onto the ASA".
My root is 4096 and intermediate is 2048. Both show signature algorithm as RSASSA-PSS rather than anything with ECDSA in the field. See attached. Should these certs work or do I need to re-create in another way?
Thanks in advance.
Sorry for the late reply.
The certificate was re-signed using the RSASSA algorithm from PKCS#1 v1.5 rather than PKCS#1 v2.1.
This was a registry fix on the Windows machine issuing the certificates.
Also, if you are using key lengths 4096 and 2048 you are signing using RSA rather than ECDSA, so I'm not sure if you do have the same issue?
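The thread turns on one field of the CA certificate: the signatureAlgorithm OID that sits right after tbsCertificate in the DER structure. The following script is an added example, not code from the thread or from Cisco, that reads that OID with a small stdlib-only DER walker and flags id-RSASSA-PSS (1.2.840.113549.1.1.10) before you try an import. The sample certificates it parses are constructed in the script itself (structurally valid, cryptographically meaningless), and the function names (`signature_algorithm_oid`, `check_before_import`, `constructed_cert`) are this example's own; nothing here validates the signature or the chain.

```python
"""Inspect the signatureAlgorithm OID of a DER/PEM X.509 certificate.

Stdlib only. The parser reads just enough of the DER structure to reach
  Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
and decodes the OBJECT IDENTIFIER inside signatureAlgorithm (an AlgorithmIdentifier).
"""
import base64

PSS_OID = "1.2.840.113549.1.1.10"  # id-RSASSA-PSS, PKCS#1 v2.1

# Friendly names for the OIDs discussed in the thread (assumed mapping, from RFC 4055 / RFC 5758).
KNOWN_SIG_ALGS = {
    PSS_OID: "id-RSASSA-PSS (PKCS#1 v2.1)",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption (PKCS#1 v1.5)",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption (PKCS#1 v1.5)",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
    "1.2.840.10045.4.3.3": "ecdsa-with-SHA384",
}


def _read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the DER TLV starting at buf[pos]."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def _decode_oid(raw):
    """Decode DER OID content bytes into dotted notation."""
    first = raw[0]
    if first >= 80:
        parts = ["2", str(first - 80)]
    else:
        parts = [str(first // 40), str(first % 40)]
    value = 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear ends this sub-identifier
            parts.append(str(value))
            value = 0
    return ".".join(parts)


def pem_to_der(pem):
    """Strip the PEM armour and base64-decode the body."""
    body = "".join(l for l in pem.strip().splitlines() if not l.startswith("-----"))
    return base64.b64decode(body)


def signature_algorithm_oid(der):
    """Walk Certificate -> skip tbsCertificate -> signatureAlgorithm -> OID."""
    tag, start, _ = _read_tlv(der, 0)                    # outer Certificate SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, tbs_end = _read_tlv(der, start)                # tbsCertificate, skipped whole
    tag, alg_start, _ = _read_tlv(der, tbs_end)          # AlgorithmIdentifier SEQUENCE
    if tag != 0x30:
        raise ValueError("signatureAlgorithm is not a SEQUENCE")
    tag, oid_start, oid_end = _read_tlv(der, alg_start)  # OBJECT IDENTIFIER
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return _decode_oid(der[oid_start:oid_end])


def check_before_import(der):
    """Return (oid, name, ok) where ok is False when the cert is signed with RSASSA-PSS."""
    oid = signature_algorithm_oid(der)
    return oid, KNOWN_SIG_ALGS.get(oid, "unknown"), oid != PSS_OID


# ---- constructed sample data (a tiny DER encoder, used only to fabricate test certs) ----

def _tlv(tag, value):
    n = len(value)
    if n < 128:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def _encode_oid(dotted):
    parts = [int(p) for p in dotted.split(".")]
    out = bytearray([40 * parts[0] + parts[1]])
    for p in parts[2:]:
        chunk = [p & 0x7F]
        p >>= 7
        while p:
            chunk.append(0x80 | (p & 0x7F))
            p >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def constructed_cert(sig_oid):
    """Fabricated Certificate with the given signatureAlgorithm; not a real cert."""
    tbs = _tlv(0x30, _tlv(0x02, b"\x01"))  # stand-in tbsCertificate: SEQUENCE { INTEGER 1 }
    params = b"\x30\x00" if sig_oid == PSS_OID else b"\x05\x00"  # PSS params SEQUENCE vs NULL
    alg = _tlv(0x30, _tlv(0x06, _encode_oid(sig_oid)) + params)
    sig = _tlv(0x03, b"\x00" * 17)        # BIT STRING placeholder signature
    return _tlv(0x30, tbs + alg + sig)


if __name__ == "__main__":
    for oid in (PSS_OID, "1.2.840.113549.1.1.11", "1.2.840.10045.4.3.2"):
        found, name, ok = check_before_import(constructed_cert(oid))
        print(f"{found:24} {name:40} {'OK' if ok else 'RSASSA-PSS: expect ASA import failure'}")
```

For a real CA file, call `check_before_import(pem_to_der(open("ca.pem").read()))`; the OID-to-name map only covers the algorithms the thread mentions, so anything else reports as "unknown" while still returning the dotted OID.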