Beginner

Cisco ASA CA Certificate import error using ECDSA and SHA-256

Hello,

 

I am attempting to import a root CA certificate into my ASA 5585X from our internal PKI.

The CA Cert uses the following:

Signature algorithm - ECDSA

Signature hash algorithm - sha256

Public key - ECC (384 Bits)

 

I get the following error when attempting to import the certificate onto the ASA:

% Error in saving certificate: status = FAIL

 

I have run a debug and get the following messages:

CRYPTO_PKI: can not set ca cert object (0x722)

CRYPTO_PKI: status = 65535: failed to process RA certificate.

 

I have tried to import the CA using ASA Version 9.1.4 and 9.1.5

 

Any help or suggestions would be greatly appreciated.

Thanks,

Rhys.

 

 

7 Replies
Cisco Employee

Hi,

What is the expiration date on this certificate ?

Thanks and Regards,

Vibhor Amrodia

Beginner

Hi,
Certificate details are as follows:

Cisco Employee

This is a known issue.

This is a known issue. Enhancement request CSCup44159 has been filed to add support for RSASSA-PSS on the ASA.

Beginner

OK, so I have worked with my PKI guys on this and this is what we have found:

The first certificate that was generated used RSASSA-PSS, which was standardized in PKCS#1 v2.1 and is generally recommended to be used as an alternative to the older more widespread RSASSA algorithm in PKCS#1 v1.5.

It would appear that RSASSA-PSS does not work with Cisco ASA devices.

This shows as "specifiedECDSA" in the certificate signature algorithm field, whereas when the certificate was re-created using RSASSA-PSS the field showed as "sha256ECDSA" and the certificate loaded onto the ASA with no problems.

Thanks,
Rhys.

Beginner

Rhys,

I am having the same issue with import of a new CA root and intermediate cert. I have read your most recent reply but it seems contradictory.

 

You state "It would appear that RSASSA-PSS does not work with Cisco ASA devices" then go on to say "the certificate was re-created using RSASSA-PSS ... and the certificate loaded onto the ASA".

My root is 4096 and intermediate is 2048. Both show signature algorithm as RSASSA-PSS rather than anything with ECDSA in the field. See attached. Should these certs work or do I need to re-create in another way?

 

Thanks in advance.

Wes

 

 

Beginner

Hello,

Sorry for the late reply.

The certificate was re-signed using the RSASSA algorithm in PKCS#1 v1.5 rather than PKCS#1 v2.1.

This was a registry fix on the Windows machine issuing the certificates.

 

Also, if you are using key lengths 4096 and 2048 you are signing using RSA rather than ECDSA, so I'm not sure if you do have the same issue?

 

Regards,

Rhys
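As an added example (not code from this thread, from Cisco, or from the ASA), the following Python script does the pre-import check that Rhys's two replies above imply: it reads the signatureAlgorithm field of a certificate (PEM or DER), decodes the OID, and flags the two "hash carried in the algorithm parameters" forms discussed here, RSASSA-PSS (OID 1.2.840.113549.1.1.10, the subject of CSCup44159) and ecdsa-with-Specified (OID 1.2.840.10045.4.3, the form Windows labels "specifiedECDSA"), before the file is ever pasted into the ASA. It uses only the standard library; the certificates it checks are constructed stand-ins with a placeholder TBS and an empty signature, the set of rejected OIDs is my reading of the replies rather than a Cisco statement, and all function and variable names are my own.

```python
"""Pre-import check of an X.509 certificate's signatureAlgorithm OID.

Added example, not code from the thread or from Cisco. Only the outer DER
structure is walked: Certificate ::= SEQUENCE { tbsCertificate,
signatureAlgorithm, signature }. Certificates used here are constructed.
"""
import base64
import re

# OID -> name. REJECTED_BY_ASA is an assumption drawn from the replies above
# (PSS from the Cisco reply, specifiedECDSA from Rhys's failed import).
SIG_ALG_NAMES = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.10": "RSASSA-PSS",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.10045.4.3": "ecdsa-with-Specified",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
    "1.2.840.10045.4.3.3": "ecdsa-with-SHA384",
}
REJECTED_BY_ASA = {"1.2.840.113549.1.1.10", "1.2.840.10045.4.3"}


def _der_len(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag, content):
    return bytes([tag]) + _der_len(len(content)) + content


def encode_oid(dotted):
    """Dotted OID -> DER OBJECT IDENTIFIER (base-128 sub-identifiers)."""
    arcs = [int(a) for a in dotted.split(".")]
    subids = [40 * arcs[0] + arcs[1]] + arcs[2:]
    out = bytearray()
    for v in subids:
        chunk = [v & 0x7F]
        v >>= 7
        while v:
            chunk.append(0x80 | (v & 0x7F))
            v >>= 7
        out.extend(reversed(chunk))
    return der_tlv(0x06, bytes(out))


def decode_oid(content):
    """DER OBJECT IDENTIFIER content bytes -> dotted string."""
    subids, v = [], 0
    for b in content:
        v = (v << 7) | (b & 0x7F)
        if not b & 0x80:
            subids.append(v)
            v = 0
    first = subids[0]
    arc0 = min(first // 40, 2)
    return ".".join(str(a) for a in [arc0, first - 40 * arc0] + subids[1:])


def read_tlv(buf, pos):
    """Return (tag, content, position after the element) for the TLV at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def load_cert(data):
    """Accept PEM or DER bytes and return the DER certificate."""
    if data.lstrip().startswith(b"-----BEGIN"):
        return base64.b64decode(re.sub(rb"-----[^-]+-----|\s", b"", data))
    return data


def signature_algorithm_oid(cert_der):
    tag, cert, _ = read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _tbs, pos = read_tlv(cert, 0)          # skip tbsCertificate
    _, sig_alg, _ = read_tlv(cert, pos)       # AlgorithmIdentifier
    tag, oid_body, _ = read_tlv(sig_alg, 0)   # first element is the OID
    if tag != 0x06:
        raise ValueError("signatureAlgorithm does not start with an OID")
    return decode_oid(oid_body)


def check_asa_compatible(data):
    """Return (ok, algorithm name) for a PEM or DER certificate."""
    oid = signature_algorithm_oid(load_cert(data))
    return oid not in REJECTED_BY_ASA, SIG_ALG_NAMES.get(oid, oid)


def fake_cert(sig_oid, params=b"\x05\x00"):
    """Constructed stand-in: placeholder TBS, empty signature, real OID."""
    tbs = der_tlv(0x30, der_tlv(0x02, b"\x01"))
    sig_alg = der_tlv(0x30, encode_oid(sig_oid) + params)
    return der_tlv(0x30, tbs + sig_alg + der_tlv(0x03, b"\x00\x00\x00\x00\x00"))


def to_pem(der):
    b64 = base64.b64encode(der).decode()
    lines = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{lines}\n-----END CERTIFICATE-----\n".encode()


if __name__ == "__main__":
    # PSS carries its parameters as a SEQUENCE (empty = defaults); the
    # sha256WithRSAEncryption stand-in is what the re-signed v1.5 CA looks like.
    for label, cert in [
        ("PSS-signed CA", fake_cert("1.2.840.113549.1.1.10", der_tlv(0x30, b""))),
        ("re-signed CA", to_pem(fake_cert("1.2.840.113549.1.1.11"))),
        ("ECDSA CA", fake_cert("1.2.840.10045.4.3.2")),
    ]:
        ok, name = check_asa_compatible(cert)
        print(f"{label:14s} {name:26s} {'import' if ok else 'REJECT: re-sign first'}")
```

On a real file the same field is visible with `openssl x509 -in ca.cer -noout -text`, where it prints as `Signature Algorithm: rsassaPss` or `ecdsa-with-SHA256`; the label a Windows certificate viewer shows ("specifiedECDSA", "sha256ECDSA") is only a display name, and the OID is what the ASA's parser sees.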
