Cisco ASA platform\version RSA 4096 support

Hi, all!

I have a Cisco ASA 5510 with 8.4(3)8 software onboard.

Now I have an issue with a third-party wildcard certificate, which I want to use in SSL-VPN. The issue is that it doesn't import. It doesn't import without any intelligible messages. I'm using PKCS12.

On the other side, I've tried importing the same certificate in an ASA 5545X with 9.1(2) software and it imported fine.

The previous wildcard certificate was working fine.

The difference in these certificates that I found is the RSA key length. In the previous one it was 2048, in the current one 4096. It looks like my platform (5510) or my software (8.4(3)) doesn't support RSA 4096. But I can't find any official document about this.

Has anyone else encountered this kind of problem? Or maybe someone has read about it somewhere?

Thanks

6 Replies

Marvin Rhoads (Hall of Fame)

See the release notes for ASA 9.0(x). As of 9.0(1) the ASA software introduced (among other things) support for "RSA certificates with 4096 bit keys for DTLS and IKEv2".

Still no support for certs with key size 4096 for SSL certificates though.... just tried (9.2.1).

It imports to be used for other purposes, but when adding the trustpoint to the interface:

"RSA 4096 keys are not supported for ssl"

Bummer..

Not a bummer. Wholly and utterly unacceptable. 
"Hey, I know, let's arbitrarily limit the strength of the encryption on our so-called security appliances!"

Presently very displeased. I now either have to re-issue or re-purchase my wildcard cert and then re-re-install it everywhere (no thanks), or purchase an additional weaker cert specifically for my FWs.  Thanks Cisco!

Ok, so I have 3 ASAs (2x 5515X and one 5505).

The 5515X are running 9.4.1(3) (ASDM 7.4(3)), the 5505 is running 9.2(3).3 (ASDM 7.4(2)).

I didn't see this issue on my 5515X systems, but my 5505 did throw the error about not supporting RSA 4096 for SSL.

And still no support for this.

Beyond flabbergasted why they wouldn't have this feature.

I too have a 4096 RSA wildcard certificate and cannot use it on my ASA's.

They are my VPN servers.

wchilds01 (Level 1)

I actually found the Cisco document that details the platforms that support 4096 encryption. In case the link gets broken, this was the statement as of July 25, 2016.

----------------------------------------------------------------------------------------------------------------------------------

CSR Generation

This is the first step in the lifecycle of any X.509 digital certificate. Once the private/public Rivest-Shamir-Adleman (RSA) or Elliptic Curve Digital Signature Algorithm (ECDSA) keypair is generated (Appendix A details the difference between the use of RSA or ECDSA), a Certificate Signing Request (CSR) is created. A CSR is basically a PKCS10 formatted message that contains the public key and identity information of the requesting host. PKI Data Formats explains the different certificate formats applicable to the ASA and Cisco IOS®.

Notes:
1. Check with the CA on the required keypair size. The CA/Browser Forum has mandated that all certificates generated by their member CAs have a minimum size of 2048 bits.
2. ASA currently does not support 4096 bit keys (Cisco bug ID CSCut53512) for SSL server authentication. However, IKEv2 does support the use of 4096 bit server certificates on the ASA 5580, 5585, and 5500-X platforms alone.
3. Use the DNS Name of the ASA in the FQDN field of the CSR in order to prevent Untrusted Certificate warnings and pass Strict Certificate check.

----------------------------------------------------------------------------------------------------------------------------------
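An added example (not from this thread or from Cisco) for the problem in the original post and the quoted note 2 above: a pure-Python check of the RSA modulus size in a DER SubjectPublicKeyInfo (the public-key structure inside a certificate or CSR), so a 4096-bit key can be caught before the silent ASA import failure. The `encode_rsa_spki` and `sample_modulus` helpers exist only to build constructed sample input (random numbers, not real keys), and `asa_ssl_accepts` encodes the limit exactly as the thread states it.

```python
import secrets
RSA_OID = bytes.fromhex("2a864886f70d010101")  # rsaEncryption, 1.2.840.113549.1.1.1

def _der_len(n: int) -> bytes:
    if n < 0x80:                                   # short form
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body        # long form

def _der(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(body)) + body

def _der_int(v: int) -> bytes:
    # one spare byte keeps the INTEGER positive when the top bit is set
    return _der(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big"))

def encode_rsa_spki(n: int, e: int = 65537) -> bytes:
    """SubjectPublicKeyInfo for an RSA key (only used to build constructed input)."""
    alg = _der(0x30, _der(0x06, RSA_OID) + b"\x05\x00")     # AlgorithmIdentifier
    pub = _der(0x30, _der_int(n) + _der_int(e))             # RSAPublicKey
    return _der(0x30, alg + _der(0x03, b"\x00" + pub))      # BIT STRING wrapper

def sample_modulus(bits: int) -> int:
    """Constructed modulus of exactly `bits` bits; NOT a real key, size check only."""
    return secrets.randbits(bits) | (1 << (bits - 1)) | 1

def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: next N bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def rsa_modulus_bits(spki: bytes) -> int:
    """Parse a DER SubjectPublicKeyInfo and return the RSA modulus size in bits."""
    _, spki_body, _ = _read_tlv(spki, 0)
    _, alg_body, pos = _read_tlv(spki_body, 0)
    _, oid, _ = _read_tlv(alg_body, 0)
    if oid != RSA_OID:
        raise ValueError("not an RSA public key (e.g. ECDSA); this size check does not apply")
    _, bitstr, _ = _read_tlv(spki_body, pos)
    _, rsa_body, _ = _read_tlv(bitstr[1:], 0)   # skip the unused-bits octet
    _, modulus, _ = _read_tlv(rsa_body, 0)
    return int.from_bytes(modulus, "big").bit_length()

def asa_ssl_accepts(bits: int) -> bool:
    """Per the thread and CSCut53512: SSL trustpoints reject 4096-bit RSA; CAs require >= 2048."""
    return 2048 <= bits < 4096
```

To check a real certificate, extract its SubjectPublicKeyInfo as DER (for example with openssl) and pass the bytes to `rsa_modulus_bits` before running the ASA import.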

ASA 4096 RSA key

I know this is an old thread, but I searched for an hour after I found this post. Would have been nice to have it here.
