ASA 5515 - SSL certificate - transition from SHA1 to SHA2

rcampb3ll (Level 1)

We have an ASA 5515 running ver 9.1(2). (Actually 2 of them in an HA Active/Passive cluster)

The ssl cert installed on our ASA that we currently use for SSL VPN is SHA1. This cert is due to expire soon, so we are looking to renew it before it expires. We would want the new cert to be SHA2.

I've looked over this cisco technote for SSL cert renewal information:

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/107956-renew-ssl.html

It doesn't specifically address transitioning from a SHA1 cert to a SHA2 cert. Am I safe to follow the steps in this doc, considering that we will be requesting a SHA2 SSL cert? Any caveats that I need to be aware of?

Many thanks in advance.

7 Replies

It all depends on the CA you use. Two examples:

  • Entrust
    You can generate your CSR on the ASA, and in the Entrust web-portal you choose that you want your cert to be signed with SHA2.
  • StartSSL
    If you generate your CSR on the ASA it will be signed with SHA-1. You will get a SHA-1 signed certificate back.
    If you generate a CSR with OpenSSL (or any tool that is capable of that) and sign your request with SHA2, the certificate will also be signed with SHA2.
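Added example, not code from this thread, from Cisco or from any CA: the point above is that the CA reacts to the hash the CSR itself was signed with, so the check worth doing before submitting a request is to read the signatureAlgorithm field out of the CSR. The block below parses just enough PKCS#10 DER (standard library only) to do that; the two sample CSRs at the bottom are constructed stubs with placeholder request bodies, not real requests, so only their algorithm field is meaningful.

```python
"""Read the signature algorithm of a PKCS#10 CSR (PEM or DER) to see whether it was signed with SHA-1 or SHA-2."""
import base64
import re

# Signature-algorithm OIDs (RFC 3279 / RFC 4055 / RFC 5758) and the hash each implies.
SIG_ALGS = {
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", "sha1"),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", "sha256"),
    "1.2.840.113549.1.1.12": ("sha384WithRSAEncryption", "sha384"),
    "1.2.840.113549.1.1.13": ("sha512WithRSAEncryption", "sha512"),
    "1.2.840.10045.4.1": ("ecdsa-with-SHA1", "sha1"),
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", "sha256"),
    "1.2.840.10045.4.3.3": ("ecdsa-with-SHA384", "sha384"),
}
SHA2_HASHES = {"sha256", "sha384", "sha512"}


def der_read_tlv(buf, pos):
    """Read one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def der_children(value):
    """Split a constructed DER value into its child (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = der_read_tlv(value, pos)
        out.append((tag, val))
    return out


def oid_decode(raw):
    """Decode OID content octets into dotted form, e.g. '1.2.840.113549.1.1.11'."""
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def pem_to_der(csr):
    """Accept a PEM-armoured CSR (str or bytes) or raw DER bytes."""
    if isinstance(csr, bytes) and not csr.lstrip().startswith(b"-----"):
        return csr
    text = csr.decode("ascii") if isinstance(csr, bytes) else csr
    body = re.sub(r"-----(BEGIN|END)[^-]*-----", "", text)
    return base64.b64decode("".join(body.split()))


def csr_signature_algorithm(csr):
    """Return (oid, name, hash) from the signatureAlgorithm field of a CSR."""
    tag, body, _ = der_read_tlv(pem_to_der(csr), 0)
    if tag != 0x30:
        raise ValueError("CSR is not a DER SEQUENCE")
    children = der_children(body)
    # CertificationRequest ::= SEQUENCE { certificationRequestInfo, signatureAlgorithm, signature }
    if len(children) != 3 or children[1][0] != 0x30:
        raise ValueError("unexpected CertificationRequest layout")
    alg_tag, alg_val = der_children(children[1][1])[0]
    if alg_tag != 0x06:
        raise ValueError("signatureAlgorithm does not start with an OID")
    oid = oid_decode(alg_val)
    name, hash_name = SIG_ALGS.get(oid, ("unknown", "unknown"))
    return oid, name, hash_name


def csr_is_sha2(csr):
    """True when the CSR itself was signed with a SHA-2 family hash."""
    return csr_signature_algorithm(csr)[2] in SHA2_HASHES


# --- constructed sample CSRs (stubs for this example; not real requests) -------------------------
def _der(tag, content):
    n = len(content)
    length = bytes([n]) if n < 0x80 else (bytes([0x81, n]) if n < 0x100 else bytes([0x82, n >> 8, n & 0xFF]))
    return bytes([tag]) + length + content


def _oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for a in arcs[2:]:
        chunk, a = [a & 0x7F], a >> 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out.extend(reversed(chunk))
    return _der(0x06, bytes(out))


def constructed_csr(sig_oid):
    """Structurally valid CSR whose request info and signature are placeholders; only the algorithm matters."""
    info = _der(0x30, _der(0x02, b"\x00"))             # certificationRequestInfo stub: version 0 only
    alg = _der(0x30, _oid(sig_oid) + _der(0x05, b""))  # AlgorithmIdentifier { oid, NULL }
    sig = _der(0x03, b"\x00" * 33)                      # BIT STRING placeholder, no real signature
    return _der(0x30, info + alg + sig)


SHA1_CSR = constructed_csr("1.2.840.113549.1.1.5")      # what an older ASA image hands back
SHA256_CSR = constructed_csr("1.2.840.113549.1.1.11")   # what 'openssl req -sha256' produces
SHA256_CSR_PEM = "-----BEGIN CERTIFICATE REQUEST-----\n" + base64.encodebytes(SHA256_CSR).decode() + "-----END CERTIFICATE REQUEST-----\n"

if __name__ == "__main__":
    for label, csr in (("asa-style", SHA1_CSR), ("openssl-style PEM", SHA256_CSR_PEM)):
        print(label, csr_signature_algorithm(csr), "SHA-2:", csr_is_sha2(csr))
```

On a real request the same check is `openssl req -noout -text -in request.csr` and reading the Signature Algorithm line; the parser above gives the same answer without OpenSSL installed, and returns "unknown" rather than guessing for OIDs it does not list.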

Thanks for the response Karsten!

When I am generating the CSR from my ASA, because I will be choosing a SHA2 cert (from the Entrust portal actually), do I use my existing key pair, or do I need to create a new key pair?

You can keep your old key. But if it's only a 2048 bit key (or even less), this is the time to increase the bitsize for some added security. I typically use 3072 Bit keys. Probably the keys that I will renew next year will all be 4096 bit.

One more question for you.

Considering that our intended use of this new SSL cert will be for SSL VPN, what are the potential negative ramifications of choosing the 4096 bit over the 2048 bit? From the remote user perspective, would any slowdown occur only during initial setup of the VPN session, or would it be throughout the entire VPN session?

(ok...so it was actually 2 questions.)


The session setup will be slightly slower. The session data is protected with symmetric crypto like AES256/SHA1 (or AES-GCM in the future); that doesn't need the public key crypto any more.

Thanks again Karsten! Your help and advice is much appreciated!

Cheers.

Hi All,

I have this problem too. My IOS version is 9.2.2(4) and I am using a 5585-X. Is there any solution for generating a CSR with SHA2 enabled? Or do we have to upgrade first to 9.3 or newer to support SHA2?

For your info, I will buy the certificate from Cybertrust, not Entrust.

Kindly waiting for your reply.

Thanks.
