Solved: Certificate Strength - Network devices

dylan.webb · ‎05-27-2013

How can I check what the cypher strength is of locally generated certificates on cisco IOS devices (firewalls, switches, routers, wlc, APs etc)

Additionally, is a local certificate generated with a cypher lower than 1024 considered weak?

Thank you

DGW

Marvin Rhoads · ‎05-28-2013

The command "show crypto pki certificate verbose" will give you the details of all certificates on your IOS devices (or "show crypto ca certificate" on ASA devices), including the strength of the public key used to sign it. For self-signed certificates this is generally the RSA key generated on the device.

Keys less than 1024 bits are generally considered "weak" but one can easily generate new keys and create certificates with them.

Whether or not a strong or weak certificate is important depends on what you are using it for. The most secure implementation would be to not use self-signed certificates at all but use a trusted enterprise Certificate Authority (or well-known public CA) and issue certificates from that root.

View solution in original post

Marvin Rhoads · ‎05-28-2013

The command "show crypto pki certificate verbose" will give you the details of all certificates on your IOS devices (or "show crypto ca certificate" on ASA devices), including the strength of the public key used to sign it. For self-signed certificates this is generally the RSA key generated on the device.

Keys less than 1024 bits are generally considered "weak" but one can easily generate new keys and create certificates with them.

Whether or not a strong or weak certificate is important depends on what you are using it for. The most secure implementation would be to not use self-signed certificates at all but use a trusted enterprise Certificate Authority (or well-known public CA) and issue certificates from that root.