05-08-2014 06:55 AM - edited 03-11-2019 09:10 PM
Hi, all!
I have a Cisco ASA 5510 with 8.4(3)8 software onboard.
Now I have an issue with a third-party wildcard certificate, which I want to use in SSL-VPN. The issue is that it doesn't import. It doesn't import, without any intelligible messages. I'm using PKCS12.
On the other side, I've tried importing the same certificate on an ASA 5545X with 9.1(2) software and it imported fine.
The previous wildcard certificate was working fine.
The difference in these certificates that I found is the RSA key length. In the previous one it was 2048, in the current one 4096. It looks like my platform (5510) or my software (8.4(3)) doesn't support RSA 4096. But I can't find any official document about this.
Has anyone else encountered this kind of problem? Or maybe someone has read about it somewhere?
Thanks
05-08-2014 07:04 AM
See the release notes for ASA 9.0(x). As of 9.0(1) the ASA software introduced (among other things) support for "RSA certificates with 4096 bit keys for DTLS and IKEv2"
09-02-2014 02:00 AM
Still no support for certs with key size 4096 for SSL certificates though... just tried (9.2.1).
It imports to be used for other purposes, but when adding the trustpoint to the interface:
"RSA 4096 keys are not supported for ssl"
Bummer..
12-08-2014 11:18 AM
Not a bummer. Wholly and utterly unacceptable.
"Hey, I know, let's arbitrarily limit the strength of the encryption on our so-called security appliances!"
Presently very displeased. I now either have to re-issue or re-purchase my wildcard cert and then re-re-install it everywhere (no thanks), or purchase an additional weaker cert specifically for my FWs. Thanks Cisco!
08-06-2015 08:46 AM
Ok, so I have 3 ASAs (2x 5515X and one 5505)
The 5515X are running 9.4.1(3) (ASDM 7.4(3)), the 5505 is running 9.2(3).3 (ASDM 7.4(2))
I didn't see this issue on my 5515X systems, but my 5505 did throw the error about not supporting RSA 4096 for SSL.
12-17-2014 06:20 PM
And still no support for this.
Beyond flabbergasted why they wouldn't have this feature.
I too have a 4096 RSA wildcard certificate and cannot use it on my ASAs.
They are my VPN servers.
08-23-2016 04:44 PM
I actually found the Cisco document that details the platforms that support 4096 encryption. In case the link gets broken, this was the statement as of July 25, 2016.
----------------------------------------------------------------------------------------------------------------------------------
This is the first step in the lifecycle of any X.509 digital certificate. Once the private/public Rivest-Shamir-Adleman (RSA) or Elliptic Curve Digital Signature Algorithm (ECDSA) keypair is generated (Appendix A details the difference between the use of RSA or ECDSA), a Certificate Signing Request (CSR) is created. A CSR is basically a PKCS10 formatted message that contains the public key and identity information of the requesting host. PKI Data Formats explains the different certificate formats applicable to the ASA and Cisco IOS®.
Notes:
1. Check with the CA on the required keypair size. The CA/Browser Forum has mandated that all certificates generated by their member CAs have a minimum size of 2048 bits.
2. ASA currently does not support 4096 bit keys (Cisco bug ID CSCut53512) for SSL server authentication. However, IKEv2 does support the use of 4096 bit server certificates on the ASA 5580, 5585, and 5500-X platforms alone.
3. Use the DNS Name of the ASA in the FQDN field of the CSR in order to prevent Untrusted Certificate warnings and pass Strict Certificate check.
----------------------------------------------------------------------------------------------------------------------------------
I know this is an old thread, but I searched for an hour after I found this post. Would have been nice to have it here.