Cisco IOS root ca fingerprint

Hi everyone,

We are deploying an IOS Cisco root CA and the root CA certificate is persistently being generated with an MD5 and SHA1 fingerprint. We have been able to configure the PKI to sign identity certificates with SHA256 etc. but failed with the root CA.

How do you change the fingerprint on the Root CA to be more secure, i.e. SHA256 or SHA512?

Redacted config extract shown below:

crypto pki server ROOTCA
 database level complete
 database archive pkcs12 password
 issuer-name CN=RootCA,ou=pki, o=hash
 grant auto trustpoint ROOTCA
 hash sha512
 lifetime certificate 180
 lifetime ca-certificate 730
 auto-rollover 90
!
crypto pki trustpoint ROOTCA
 revocation-check crl
 rsakeypair ROOTCA
 regenerate
 hash sha256

 

CA Certificate
  Status: Available
  Version: 3
  Certificate Serial Number (hex): 02
  Certificate Usage: Signature
  Issuer:
    cn=RootCA
    ou=pki
    o=hash
  Subject:
    cn=RootCA
    ou=pki
    o=hash
  Validity Date:
    start date: 10:54:39 UTC Aug 6 2020
    end   date: 10:54:39 UTC Aug 6 2022
  Subject Key Info:
    Public Key Algorithm: rsaEncryption
    RSA Public Key: (4096 bit)
  Signature Algorithm: SHA512 with RSA Encryption
  Fingerprint MD5: ***some hash***
  Fingerprint SHA1: *** some hash***
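
Added example (not part of the original post and not Cisco code): a certificate fingerprint is a digest that the viewing tool computes over the certificate's DER encoding, separate from the signature algorithm recorded inside the certificate, so a SHA-256 or SHA-512 fingerprint can be computed out-of-band from the exported CA certificate. The sample bytes are a constructed DER skeleton, not a real certificate, and all function names are hypothetical.

```python
import base64
import hashlib

# Constructed DER skeleton (NOT a real certificate): tbsCertificate stub,
# AlgorithmIdentifier sha512WithRSAEncryption, and a one-byte dummy signature.
SAMPLE_DER = bytes.fromhex("30183003020102300d06092a864886f70d01010d050003020000")
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n" + base64.b64encode(SAMPLE_DER).decode()
              + "\n-----END CERTIFICATE-----\n")

def pem_to_der(pem):
    """Strip the PEM armor; fingerprints are taken over the DER bytes."""
    lines = [l for l in pem.strip().splitlines() if not l.startswith("-----")]
    return base64.b64decode("".join(lines))

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the count of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def signature_oid(der):
    """Dotted OID of Certificate.signatureAlgorithm (what the CA signed with)."""
    _, cert_start, _ = read_tlv(der, 0)           # outer Certificate SEQUENCE
    _, _, tbs_end = read_tlv(der, cert_start)     # skip tbsCertificate
    _, alg_start, _ = read_tlv(der, tbs_end)      # AlgorithmIdentifier SEQUENCE
    tag, start, end = read_tlv(der, alg_start)    # its OBJECT IDENTIFIER
    if tag != 0x06:
        raise ValueError("expected an OID in signatureAlgorithm")
    raw, value = der[start:end], 0
    arcs = [raw[0] // 40, raw[0] % 40]
    for b in raw[1:]:                             # base-128, high bit = "more"
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def fingerprints(der, algs=("sha1", "sha256", "sha512")):
    """Digests of the whole DER encoding, computed by the viewer, not stored in it."""
    return {a: hashlib.new(a, der).hexdigest().upper() for a in algs}

if __name__ == "__main__":
    der = pem_to_der(SAMPLE_PEM)
    print("signatureAlgorithm OID:", signature_oid(der))  # 1.2.840.113549.1.1.13
    print(fingerprints(der))
```

OID 1.2.840.113549.1.1.13 is sha512WithRSAEncryption, matching the "Signature Algorithm" line in the output above; the fingerprint values change with the digest chosen by the viewer while the certificate bytes stay the same.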
