03-17-2022 05:38 AM
Hi Guys,
I generated a CSR in ASA using the CLI and sent it to my CA team to sign. However, they told me that my CSR is only in SHA-1 and they need it in SHA-2. How can I create a CSR with SHA-2 in ASA? Do I really need to use ECDSA instead of RSA, or can RSA alone do the job to be in SHA-2?
Thank you very much for the help.
03-17-2022 05:41 AM
What version of ASA code is running?
Here are the steps:
03-17-2022 08:45 AM
Hi @balaji.bandi, I am using ASA OS 9.12(4)24 and I already tried the one that you've provided, but the CA still recognizes it as SHA1 and not SHA2. Not sure what the issue really is.
03-18-2022 03:02 AM
Can you post show ip ssh?
03-17-2022 09:35 AM - edited 03-18-2022 04:40 PM
...
03-17-2022 11:13 PM
It seems that the ASA is just generating the CSR with the SHA1 Encryption Algorithm, and I confirmed it by using OpenSSL. So what I did was generate a CSR outside the ASA using OpenSSL so that I have SHA2. Not sure why it is like that; hopefully it is just a missing config.
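The check and workaround described in the post above, as an added example that is not part of the original thread: it reads the signature algorithm from a CSR with OpenSSL and creates an RSA CSR signed with SHA-256. The helper names, file names and subject are constructed placeholders.

```bash
#!/usr/bin/env bash
# Added example. Subject, file names and helper names are constructed placeholders.

# Print the signature algorithm recorded in a PEM-encoded CSR ($1).
csr_sig_alg() {
    openssl req -in "$1" -noout -text 2>/dev/null |
        awk -F': *' '/Signature Algorithm/ { sub(/[ \t\r]+$/, "", $2); print $2; exit }'
}

# Return 0 when an OpenSSL algorithm name uses a SHA-2 digest, 1 otherwise
# (sha1WithRSAEncryption and ecdsa-with-SHA1 fall through to the default).
is_sha2_sig() {
    case "$1" in
        sha224With*|sha256With*|sha384With*|sha512With*) return 0 ;;
        ecdsa-with-SHA224|ecdsa-with-SHA256|ecdsa-with-SHA384|ecdsa-with-SHA512) return 0 ;;
        *) return 1 ;;
    esac
}

# Create a 2048-bit RSA key ($1) and a CSR ($2) for subject ($3), signed with SHA-256.
# The digest is chosen by -sha256; the key type stays RSA.
new_sha256_csr() {
    ( umask 077   # keep the private key readable by the owner only
      openssl req -new -newkey rsa:2048 -nodes -sha256 \
          -keyout "$1" -out "$2" -subj "$3" 2>/dev/null )
}

# Demo with a constructed subject in a throwaway directory.
demo_dir=$(mktemp -d)
if new_sha256_csr "$demo_dir/asa.key" "$demo_dir/asa.csr" "/CN=vpn.example.invalid/O=Example"; then
    alg=$(csr_sig_alg "$demo_dir/asa.csr")
    if is_sha2_sig "$alg"; then
        echo "OK: CSR signed with $alg"
    else
        echo "REJECT: CSR signed with $alg"
    fi
fi
rm -rf "$demo_dir"
```

Running `csr_sig_alg` on a CSR before sending it to the CA shows which digest the request was signed with.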
03-17-2022 09:44 AM - edited 03-18-2022 04:40 PM
...
03-18-2022 12:37 AM
Most probably your ASA is using the default RSA keys. You can check this using the command show crypto key mypubkey rsa
To delete the RSA host key pair, enter the following command.
crypto key zeroize rsa
And to generate more than 2048 bits, the command is
crypto key generate rsa modulus 2048
And call these keys in your trust point.
These are a few links shared by others. If you follow them, it will fix your problem.
03-18-2022 04:39 PM