cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
23418
Views
0
Helpful
14
Replies

SSL Certificate Chain Contains RSA Keys Less Than 2048 bits

tusharp81
Level 1
Level 1

                   Recenty we have done VA test for our cisco ASA 5520 . In that we got the following observation . The observation is on port 443 and we are accessing asdm on port 443 .

Kindly reply so that we can close this at the earliest . We already have tried increading the sizy by crypto key generate rsa general-keys 2048

Even after this command we get the key length of 2048 for ssh but when we access asdm still we get the bit length as 1024 bits . I am attachign the screen shot for the same .

SSL Certificate Chain Contains RSA Keys Less Than 2048 bits :

Synopsis :

The X.509 certificate chain used by this service contains certificates with RSA keys shorter than 2048 bits.

Descriptiopn :

At least one of the X.509 certificates sent by the remote host has a
key that is shorter than 2048 bits.  According to industry standards set
by the Certification Authority/Browser (CA/B) Forum, certificates issued
after January 1, 2014 must be at least 2048 bits.

Some browser SSL implementations may reject keys less than 2048 bits
after January 1, 2014.  Additionally, some SSL certificate vendors may
revoke certificates less than 2048 bits before January 1, 2014.

2 Accepted Solutions

Accepted Solutions

Here do we need to generate the new key pair or can we use the default Key pair .

As you already created the default keypair with 2048 bits, you can use the default one. But it's a good practice to have separate key-pairs for different functions. So I would generate a new key-pair with a specific label like "SSL-KEYS" and use that for ASDM.

Also for self signed certificate do we need to specify the DN attributes value ? i.e Common Name , Department , Company Name etc. etc .

that depends on how you want to access your ASA. If you have your ASA-FQDN in DNS, then use that as the subject (CN=asa.example.com). Or you use the inside IP address of the ASA to access the ASDM.

Also do we need to enable Act as local certificate authority and issue dynamic certificates to TLS proxy ?

no, that's a completely different functionality.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

View solution in original post

Although not shown here, you have a "certificate of last resort" which is used when no individual certificate is assigned. Thats the certificate that you see when accessing the ASA with HTTPS in the browser.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

View solution in original post

14 Replies 14

After generating the keys, you also have to generate a new certificate. The new key is not used automatically for SSL/TLS/HTTPS.


Sent from Cisco Technical Support iPad App

Dear Iwen ,

Thanks a lot . This is exactly what I am looking for . Can u please give me the process for generating the new certificate  ?

Regards,

Tushar

In ASDM, you have the "Certificate Management" under Configure -> Device management. There you choose Identity Certificates and add a new certificate. Here you use the option to generate a self-signed certificate. (I assume that you don't have a PKI in place that generates certificates in your company).

Sent from Cisco Technical Support iPad App

Dear Iwen ,

              Just to summarise :

   First we need to go to Device management --> Certificate management --> Identity Certificates --> Add --> Add new Identity Certificate .

Here do we need to generate the new key pair or can we use the default Key pair .

Also for self signed certificate do we need to specify the DN attributes value ? i.e Common Name , Department , Company Name etc. etc .

Also do we need to enable Act as local certificate authority and issue dynamic certificates to TLS proxy ?

Awaiting your reverts .

Thanks a lot .

Regards,

Tushar

Here do we need to generate the new key pair or can we use the default Key pair .

As you already created the default keypair with 2048 bits, you can use the default one. But it's a good practice to have separate key-pairs for different functions. So I would generate a new key-pair with a specific label like "SSL-KEYS" and use that for ASDM.

Also for self signed certificate do we need to specify the DN attributes value ? i.e Common Name , Department , Company Name etc. etc .

that depends on how you want to access your ASA. If you have your ASA-FQDN in DNS, then use that as the subject (CN=asa.example.com). Or you use the inside IP address of the ASA to access the ASDM.

Also do we need to enable Act as local certificate authority and issue dynamic certificates to TLS proxy ?

no, that's a completely different functionality.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

HI ,

We use inside ip address of the ASA to access ASDM .

Rgds,

Tushar

ok, then you have to (if I remember right) to use a subject "CN=yourIP" and under "Andvanced" you also put in your inside IP address.

After you have generated that certificate you go to Device-Management -> Advanced -> SSL Settings and change the certificate of your inside interface to that new generated one.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

Dear Iwen ,

            Currently we have not assigned any certificate to inside interface of ASA . Will applying the certificate on inside interface create any changes in way we login to asa or accessing asdm .Also currently in Certificate subject DN : we are having CN=D-ASA-1 ( host name of our ASA ) . Does it mean that we need to make it CN=yourIP ( or we need to mention IP address of inside interface ) . Attching scrrenshot for same .

Please revert . Thanks again for your support .

Tushar

You have a certificate assigned to the inside interface. Without that you couldn't access the ASA with ASDM. Perhaps you didn't do it intentionally because thats normally done automatically when setting up the ASA. It should also work with the subject-DN which is the ASA-name. In general (with exeptions) the subject name is that, what you put into your browser address-bar which would normally be the ip if you wan't to access the ASA by ip-address.

But that doesn't really matter as these self-signed certificates are not trusted by default and have to be imported to the browser anyway.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

Hi Iwen ,

  Below is the screen shot from our ASA which shows no certificate on inside interface .

Although not shown here, you have a "certificate of last resort" which is used when no individual certificate is assigned. Thats the certificate that you see when accessing the ASA with HTTPS in the browser.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

Dear Iwen ,

Thanks a lot for the resolution .

Dear Iwen ,

       We are having ASA in High Availibility environment . So as per my knowledge I need to do the above process on both the firewalls .

                     Is it ok if I do the above on standby firewall then check it and if everything is well then do the same on active firewall .

Rgds,

Tushar

HI Tushar, 

I also have the same finding during VA testing on Cisco ASA 5525.  While searching on internet that you also faced same finding and succesfully closed. Could you pls help me out to close the Vulnerability. 

Pls also share If there was any production impact in your scnerio when you was doing changes in parameter. 

If possible , kindly share step wise process to get rid of this risk.

Rgds

Review Cisco Networking for a $25 gift card