SSL/TLS: Certificate Signed Using A Weak Signature Algorithm

PaoloArnedo
Level 1

Hello, our switch Cisco WS-C2960L-SM-24PS has this vulnerability, and the recommended solution is to obtain new SHA-2 signed SSL/TLS certificates to avoid web browser SSL/TLS certificate warnings. Can you please guide me on how to do this or suggest some commands that I can run on the device? Thanks in advance.

6 Replies

balaji.bandi
Hall of Fame

Check the self-signed certificate (clients are also required to trust that certificate) - do you have PKI infrastructure inside?

 

https://www.cisco.com/c/en/us/support/docs/security-vpn/public-key-infrastructure-pki/215118-ios-self-signed-certificate-expiration-o.html

 

BB


@PaoloArnedo, are you actually using the HTTP or HTTPS server on the switch to manage the device? If not, disable them, and then the switch won't be listening on tcp/443.

 

If you are, create a new trustpoint, authenticate/enroll the certificate to generate a CSR, and sign the certificate with your internal CA.

 

Example trustpoint:

! Trustpoint that holds the CA chain and the switch's own identity certificate
crypto pki trustpoint LAB_PKI
 ! Terminal (cut-and-paste) enrollment: CSR and certificates are exchanged as PEM text on the console
 enrollment terminal
 ! No CRL/OCSP lookup for this certificate (acceptable for an internal management CA)
 revocation-check none

Once the signed certificate has been imported, assign it to the trustpoint:

 

ip http secure-trustpoint LAB_PKI

Delete the old trustpoint.
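The full terminal-enrollment sequence behind the steps above, written out as an added example (not the original poster's configuration): it keeps the LAB_PKI trustpoint name from the reply, pins the trustpoint's signature hash to SHA-256 so the CA-signed certificate is not SHA-1, and ends with the checks that confirm the new certificate is the one the HTTPS server presents. The subject name is a placeholder, and the commands are assumed to be available on the IOS release running on this switch.

```cisco
! 1. Generate a dedicated 2048-bit RSA key pair for the HTTPS identity
crypto key generate rsa label LAB_PKI modulus 2048
!
! 2. Define the trustpoint (names/CN are placeholders; adjust to your CA's policy)
crypto pki trustpoint LAB_PKI
 enrollment terminal
 subject-name CN=switch01.example.internal
 rsakeypair LAB_PKI
 ! Request SHA-256 for the CSR signature; the CA must also sign with SHA-2
 hash sha256
 revocation-check none
!
! 3. Import the internal CA's certificate (paste the base64 PEM, then type "quit")
crypto pki authenticate LAB_PKI
!
! 4. Generate the CSR; it is printed to the terminal, submit it to the internal CA
crypto pki enroll LAB_PKI
!
! 5. Import the CA-signed identity certificate (paste the base64 PEM, then type "quit")
crypto pki import LAB_PKI certificate
!
! 6. Bind the HTTPS server to the new trustpoint (and stop serving plain HTTP)
no ip http server
ip http secure-server
ip http secure-trustpoint LAB_PKI
!
! 7. Verify: the identity certificate must show the SHA-256 signature algorithm
!    and the HTTP server must report LAB_PKI as its trustpoint
show crypto pki certificates LAB_PKI
show ip http server secure status
!
! 8. Only now remove the old self-signed trustpoint (name is a placeholder)
no crypto pki trustpoint TP-self-signed-OLD
```

Re-check from a client afterwards (for example with a browser or openssl s_client) that the certificate chain presented on tcp/443 is the new CA-signed one, since the scanner that raised the finding will test exactly that.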

Thank you for the insight. To answer your question, yes, I am using HTTP as a server. Does the process need a reboot of the device, and can it affect the hosts communicating with the switch?

@PaoloArnedo the web interface (http or https) is for management purposes only, so it will not affect the connected hosts. No it does not require a reboot.

thank you! also may I ask, how do I deploy (Ephemeral) Elliptic-Curve Diffie-Hellman (ECDHE) or use a 2048-bit or stronger Diffie-Hellman group on the device? 

....
