08-13-2014 01:06 PM - edited 02-21-2020 05:16 AM
I have an ASA 5505 at my network site. We have just started running TrustWave scans against our routers and everything is passing EXCEPT for the following item:
SSL Certificate Public Key Too Small
Port: tcp/443
Server SSL certificates signed with a public key of less than 2048 bits are more susceptible to man in the middle attacks.
How do I fix this issue? This is a very plain vanilla setup, with no fancy hosting or anything of that nature. This device is pretty much acting as a firewall/router with nothing but a very basic configuration.
I've scoured the device looking for certs, self-signed certs, or anything where I could figure out how to install a server certificate signed with a public key length of at least 2048 bits. So far... no luck!
If there is anyone out there who can direct me in the right direction, it would be greatly appreciated.
Thank you so much ahead of time!
08-13-2014 02:23 PM
The key-size is specified when you generate the pub/priv key-pair:
asa(config)# crypto key generate rsa label VPN modulus 2048
The key-pair is then used in the trustpoint:
crypto ca trustpoint VPN-ID-CERT
..
keypair VPN
From that trustpoint you enroll your ASA with a CA.
08-29-2014 02:38 PM
I ran the following command:
asa(config)# crypto key generate rsa modulus 2048
and it still fails the test for the public key being too small. I'm not enrolling any of my ASA's with a CA. I believe they are all self-signed. Either way, why is a public key of less than 2048 bits being generated?
When I run the command:
asa# show crypto key mypubkey rsa
it returns this information:
Key pair was generated at: 05:14:56 UTC Aug 29 2014
Key name: <Default-RSA-Key>
Usage: General Purpose Key
Modulus Size (bits): 2048
I'm not sure why this is failing the vulnerability scan.
08-30-2014 01:26 AM
Did you use this new key to generate a certificate? If yes, did you bind that new certificate to the interface?
09-01-2014 07:48 AM
As Karsten notes, generating the RSA key is just your first step.
You need to then generate a new self-signed certificate specifying that 2048-bit RSA key as the signing key. Then bind that new certificate to your interface. Only then will your scan show the SSL certificate as being signed using a 2048-bit key.
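The complete sequence the replies in this thread describe (new key pair, a self-signed certificate generated from it, and that certificate bound to the interface), written out as an added example; it is not configuration from any of the original posts. The key label SSL-2048, the trustpoint name SELF-2048, the hostname asa.example.com and the interface name outside are assumptions; substitute your own. As the replies note, the key pair on its own changes nothing the scanner sees: the scanner inspects the certificate presented on tcp/443, so steps 2 to 4 are what actually fix the finding.

```cisco
! Added example (not from the original thread). Names SSL-2048, SELF-2048,
! asa.example.com and "outside" are assumptions; replace them with your own.

! 1. Generate a labelled 2048-bit RSA key pair. Using a label leaves
!    <Default-RSA-Key> untouched, so the SSH host key does not change.
crypto key generate rsa label SSL-2048 modulus 2048

! 2. Create a trustpoint that self-signs and uses that key pair.
crypto ca trustpoint SELF-2048
 enrollment self
 fqdn asa.example.com
 subject-name CN=asa.example.com
 keypair SSL-2048
exit

! 3. Generate the self-signed certificate from the trustpoint.
crypto ca enroll SELF-2048 noconfirm

! 4. Bind the new certificate to the interface that answers on tcp/443
!    (ASDM and/or SSL VPN). Until this step the old certificate is still served.
ssl trust-point SELF-2048 outside

! 5. Verify the certificate's key size and which trustpoint the interface uses,
!    then save.
show crypto ca certificates SELF-2048
show ssl
write memory
```

To confirm from a client what the scanner will see, connect with `openssl s_client -connect asa.example.com:443 </dev/null 2>/dev/null | openssl x509 -noout -text` and look for the `Public-Key: (2048 bit)` line. Expect ASDM and AnyConnect users to be prompted about the changed certificate on their next connection, as described later in this thread; if you regenerate the unlabelled default key instead of a labelled one, SSH clients will also see a changed host key.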
09-11-2014 02:20 PM
Is there anything to worry about when adding this to a production environment? My client only has one VPN user and a CCE on the inside of their network.
Thanks!!!
09-11-2014 04:23 PM
By CCE do you mean Cisco Callmanager Express?
As long as you don't have remote IP phones which connect to the ASA VPN directly, you should be OK. If you do, those phones will need to have the new ASA certificate loaded onto them so that they trust the certificate for server authentication on the SSL VPN. The remote access VPN user(s) will have to do the same thing but they can do so manually when reconnecting to the ASA that's using a new certificate.
09-11-2014 04:40 PM
Sorry, credit card environment. PCI related.
09-11-2014 07:52 PM
Ah - generally speaking PCI DSS requirements want more security vs. less. Given that a 2048-bit key is more secure than 1024 bits, that's a good thing.