ASA 5505 SSL Certificate Public Key Too Small

eolatech1
Level 1

I have an ASA 5505 at my network site.  We have just started running TrustWave scans against our routers and everything is passing EXCEPT for the following item:

SSL Certificate Public Key Too Small

Port: tcp/443

Server SSL certificates signed with a public key of less than 2048 bits are more susceptible to man in the middle attacks.

 

How do I fix this issue?  This is a very plain vanilla setup, with no fancy hosting or anything of that nature.  This device is pretty much acting as a firewall/router with nothing but a very basic configuration.

I've scoured the device looking for certs, self-signed certs, or anything where I could figure out how to install a server certificate signed with a public key length of at least 2048 bits.  So far... no luck!

If there is anyone out there who can direct me in the right direction, it would be greatly appreciated.

Thank you so much ahead of time!


8 Replies

The key-size is specified when you generate the pub/priv key-pair:

asa(config)# crypto key generate rsa label VPN modulus 2048

The key-pair is then used in the trustpoint:

crypto ca trustpoint VPN-ID-CERT
  ..
  keypair VPN

From that trustpoint you enroll your ASA with a CA.

 

I ran the following command:

asa(config)# crypto key generate rsa modulus 2048

and it still fails the test for the public key being too small. I'm not enrolling any of my ASAs with a CA. I believe they are all self-signed. Either way, why is a public key of less than 2048 bits being generated?

 

When I run the command:

asa# show crypto key mypubkey rsa

it returns this information:

Key pair was generated at: 05:14:56 UTC Aug 29 2014
Key name: <Default-RSA-Key>
 Usage: General Purpose Key
 Modulus Size (bits): 2048

I'm not sure why this is failing the vulnerability scan?

 

Did you use this new key to generate a certificate? If yes, did you bind that new certificate to the interface?

As Karsten notes, generating the RSA key is just your first step.

You need to then generate a new self-signed certificate specifying that 2048-bit RSA key as the signing key. Then bind that new certificate to your interface. Only then will your scan show the SSL certificate as being signed using a 2048-bit key.
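The two replies above (Karsten's key-pair and trustpoint commands, and Marvin's point that the key must then be turned into a certificate and bound to the interface) together describe one procedure. Here it is end to end as an added example; it is not configuration from the original thread, and the key label SSL-2048, the trustpoint name SSL-SELF, the hostname asa.example.com and the interface name outside are assumptions you would replace with your own. It uses self-signed enrollment, matching the poster's "I'm not enrolling with a CA" setup.

```cisco
! Added example, not from the thread. Names (SSL-2048, SSL-SELF,
! asa.example.com, outside) are placeholders.

! 1. Generate a 2048-bit RSA key pair under its own label, so it is not
!    confused with <Default-RSA-Key> (which an unlabelled "crypto key
!    generate rsa" overwrites).
crypto key generate rsa label SSL-2048 modulus 2048

! 2. Create a trustpoint that uses that key pair and enrolls self-signed.
!    The subject-name becomes the CN in the served certificate.
crypto ca trustpoint SSL-SELF
 enrollment self
 subject-name CN=asa.example.com
 keypair SSL-2048

! 3. Actually generate the self-signed certificate from the trustpoint.
!    Until this step the 2048-bit key exists but no certificate uses it,
!    which is why "show crypto key mypubkey rsa" alone does not satisfy
!    the scanner.
crypto ca enroll SSL-SELF noconfirm

! 4. Bind the new certificate to the interface that terminates
!    HTTPS / SSL VPN. This replaces whatever certificate tcp/443 served
!    before (typically the default self-signed one).
ssl trust-point SSL-SELF outside

! 5. Verify, then save.
show crypto key mypubkey rsa
show crypto ca certificates SSL-SELF
show running-config ssl
write memory
```

To confirm what the scanner actually sees rather than what the ASA has stored, check the served certificate from a client: `openssl s_client -connect <asa-ip>:443 </dev/null 2>/dev/null | openssl x509 -noout -text | grep Public-Key` should report `(2048 bit)` after step 4. Because the certificate changes, any client that trusts the old self-signed certificate (AnyConnect users, and phones registering through the VPN as the later reply notes) will have to accept or re-import the new one.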

Is there anything to worry about when adding this to a production environment? My client only has one VPN user and a CCE on the inside of their network.

 

Thanks!!!

By CCE do you mean Cisco Callmanager Express?

As long as you don't have remote IP phones which connect to the ASA VPN directly, you should be OK. If you do, those phones will need to have the new ASA certificate loaded onto them so that they trust the certificate for server authentication on the SSL VPN. The remote access VPN user(s) will have to do the same thing but they can do so manually when reconnecting to the ASA that's using a new certificate.

Sorry, credit card environment. PCI related.

Ah - generally speaking PCI DSS requirements want more security vs. less. Given that a 2048-bit key is more secure than 1024 bits, that's a good thing. 
