RSA key less than 2048 bits for X.509 certificate chain certificate

at@ps
Level 1

Hey all,

I have a synopsis from a VA on my Catalyst switch, as below:
"The X.509 certificate chain used by this service contains certificates with RSA keys shorter than 2048 bits."

and the suggested mitigation is as follows:

Replace the certificate in the chain with the RSA key less than 2048 bits in length with a longer key, and reissue any certificates signed by the old certificate.

I've been searching for hours, but what I found is related to changing the Diffie-Hellman key size!!

My question is:

How can I change the modulus size?

Please help!

4 Replies

The certificate is basically a signed container that holds a public key and some information. This key should be at least 2048 bits nowadays. They are asking that you generate a new key pair of appropriate length and use this to request a new certificate from your CA. Diffie-Hellman is not related to this message.

Thanks for your reply.

Could you give me some resources to implement this?

The command to generate new RSA keys of 2048-bit length is as follows:

crypto key generate rsa modulus 2048

Hope this helps.

Regards, LG

When the VA complains about the CA chain, I expect that you will have to ask your CA administrators. If it is the device certificate, the process starts with the command above, but you also have to configure a trustpoint and let it interact with your CA. Better get someone to do it for you.
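
The device-certificate path described in the replies above, as an added example that is not part of the original thread: generate a 2048-bit key pair, bind it to a trustpoint, and enroll with the CA by copy and paste. The labels VA-FIX-KEY and VA-FIX-TP and the name sw1.example.com are placeholders, and the `ip http secure-trustpoint` step assumes the flagged service is the switch's HTTPS server, which the thread does not state.

```cisco
! Added example. VA-FIX-KEY, VA-FIX-TP and sw1.example.com are placeholders.
! This covers the device certificate only. If the short key belongs to a
! CA certificate in the chain, the CA itself has to be re-keyed and reissue.
!
configure terminal
 !
 ! 1. New 2048-bit RSA key pair under its own label, so the existing
 !    key pair keeps working until the new certificate is installed.
 crypto key generate rsa label VA-FIX-KEY modulus 2048
 !
 ! 2. Trustpoint that uses the new key pair. "enrollment terminal" means
 !    the CSR and certificates are exchanged by copy and paste.
 crypto pki trustpoint VA-FIX-TP
  enrollment terminal
  subject-name CN=sw1.example.com
  rsakeypair VA-FIX-KEY 2048
  exit
 !
 ! 3. Paste the CA certificate (PEM) when prompted and accept it.
 crypto pki authenticate VA-FIX-TP
 !
 ! 4. Print the certificate request and hand it to the CA for signing.
 crypto pki enroll VA-FIX-TP
 !
 ! 5. Paste the certificate the CA issued for that request.
 crypto pki import VA-FIX-TP certificate
 !
 ! 6. Assumption: the scan flagged the HTTPS server. Point it at the
 !    new trustpoint so it stops presenting the old certificate.
 ip http secure-trustpoint VA-FIX-TP
 end
!
! 7. Confirm the key pair exists and the certificate is installed.
show crypto key mypubkey rsa VA-FIX-KEY
show crypto pki certificates VA-FIX-TP
```

After the change, rerun the scan against the same service to confirm that every certificate it presents now carries an RSA key of at least 2048 bits.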