07-24-2024 04:22 AM
Hey all,
I have a synopsis from a VA on my Catalyst switch, as below:
"The X.509 certificate chain used by this service contains certificates with RSA keys shorter than 2048 bits."
and the suggested mitigation is as follows:
Replace the certificate in the chain with the RSA key less than 2048 bits in length with a longer key, and reissue any certificates signed by the old certificate.
I've been searching for hours, but what I found is related to changing the Diffie Hellman key size!!
My question is:
How can I change the modulus size?
Please help!
07-24-2024 04:53 AM
The certificate is basically a signed container that holds a public key and some information. This key should be at least 2048 bits nowadays. They are asking that you generate a new key pair of appropriate length and use this to request a new certificate from your CA. Diffie-Hellman is not related to this message.
07-24-2024 05:27 AM
Thanks for your reply.
Could you give me some resources to implement this?
07-24-2024 05:41 AM
The command to generate new RSA keys of 2048 bits length is as follows:
crypto key generate rsa modulus 2048
Hope this helps.
07-24-2024 06:02 AM
When the VA complains about the CA chain, I expect that you will have to ask your CA administrators. If it is the device certificate, the process starts with the command above, but you also have to configure a trustpoint and let it interact with your CA. Better get someone to do it for you.
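The steps described in the replies above (new key pair, trustpoint, CA enrollment), laid out as an added example that is not from any poster in this thread. It assumes the flagged certificate is the switch's own HTTPS server certificate and that enrollment is done by copy and paste with the CA; TP-2048, KEY-2048 and switch01.example.com are placeholder names.

```ios
! Added example. Placeholder names: KEY-2048, TP-2048, switch01.example.com
configure terminal
!
! 1. Generate a new 2048-bit RSA key pair under its own label, so the
!    existing key pair stays in place until the new certificate is installed.
crypto key generate rsa label KEY-2048 modulus 2048
!
! 2. Define a trustpoint bound to that key pair. "enrollment terminal pem"
!    means the CSR and certificates are exchanged by copy and paste.
crypto pki trustpoint TP-2048
 enrollment terminal pem
 subject-name CN=switch01.example.com
 rsakeypair KEY-2048 2048
 exit
!
! 3. Paste the CA certificate (PEM) when prompted and confirm its fingerprint.
crypto pki authenticate TP-2048
!
! 4. Generate the certificate signing request; it is printed to the terminal.
!    Hand it to the CA administrators for signing.
crypto pki enroll TP-2048
!
! 5. Paste the certificate issued by the CA when prompted.
crypto pki import TP-2048 certificate
!
! 6. Assumption: the service flagged by the VA is the HTTPS server.
!    Bind it to the new trustpoint and restart it so the change takes effect.
ip http secure-trustpoint TP-2048
no ip http secure-server
ip http secure-server
end
!
! 7. Check the key size reported for the device certificate and for each
!    CA certificate in the chain.
show crypto pki certificates verbose TP-2048
```

If step 7 still shows a CA certificate with a key shorter than 2048 bits, the finding applies to the CA chain itself and has to be fixed on the CA side, as the last reply says.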