cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

Community Helping Community

Creating a SHA-2 Certificate Signing Request using ECDSA

3154
Views
20
Helpful
2
Comments

Creating a SHA-2 CSR using ECDSA

Support

In ASA OS 9.0(1), released October 29, 2012, the ASA introduced support for creating ECDSA key pairs. Prior to this version certificates had to be created again RSA key pairs. Now we have the ability to create CSR's that use ECDSA keys.

Be aware however,   these certificates can not be used with SSL VPN unless your ASA is running a version of code that supports elliptic curve ciphers. 

Testing your CSR

You can test this by creating two keys and testing them against a CSR test site like Symantec or CertLogik

Symantec CSR Checker

CertLogik CSR Checker

This is how we created RSA Key pairs.

This should NOT be used and is only shown for clarification & comparison. 

!   Create the keypair
crypto key gen rsa label my.rsa2048.key modulus 2048 noconfirm
!
!   Create the CSR
crypto ca trustpoint my-trustpoint.lab-asa.xxxx.com
 subject-name CN=lab-asa.xxxx.com,O=My Company Inc,C=US,St=Pennsylvania,L=MyCity
 fqdn lab-asa.xxxx.com
  enrollment terminal
 keypair my.rsa2048.key
exit
!
!   Enroll the certificate
crypto ca enroll my-trustpoint.lab-asa.xxxx.com
!

Now go to Symantec's website and paste in the CSR from your ASA. You will see that the Key algorithm is RSA and the Key Size is 2048.  Just like we used when we created the key on the ASA.

 

Create a CSR that has 256 bit ECDSA keypair.

This is the new method and should be used. 

!   Create the keypair
crypto key gen ecdsa label my.ecdsa.key elliptic-curve 256 noconfirm
!
!   Create the CSR
crypto ca trustpoint my-trustpoint.lab-asa.xxxx.com
subject-name CN=lab-asa.xxxx.com,O=My Company Inc,C=US,St=Pennsylvania,L=MyCity
fqdn lab-asa.xxxx.com
enrollment terminal
keypair my.ecdsa.key
exit
!
!   Enroll the certificate
crypto ca enroll my-trustpoint.lab-asa.xxxx.com
!

 

You will notice that the ECDSA Key Size is 256 bits.  You may be concerned that it is far less than the 2048 bit RSA key. You should not be concerned because shorter elliptical curve key pairs are as strong or stronger than longer RSA keys. 

Create a CSR that has 384 bit ECDSA keypair.

!   Create the keypair
crypto key gen ecdsa label my.384ecdsa.key elliptic-curve 384 noconfirm
!
!   Create the CSR
crypto ca trustpoint my-trustpoint.lab-asa.xxxx.com
subject-name CN=lab-asa.xxxx.com,O=My Company Inc,C=US,St=Pennsylvania,L=MyCity
fqdn lab-asa.xxxx.com
enrollment terminal
keypair my.384ecdsa.key
exit
!
!   Enroll the certificate
crypto ca enroll my-trustpoint.lab-asa.xxxx.com
!

Please comment , rate , reply.  Thanks!

Comments
Not applicable

Thank you for the information Tim.

VIP Advocate

In regards on using openssl for a load-balanced VPN solution, do the same as here (openssl.cfg): https://www.cisco.com/c/en/us/support/docs/security-vpn/public-key-infrastructure-pki/200339-Configure-ASA-SSL-Digital-Certificate-I.html#anc8

 

Then create a key file with ECDSA-384:

openssl ecparam -name secp384r1 -genkey -noout -out vpn.hostname.ecdsa.key

 

Then create the CSR:

openssl req -new -nodes -sha256 -key vpn.hostname.ecdsa.key -out vpn.hostname.ecdsa.csr -config openssl.cfg

CreatePlease to create content
Content for Community-Ad
FusionCharts will render here