Tim Glen
Cisco Employee

Creating a SHA-2 CSR using ECDSA


In ASA OS 9.0(1), released October 29, 2012, the ASA introduced support for creating ECDSA key pairs. Prior to this version, certificates had to be created against RSA key pairs. Now we have the ability to create CSRs that use ECDSA keys.

Be aware, however, that these certificates cannot be used with SSL VPN unless your ASA is running a version of code that supports elliptic curve ciphers.

Testing your CSR

You can test this by creating two keys and checking the resulting CSRs against a CSR test site such as Symantec or CertLogik:

Symantec CSR Checker

CertLogik CSR Checker

This is how we created RSA key pairs.

This should NOT be used and is only shown for clarification and comparison.

!   Create the keypair
crypto key gen rsa label my.rsa2048.key modulus 2048 noconfirm
!
!   Create the CSR
crypto ca trustpoint my-trustpoint.lab-asa.xxxx.com
 subject-name CN=lab-asa.xxxx.com,O=My Company Inc,C=US,St=Pennsylvania,L=MyCity
 fqdn lab-asa.xxxx.com
 enrollment terminal
 keypair my.rsa2048.key
exit
!
!   Enroll the certificate
crypto ca enroll my-trustpoint.lab-asa.xxxx.com
!

Now go to Symantec's website and paste in the CSR from your ASA. You will see that the key algorithm is RSA and the key size is 2048, just as we specified when we created the key on the ASA.

Create a CSR that has a 256-bit ECDSA keypair.

This is the new method and should be used.

!   Create the keypair
crypto key gen ecdsa label my.ecdsa.key elliptic-curve 256 noconfirm
!
!   Create the CSR
crypto ca trustpoint my-trustpoint.lab-asa.xxxx.com
 subject-name CN=lab-asa.xxxx.com,O=My Company Inc,C=US,St=Pennsylvania,L=MyCity
 fqdn lab-asa.xxxx.com
 enrollment terminal
 keypair my.ecdsa.key
exit
!
!   Enroll the certificate
crypto ca enroll my-trustpoint.lab-asa.xxxx.com
!

You will notice that the ECDSA key size is 256 bits. You may be concerned that it is far less than the 2048-bit RSA key. You should not be concerned, because shorter elliptic curve key pairs are as strong as or stronger than longer RSA keys: a 256-bit elliptic curve key is generally rated at about the same security level as a 3072-bit RSA key, and a 384-bit curve well above that.

Create a CSR that has a 384-bit ECDSA keypair.

!   Create the keypair
crypto key gen ecdsa label my.384ecdsa.key elliptic-curve 384 noconfirm
!
!   Create the CSR
crypto ca trustpoint my-trustpoint.lab-asa.xxxx.com
 subject-name CN=lab-asa.xxxx.com,O=My Company Inc,C=US,St=Pennsylvania,L=MyCity
 fqdn lab-asa.xxxx.com
 enrollment terminal
 keypair my.384ecdsa.key
exit
!
!   Enroll the certificate
crypto ca enroll my-trustpoint.lab-asa.xxxx.com
!

Please comment, rate, reply. Thanks!

Comments
Not applicable

Thank you for the information Tim.

patoberli
VIP Alumni

Regarding using openssl for a load-balanced VPN solution, do the same as here (openssl.cfg): https://www.cisco.com/c/en/us/support/docs/security-vpn/public-key-infrastructure-pki/200339-Configure-ASA-SSL-Digital-Certificate-I.html#anc8

Then create a key file with ECDSA-384:

openssl ecparam -name secp384r1 -genkey -noout -out vpn.hostname.ecdsa.key


Then create the CSR:

openssl req -new -nodes -sha256 -key vpn.hostname.ecdsa.key -out vpn.hostname.ecdsa.csr -config openssl.cfg
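As an added example (not code from the original post or from patoberli's comment), the script below does offline what the post's "Testing your CSR" step does with an online checker: it builds one RSA-2048 CSR (the old method) and one ECDSA P-384 CSR (the openssl commands above) and reads back the key algorithm, key size, curve and signature hash that each CSR actually carries. It assumes openssl is on the path; the subject string mirrors the post's trustpoint subject.

```sh
#!/bin/sh
# Added example, not code from the original post or its comments. Offline stand-in
# for the "CSR checker" step: build one RSA-2048 and one ECDSA P-384 CSR with
# openssl, then read back what key and signature algorithm each CSR carries.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Same subject as the ASA trustpoint in the post, in openssl's /attr=value form
# (openssl spells the state attribute ST, not St).
SUBJ="/CN=lab-asa.xxxx.com/O=My Company Inc/C=US/ST=Pennsylvania/L=MyCity"

# make_csr KEYFILE CSRFILE: SHA-256 signed CSR from an existing private key.
make_csr() {
  openssl req -new -sha256 -key "$1" -out "$2" -subj "$SUBJ"
}

# csr_key_info CSRFILE: prints "RSA <bits> <sigalg>" or "ECDSA <curve> <bits> <sigalg>",
# the same facts the online CSR checkers report. Returns 1 on an unexpected key type.
csr_key_info() {
  txt="$(openssl req -noout -text -in "$1")"
  bits="$(printf '%s\n' "$txt" | sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1)"
  sig="$(printf '%s\n' "$txt" | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1)"
  case "$txt" in
    *"Public Key Algorithm: rsaEncryption"*)
      echo "RSA $bits $sig" ;;
    *"Public Key Algorithm: id-ecPublicKey"*)
      curve="$(printf '%s\n' "$txt" | sed -n 's/.*NIST CURVE: *//p' | head -n 1)"
      echo "ECDSA $curve $bits $sig" ;;
    *)
      echo "UNKNOWN key type in $1" >&2
      return 1 ;;
  esac
}

# Old method from the post (RSA 2048), kept only for comparison.
openssl genrsa -out "$WORK/rsa.key" 2048 2>/dev/null
make_csr "$WORK/rsa.key" "$WORK/rsa.csr"

# New method (ECDSA on P-384), matching the ecparam command in the comment.
openssl ecparam -name secp384r1 -genkey -noout -out "$WORK/ec.key"
make_csr "$WORK/ec.key" "$WORK/ec.csr"

csr_key_info "$WORK/rsa.csr"   # RSA 2048 sha256WithRSAEncryption
csr_key_info "$WORK/ec.csr"    # ECDSA P-384 384 ecdsa-with-SHA256
```

The same csr_key_info function can be pointed at the CSR text pasted out of the ASA's `crypto ca enroll` output once it is saved to a file, so the check does not need a third-party site.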
