Creating a SHA-2 CSR using ECDSA
Support
In ASA OS 9.0(1), released October 29, 2012, the ASA introduced support for creating ECDSA key pairs. Prior to this version, certificates had to be created against RSA key pairs. Now we have the ability to create CSRs that use ECDSA keys.
Be aware, however, that these certificates cannot be used with SSL VPN unless your ASA is running a version of code that supports elliptic curve ciphers: a server certificate with an ECDSA key can only be used by cipher suites that authenticate with ECDSA (the ECDHE-ECDSA suites), so both the ASA and the connecting client must support them.
Testing your CSR
You can test this by creating both kinds of key pair and checking the resulting CSRs against a CSR checker such as Symantec's or CertLogik's. The checker decodes the CSR and reports the key algorithm and key size, which is what we will compare below.
Symantec CSR Checker
CertLogik CSR Checker
This is how we created RSA key pairs.
This is the old method and is shown only for clarification and comparison with the ECDSA method below.
! Create the keypair
crypto key generate rsa label my.rsa2048.key modulus 2048 noconfirm
!
! Create the CSR
crypto ca trustpoint my-trustpoint.lab-asa.xxxx.com
subject-name CN=lab-asa.xxxx.com,O=My Company Inc,C=US,St=Pennsylvania,L=MyCity
fqdn lab-asa.xxxx.com
enrollment terminal
keypair my.rsa2048.key
exit
!
! Enroll the certificate
crypto ca enroll my-trustpoint.lab-asa.xxxx.com
!
Now go to Symantec's website and paste in the CSR from your ASA. With terminal enrollment, the crypto ca enroll command prints the base64 CSR to the console; copy everything from the BEGIN line to the END line inclusive. The checker will show that the key algorithm is RSA and the key size is 2048, matching the modulus we specified when we generated the key on the ASA.
Create a CSR that has a 256-bit ECDSA key pair.
This is the new method and should be used. Note that the examples on this page reuse one trustpoint name for convenience; on a production ASA, give each key pair its own trustpoint, because re-entering crypto ca trustpoint with an existing name edits that trustpoint rather than creating a new one.
! Create the keypair
crypto key generate ecdsa label my.ecdsa.key elliptic-curve 256 noconfirm
!
! Create the CSR
crypto ca trustpoint my-trustpoint.lab-asa.xxxx.com
subject-name CN=lab-asa.xxxx.com,O=My Company Inc,C=US,St=Pennsylvania,L=MyCity
fqdn lab-asa.xxxx.com
enrollment terminal
keypair my.ecdsa.key
exit
!
! Enroll the certificate
crypto ca enroll my-trustpoint.lab-asa.xxxx.com
!
You will notice that the ECDSA key size is 256 bits. You may be concerned that this is far less than the 2048-bit RSA key. It is not a weakness: elliptic curve keys give the same security level at a much shorter length. A 256-bit ECDSA key (P-256) provides roughly 128 bits of security, about the same as a 3072-bit RSA key and more than the 2048-bit RSA key above; a 384-bit key (P-384) provides roughly 192 bits of security, about the same as a 7680-bit RSA key. The ECDSA signature and key agreement are also considerably cheaper for the ASA to compute than RSA at an equivalent security level.
Create a CSR that has a 384-bit ECDSA key pair. Use this curve when your CA or security policy requires a higher security level than P-256; the checker will report the key size as 384 bits.
! Create the keypair
crypto key generate ecdsa label my.384ecdsa.key elliptic-curve 384 noconfirm
!
! Create the CSR
crypto ca trustpoint my-trustpoint.lab-asa.xxxx.com
subject-name CN=lab-asa.xxxx.com,O=My Company Inc,C=US,St=Pennsylvania,L=MyCity
fqdn lab-asa.xxxx.com
enrollment terminal
keypair my.384ecdsa.key
exit
!
! Enroll the certificate
crypto ca enroll my-trustpoint.lab-asa.xxxx.com
!
Please comment, rate, reply. Thanks!