05-27-2013 09:16 PM - edited 02-21-2020 04:53 AM
How can I check what the cypher strength is of locally generated certificates on Cisco IOS devices (firewalls, switches, routers, WLC, APs etc.)?
Additionally, is a local certificate generated with a cypher lower than 1024 considered weak?
Thank you
DGW
05-28-2013 08:06 AM
The command "show crypto pki certificate verbose" will give you the details of all certificates on your IOS devices (or "show crypto ca certificate" on ASA devices), including the strength of the public key used to sign it. For self-signed certificates this is generally the RSA key generated on the device.
Keys less than 1024 bits are generally considered "weak" but one can easily generate new keys and create certificates with them.
Whether or not a strong or weak certificate is important depends on what you are using it for. The most secure implementation would be to not use self-signed certificates at all but use a trusted enterprise Certificate Authority (or well-known public CA) and issue certificates from that root.
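Added example, not part of the original answer: a small Python audit that reads saved "show crypto pki certificate verbose" output and flags certificates whose public key is below a minimum size (default 1024 bits, the threshold mentioned above). The sample output is constructed, and its field layout, names and serial numbers are assumptions that may differ between IOS releases.

```python
import re

# Constructed sample resembling "show crypto pki certificate verbose" output.
# Field layout is an assumption; names and serials are placeholders.
SAMPLE = """\
Router Self-Signed Certificate
  Certificate Serial Number (hex): 01
  Subject:
    Name: IOS-Self-Signed-Certificate-EXAMPLE1
  Subject Key Info:
    Public Key Algorithm: rsaEncryption
    RSA Public Key: (512 bit)
  Associated Trustpoints: TP-self-signed-EXAMPLE1

Certificate
  Certificate Serial Number (hex): 0A
  Subject:
    Name: router.example.test
  Subject Key Info:
    Public Key Algorithm: rsaEncryption
    RSA Public Key: (2048 bit)
  Associated Trustpoints: EXAMPLE-CA
"""

KEY_RE = re.compile(r"Public Key:\s*\((\d+)\s*bit\)")
SERIAL_RE = re.compile(r"Certificate Serial Number[^:]*:\s*(\S+)")
TP_RE = re.compile(r"Associated Trustpoints:\s*(.+)")

def audit(output, min_bits=1024):
    """Return one dict per certificate block, flagging keys below min_bits."""
    results = []
    # Each certificate block starts at an unindented line; split there.
    for block in re.split(r"\n(?=\S)", output.strip()):
        key = KEY_RE.search(block)
        if not key:
            continue  # not a certificate block, or key size not reported
        serial, tp = SERIAL_RE.search(block), TP_RE.search(block)
        bits = int(key.group(1))
        results.append({
            "kind": block.splitlines()[0].strip(),
            "serial": serial.group(1) if serial else None,
            "trustpoints": tp.group(1).split() if tp else [],
            "bits": bits,
            "weak": bits < min_bits,
        })
    return results

if __name__ == "__main__":
    for cert in audit(SAMPLE):
        print(cert)
```

Pass a higher `min_bits` to apply a stricter local policy; the trustpoint names in the result identify which certificates to regenerate or reissue.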