Showing results for 
Search instead for 
Did you mean: 

Get the latest Cisco news in this February issue of the Cisco Small Business Monthly Newsletter


SA 540 and PCI Compliance

Good Day Everyone!

I am having some difficulty with my SA 540 fleet in regards to PCI Scans in relationship to the SSL VPN.

We have four of these deployed; one in the main office and three in satellite offices and we employ site-to-site VPN so the satellites can connect to the main office LAN. Naturally, PCI DSS 3.1 has come into effect since my last successful quarterly scan and I seem to be failing on the routers due to, I THINK, the SSL certificate in the routers being 1024-bit encryption when the new standard is 2048-bit. Some responses from Trustwave regarding my failed scans:

  • Insecure Certificate Signature Algorithm in Use
  • SSL Certificate Public Key Too Small
  • SSLv3 Supported
  • SSL/TLS Weak Encryption Algorithms
  • TLSv1.0 Supported

All of the failed messages state that the "server" is using a hash algorithm of SHA (PCI requires MD5), signature algorithm of RSA and signature key length of 1024-bit.

I have put disputes in because the actual cutoff date for the 1024-bit encryption is next June but I am trying to take a proactive stance and I am not a Cisco expert by any means. That being said I think the question(s) would be:

Can I obtain an updated certificate that has MD5 and 2048-bit encryption without additional cost or is this something I have to pay for through Cisco and if so, how do I obtain this? Or do I generate a new CSR and then go to a Cisco approved CA? Or, is this security appliance not able to be brought up to the latest PCI DSS standards?

Please help this lost soul...Thanks so much, Joel

Everyone's tags (1)

For anyone else who may be

For anyone else who may be having this issue, I had to turn OFF Remote Management which was fine by me because that only affects the Quick VPN and SSL VPN whereas I am using Site-to-Site VPN. So the issue really was that the RMOM being turned on also opens the SSLv3 and TLSv1.0 that are in collision with the latest PCI DSS3.0 standards.