I actually found the Cisco document that details the platforms that support 4096 encryption. In case the link gets broken, this was the statement as of July 25, 2016.
----------------------------------------------------------------------------------------------------------------------------------
CSR Generation
This is the first step in the lifecycle of any X.509 digital certificate. Once the private/public Rivest-Shamir-Adleman (RSA) or Elliptic Curve Digital Signature Algorithm (ECDSA) keypair is generated (Appendix A details the difference between the use of RSA or ECDSA), a Certficate Signing Request (CSR) is created. A CSR is basically a PKCS10 formatted message that contains the public key and identity information of the requesting host. PKI Data Formatsexplains the different certificate formats applicable to the ASA and Cisco IOS ® .
Notes: 1. Check with the CA on the required keypair size. The CA/Browser Forum has mandated that all certificates generated by their member CAs have a minimum size of 2048 bits. 2. ASA currently does not support 4096 bit keys (Cisco bug ID CSCut53512) for SSL server authentication. However, IKEv2 does support the use of 4096 bit server certificates on the ASA 5580, 5585, and 5500-X platforms alone. 3. Use the DNS Name of the ASA in the FQDN field of the CSR in order to prevent Untrusted Certificate warnings and pass Strict Certificate check.
----------------------------------------------------------------------------------------------------------------------------------
ASA 4096 RSA key
I know this is an old thread, but I searched for an hour after I found this post. Would have been nice to have it here.
... View more
