08-17-2015 06:11 AM
Hi,
I have to set up a new CA cert on the VPN firewall. I have recently seen that some clients (especially MacOS) complain about the certificate being invalid if the EKU (Extended Key Usage) or Key Usage value is not there. I am wondering how I make sure that EKU is included for the new certificate.
Also, what is the current recommendation for a cert to meet all criteria for SSL vulnerabilities and current encryption standards (AES 256, SHA 2, etc.)? I just want to make sure that clients do not complain about an invalid/untrusted site/certificate.
08-17-2015 07:46 AM
Using the ASA itself to generate the CSR doesn't allow you to specify EKU. Instead you'd need to generate the CSR using openssl.
Using a 2048-bit or higher RSA key is something you should do; all public CAs will require this anyway.
It's a balancing act, as going to a 4096-bit key may break some older browsers.
08-20-2015 12:12 AM
Hi Marvin, thanks for your comment. It is probably a dumb question. I am not able to find how to generate an openssl certificate for the ASA.
08-20-2015 01:27 PM
08-21-2015 06:04 AM
Thanks. I know about installing a certificate. But this is all about self-signed certificates. I do need a public CA, not a self-signed one. I will send the CSR to Comodo. How do I or they specify the EKU value?
08-21-2015 06:07 AM
You have to use openssl to generate a CSR with EKU. It cannot be done with the ASA software.
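The openssl route described in this answer, as an added example that is not from the thread or from Cisco: a small POSIX shell script that writes an openssl `req` config carrying `extendedKeyUsage` and `keyUsage`, generates a 2048-bit RSA key and CSR from it, and checks the CSR before it goes to the CA. The hostname and DN values are constructed placeholders; whether the CA copies the requested extensions into the issued cert is the CA's decision.

```shell
#!/bin/sh
# Added example (not from the thread): request EKU and keyUsage in a CSR
# via an openssl config, then verify the CSR actually carries them.

# Print an openssl req config that requests serverAuth/clientAuth EKU,
# a keyUsage extension, and a SAN matching the VPN hostname.
make_csr_config() {
    host="$1"
    cat <<EOF
[ req ]
default_bits       = 2048
default_md         = sha256
prompt             = no
distinguished_name = dn
req_extensions     = v3_req

[ dn ]
C  = US
O  = Example Org
CN = $host

[ v3_req ]
keyUsage         = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName   = DNS:$host
EOF
}

# Generate an unencrypted 2048-bit RSA key and a SHA-256 signed CSR.
# Usage: make_csr vpn.example.com vpn.key vpn.csr
make_csr() {
    host="$1"; key="$2"; csr="$3"
    cfg=$(mktemp)
    make_csr_config "$host" > "$cfg"
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -keyout "$key" -out "$csr" -config "$cfg"
    rm -f "$cfg"
}

# Exit status 0 if the CSR requests the TLS server EKU, non-zero otherwise.
# Run this before sending the CSR off so a missing extension is caught early.
csr_has_server_eku() {
    openssl req -in "$1" -noout -text | grep -q "TLS Web Server Authentication"
}
```

After the CA issues the certificate, run the same `openssl x509 -noout -text` style check on the returned cert, since a CA that ignores requested extensions will still hand back a cert without EKU.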
08-21-2015 12:07 PM
EKU doesn't need to be included in the cert request. It can be placed into the cert, e.g. by a Microsoft CA server, if a tailored cert template is chosen.