CA certificate requirements

S891
Level 2

Hi,

I have to set up a new CA cert on the VPN firewall. I have recently seen that some clients (especially macOS) complain about the certificate being invalid if the EKU (Extended Key Usage) or Key Usage value is not there. I am wondering how I make sure that EKU is included for the new certificate.

Also, what is the current recommendation for a cert to meet all criteria for SSL vulnerabilities and current encryption standards (AES 256, SHA-2, etc.)? I just want to make sure that clients do not complain about an invalid/untrusted site/certificate.

6 Replies

Marvin Rhoads
Hall of Fame

Using the ASA itself to generate the CSR doesn't allow you to specify EKU. Instead you'd need to generate the CSR using openssl.

Using a 2048-bit or higher RSA key is something you should do - all public CAs will require this anyway.

It's a balancing act as going to 4096-bit key may break some older browsers.

Hi Marvin, thanks for your comment. It is probably a dumb question. I am not able to find how to generate an openssl certificate for ASA.

Nothing a little googling can't ascertain.

Create an openssl certificate like shown here (including EKU): Link #1.

Import the private key, signing CA's certificate chain and new ASA certificate as shown here: Link #2

Thanks. I know about installing certificates, but this is all about self-signed certificates. I do need a public CA, not self-signed. I will send the CSR to Comodo. How do I, or they, specify the EKU value?

You have to use openssl to generate a CSR with EKU. It cannot be done with the ASA software.

EKU doesn't need to be included in the cert request. It can be placed into the cert, e.g. by a Microsoft CA server, if a tailored cert template is chosen.
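As an added example (not from this thread, and not Cisco's or any CA's tooling), the following POSIX sh script does what the two replies above describe: it writes an openssl req configuration whose requested extensions carry Key Usage and Extended Key Usage (serverAuth, the EKU TLS clients check on a VPN gateway, plus clientAuth), generates a fresh 2048-bit RSA key and the CSR, and decodes the CSR to confirm the EKU is actually present before it is sent off. The hostname vpn.example.com and the subject fields are constructed placeholders. The private key is created on the workstation, so it has to be imported into the ASA together with the issued certificate and the CA chain, as in the import steps linked earlier.

```shell
#!/bin/sh
# Added example: build an OpenSSL CSR configuration that requests Key Usage and
# Extended Key Usage, generate the CSR, and check the result before submitting it.
# vpn.example.com and the subject fields below are constructed placeholders.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"

# write_csr_config <config-path> <hostname>
# Emits an openssl req(1) configuration. The req_extensions section is what asks
# the CA for the serverAuth/clientAuth EKU, the key usages an RSA TLS server key
# needs, and a SAN matching the hostname (modern clients ignore the CN alone).
write_csr_config() {
  cfg="$1"
  host="$2"
  cat > "$cfg" <<EOF
[ req ]
default_bits       = 2048
default_md         = sha256
prompt             = no
distinguished_name = dn
req_extensions     = req_ext

[ dn ]
C  = US
O  = Example Corp
CN = ${host}

[ req_ext ]
keyUsage         = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName   = @alt_names

[ alt_names ]
DNS.1 = ${host}
EOF
}

# generate_csr <config-path> <key-out> <csr-out>
# Creates an unencrypted 2048-bit RSA key and a SHA-256 signed CSR carrying the
# extensions from the configuration. Protect <key-out>: it is the gateway's key.
generate_csr() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -config "$1" -keyout "$2" -out "$3" 2>/dev/null
}

# csr_has_eku <csr-path> <eku-text>
# Returns 0 if the decoded CSR lists the given EKU name as OpenSSL prints it,
# e.g. "TLS Web Server Authentication" for serverAuth.
csr_has_eku() {
  openssl req -in "$1" -noout -text \
    | grep -A1 'X509v3 Extended Key Usage' \
    | grep -q "$2"
}

main() {
  cfg="$WORKDIR/vpn.cnf"
  key="$WORKDIR/vpn.key"
  csr="$WORKDIR/vpn.csr"
  write_csr_config "$cfg" vpn.example.com
  if ! command -v openssl >/dev/null 2>&1; then
    echo "openssl not found; configuration written to $cfg"
    return 0
  fi
  generate_csr "$cfg" "$key" "$csr"
  if csr_has_eku "$csr" 'TLS Web Server Authentication'; then
    echo "CSR $csr requests the serverAuth EKU"
  else
    echo "serverAuth EKU missing from $csr" >&2
    return 1
  fi
  # Show the CA-facing view of the requested extensions.
  openssl req -in "$csr" -noout -text | grep -A6 'Requested Extensions'
}

main "$@"
```

The extensions in a CSR are only a request: a public CA, or an enterprise CA using its own template as the last reply notes, decides what goes into the issued certificate, and may add or drop EKU values regardless of what was asked for. Run the same check on the certificate that comes back (`openssl x509 -in cert.pem -noout -text`) before installing it on the firewall, so an EKU-less certificate is caught before clients start rejecting it.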