Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
789
Views
5
Helpful
2
Replies

Cisco router certifcate with weak hash algorithm

Go to solution
Richard Tapp
Level 1
Level 1

‎08-10-2022 12:59 AM

It has been flagged that our routers are currently using sha1

We needed an extra certificate server anyway so I created one with a certificate using key modus of 2048.

Cisco said this would automatically use a hash of sha256.

My first question is - does anyone know the command that will show the hash value of the new certifcate ?

Secondly I have noticed that 'hash' is an option on both ca-server and ca-trustpoint and I am wondering if the new ca-server and then the remote ca-trustpoints need to have hash sha256 set in them.

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Rob Ingram
VIP
VIP

‎08-10-2022 01:06 AM

@Richard Tapp from the CLI run "show crypto pki certificate verbose" this will tell you the Signature algorithm. Yes the CA needs to be configured for SHA256.

View solution in original post

2 Replies 2

Go to solution
Rob Ingram
VIP
VIP

‎08-10-2022 01:06 AM

@Richard Tapp from the CLI run "show crypto pki certificate verbose" this will tell you the Signature algorithm. Yes the CA needs to be configured for SHA256.

Go to solution
Richard Tapp
Level 1
Level 1
In response to Rob Ingram

‎08-10-2022 01:31 AM

Thanks Rob spot on. I have included 'hash sha256' in both the ca-server and ca-truspoint and the certifcates are now being installed correctly.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents