eckeypair vs rsakeypair in PKI

Majid Jalinousi
Level 1

Hi there,

I would appreciate it if someone could explain to me what the difference is between eckeypair and rsakeypair.

I've created a trustpoint on the CSR router like below:

crypto pki trustpoint TP-Test
 enrollment mode ra
 enrollment url http://192.168.1.227:80/certsrv/mscep/mscep.dll
 serial-number none
 fqdn R1.pfr.local
 subject-name cn=R1.pfr.local, OU=IT, O=NETWORK, ST=AZ, C=US
 revocation-check ocsp
 rsakeypair Test-RSA
 hash sha384

Also, I've created two different public keys: one of them is RSA 2048, named Test-RSA, and the other is EC 384, named Test-EC.

At the Microsoft CA server I've created an IPsec certificate template with the settings below:

Cryptography: RSA

Key length: 2048

Hash: sha384

At the router, when I want to have the router certificate signed by the CA, something strange happens: the rsakeypair Test-RSA changes to eckeypair Test-EC. Does it mean the router tries to use the EC key as its public key, and why? But everything seems OK, and the router can get the signed certificate when the IPsec template is set to RSA.

But when I changed the trustpoint configuration at the router as below, according to the Suite B algorithms:

crypto pki trustpoint TP-Test
 enrollment mode ra
 enrollment url http://192.168.1.227:80/certsrv/mscep/mscep.dll
 serial-number none
 fqdn R1.pfr.local
 subject-name cn=R1.pfr.local, OU=IT, O=NETWORK, ST=AZ, C=US
 revocation-check ocsp
 eckeypair Test-EC
 hash sha384

Also, I changed the IPsec certificate template at the router as below:

Cryptography: ECDH_384

Key length: 384

Hash: sha384

When I tried to sign the router certificate with crypto pki enroll TP-Test, I saw the error below at the router:

% The subject name in the certificate will include: cn=R1.pfr.local, OU=IT, O=NETWORK, ST=Tehran, C=IR
% The subject name in the certificate will include: R1.pfr.local
% Include an IP address in the subject name? [no]: no
Request certificate from CA? [yes/no]: yes
% Certificate request sent to Certificate Authority
% The 'show crypto pki certificate verbose TP-IWAN' commandwill show the fingerprint.

R1(config)#
*Jan 9 02:36:50.814: CRYPTO_PKI: using private key IWAN-EC for enrollment
*Jan 9 02:36:50.815: CRYPTO_PKI: Sending CA Certificate Request:
GET /certsrv/mscep/mscep.dll/pkiclient.exe?operation=GetCACert&message=TP-IWAN HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Cisco PKI)
Host: 192.168.1.227


*Jan 9 02:36:50.815: CRYPTO_PKI: locked trustpoint TP-IWAN, refcount is 1
*Jan 9 02:36:50.815: CRYPTO_PKI: http connection opened
*Jan 9 02:36:50.815: CRYPTO_PKI: Sending HTTP message

*Jan 9 02:36:50.815: CRYPTO_PKI: Reply HTTP header:
HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Cisco PKI)
Host: 192.168.1.227


*Jan 9 02:36:50.819: CRYPTO_PKI: unlocked trustpoint TP-IWAN, refcount is 0
*Jan 9 02:36:50.819: CRYPTO_PKI: locked trustpoint TP-IWAN, refcount is 1
*Jan 9 02:36:50.821: CRYPTO_PKI: unlocked trustpoint TP-IWAN, refcount is 0
*Jan 9 02:36:50.821: CRYPTO_PKI: Reply HTTP header:
HTTP/1.1 200 OK
Content-Length: 3093
Content-Type: application/x-x509-ca-ra-cert
Server: Microsoft-IIS/8.5
Date: Mon, 09 Jan 2017 02:36:50 GMT
Connection: close

Content-Type indicates we have received CA and RA certificates.

*Jan 9 02:36:50.821: CRYPTO_PKI:crypto_process_ca_ra_cert(trustpoint=TP-IWAN)

*Jan 9 02:36:50.823: The PKCS #7 message contains 3 certificates.
*Jan 9 02:36:50.824: CRYPTO_PKI:crypto_pkcs7_insert_ra_certs found RA certs

*Jan 9 02:36:50.826: CRYPTO_PKI:crypto_pkcs7_insert_ra_certs found RA certs

*Jan 9 02:36:50.827: CRYPTO_PKI: Capabilites already obtained CA_CAP_RENEWAL CA_CAP_SHA_1 CA_CAP_SHA_256 CA_CAP_SHA_512
*Jan 9 02:36:50.827: CRYPTO_PKI: transaction CRYPTO_REQ_CERT completed
*Jan 9 02:36:50.827: CRYPTO_PKI: status:
*Jan 9 02:36:50.827: ../cert-c/source/signcerq.c(53) : E_PRIVATE_KEY : private key is null or doesn't match public key
*Jan 9 02:36:50.827: CRYPTO_PKI: status = 0x71E(E_PRIVATE_KEY : private key is null or doesn't match public key): PKCS10 failed
*Jan 9 02:36:50.827: CRYPTO_PKI: status = 0: failed to create pkcsreq message
*Jan 9 02:36:50.827: CRYPTO_PKI: status = 65535: fail to send out pkcsreq
*Jan 9 02:36:50.827: CRYPTO_PKI: Setting renewal timers

What's the problem?

Thanks in advance.
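As an added example (not part of the original post, and not Cisco's code), the relationship the E_PRIVATE_KEY line is complaining about can be reproduced with the OpenSSL CLI: a PKCS#10 request carries a public key and is signed with the matching private key, so a request built from one key pair cannot be signed with another, and an EC key cannot complete a request whose public key is RSA. The script generates key pairs like Test-RSA (RSA 2048) and Test-EC (EC P-384), builds a SHA-384-signed request with the subject and FQDN from the post, and exposes the key-matches-request check a defender can run against any CSR before sending it to the CA. It assumes the openssl CLI (1.1.1 or later, for -addext) is on PATH; the file names and the temporary directory are my own choices.

```shell
#!/bin/sh
# Added example: reproduce the "private key doesn't match public key" condition
# outside the router, using OpenSSL. Assumes openssl >= 1.1.1 on PATH.
set -eu

WORK="$(mktemp -d)"                 # scratch directory (assumption: mktemp exists)
trap 'rm -rf "$WORK"' EXIT
# Subject from the post, in OpenSSL's /C=.../CN=... form.
SUBJ="/C=US/ST=AZ/O=NETWORK/OU=IT/CN=R1.pfr.local"

# Two key pairs, matching the ones on the router: RSA 2048 and EC P-384.
gen_keys() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$WORK/Test-RSA.key" 2>/dev/null
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-384 \
        -out "$WORK/Test-EC.key" 2>/dev/null
}

# Build the PKCS#10 request that 'crypto pki enroll' would send over SCEP:
# signed with the given private key, SHA-384 digest, FQDN as a DNS SAN.
make_csr() {  # $1 = private key file, $2 = output CSR file
    openssl req -new -key "$1" -sha384 -subj "$SUBJ" \
        -addext "subjectAltName=DNS:R1.pfr.local" -out "$2"
}

# The check the router's PKI code effectively performs before signing:
# does this private key correspond to the public key inside the request?
# Both commands emit the SubjectPublicKeyInfo as PEM, so a string compare works.
key_matches_csr() {  # $1 = private key file, $2 = CSR file; prints match|mismatch
    key_pub="$(openssl pkey -in "$1" -pubout 2>/dev/null)"
    csr_pub="$(openssl req -in "$2" -noout -pubkey 2>/dev/null)"
    if [ "$key_pub" = "$csr_pub" ]; then echo match; else echo mismatch; fi
}

# What the CA sees: key algorithm, key size/curve and signature hash, which
# must line up with the template (RSA/2048/sha384 or ECDH_384/384/sha384).
csr_summary() {  # $1 = CSR file
    openssl req -in "$1" -noout -text \
        | grep -E 'Public Key Algorithm|Public-Key|ASN1 OID|NIST CURVE|Signature Algorithm' \
        | sed 's/^ *//' | sort -u
}

run_demo() {
    gen_keys
    make_csr "$WORK/Test-RSA.key" "$WORK/rsa.csr"
    make_csr "$WORK/Test-EC.key"  "$WORK/ec.csr"
    echo "rsa.csr vs Test-RSA: $(key_matches_csr "$WORK/Test-RSA.key" "$WORK/rsa.csr")"
    echo "ec.csr  vs Test-EC : $(key_matches_csr "$WORK/Test-EC.key"  "$WORK/ec.csr")"
    echo "ec.csr  vs Test-RSA: $(key_matches_csr "$WORK/Test-RSA.key" "$WORK/ec.csr")"
    echo "--- ec.csr as the CA sees it ---"
    csr_summary "$WORK/ec.csr"
}

run_demo
```

The third line of the demo is the situation in the post: a request whose embedded public key came from one pair, checked against the private key of the other, reports mismatch. On the router the equivalent remedy is to make sure the trustpoint's key-pair line names a pair that actually exists with that algorithm, and to clear any certificate or request cached under the trustpoint from the earlier RSA enrollment before re-enrolling with the EC pair, so the request and the signing key come from the same pair.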

1 Reply

Philip D'Ath
VIP Alumni

eckeypair (elliptical curve) is much newer and stronger than RSA. However, many things don't support the use of eckeypair yet.

I've tried using it a couple of times, and keep getting caught out by devices, and being forced back to using RSA.

We should be getting closer and closer to having general eckeypair support.