IETF X.509 certificate signature collision vulnerability

sbdladla1
Level 1

Our security scan has picked up this vulnerability: IETF X.509 certificate signature collision vulnerability.

I am using an SSL self-signed certificate on a Cisco ASA firewall. I want to find out how I can fix this certificate vulnerability if I am not using a CA.

Accepted Solution

This typically relates to the usage of weak hashing mechanisms that are used for the signature.

Best way: Use a cert from one of the public CAs. There are also CAs available that only charge a very small amount for that.

Alternative way: Generate a new self-signed certificate with openssl and use the hash algorithm SHA256:

openssl req -x509 -sha256 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 720


3 Replies

I tried to run the command, but the ASA rejects it. Maybe I need to be in a sub-command mode; any help on where I must run this command?

No, it's not on the ASA. You have to run it on a PC that has openssl installed. That is Linux or macOS by default, or even Windows can install it (perhaps with the help of Cygwin).
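An added example script (not from the thread or from Cisco) that runs on the PC with openssl, as the last reply says: it generates the certificate with the accepted answer's command and then reports the signature hash a certificate file actually carries, so the weak-hash finding can be confirmed before and after replacing the ASA's certificate. File paths and the subject name are assumptions.

```shell
#!/bin/sh
# Added example, not from the original thread. Generates a SHA-256 self-signed
# certificate as the accepted answer describes, then reports the signature hash a
# certificate actually carries, which is what a scanner inspects for this finding.
# Paths and the subject name are assumptions.
set -eu

# Classify a signature algorithm name as printed by "openssl x509 -text":
# "weak" for MD5/SHA-1 (collision-prone), "ok" for the SHA-2 family.
classify_alg() {
    case "$1" in
        md5*|sha1*|ecdsa-with-SHA1) echo weak ;;
        sha256*|sha384*|sha512*|ecdsa-with-SHA256|ecdsa-with-SHA384|ecdsa-with-SHA512) echo ok ;;
        *) echo unknown ;;
    esac
}

# Print the signature algorithm recorded in a PEM certificate file.
sig_alg() {
    openssl x509 -in "$1" -noout -text |
        sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

# The accepted answer's command, with -nodes and -subj added so it runs
# non-interactively (drop -nodes to keep the private key passphrase-protected).
gen_cert() {
    openssl req -x509 -sha256 -newkey rsa:2048 -nodes -keyout "$1" -out "$2" \
        -days 720 -subj "/CN=asa.example.internal" 2>/dev/null
}

# Check a certificate file; succeeds only if its signature hash is acceptable.
check_cert() {
    alg=$(sig_alg "$1")
    verdict=$(classify_alg "$alg")
    echo "$1: $alg ($verdict)"
    [ "$verdict" = ok ]
}

# Demo: run this on the PC with openssl (not on the ASA), then import the files.
if command -v openssl >/dev/null 2>&1; then
    workdir=$(mktemp -d)
    gen_cert "$workdir/key.pem" "$workdir/cert.pem"
    check_cert "$workdir/cert.pem"
    DEMO_ALG=$(sig_alg "$workdir/cert.pem")
    rm -rf "$workdir"
else
    DEMO_ALG=""
fi
```

Point check_cert at a certificate exported from the ASA to see whether the scanner's finding is about the signature hash; a cert the ASA generated itself with an older default will typically show sha1WithRSAEncryption here.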