PKI key length

Unanswered Question
Jul 17th, 2007

I am setting up a DMVPN network and wish to use PKI instead of wildcard pre-shared keys. I have read that Cisco routers will not support certificates where any key length in the certificate chain is over 2048. I have an MS PKI where the offline root cert has a key length of 4096. Does this mean I cannot use this CA hierarchy?

ricey Tue, 07/24/2007 - 04:53

Thanks very much for the response. The actual certs I intend to use on the routers will have a key length of 1024; however, the root CA has a self-signed cert with a key length of 4096 (which was what I was confused about). I have since discovered that the routers are able to support public keys of up to 4096 with IOS release 12.4(11)T, so that should enable me to use the existing PKI we have. As an aside, however, they are still only able to support private keys with a maximum modulus of 2048. Thanks again for your help.
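The point of the thread is that a device may enforce one size limit on every public key in the chain (root included) and a separate, lower limit on its own private key, so both need checking before enrolling. As an added example that is not part of this discussion, the POSIX shell script below builds a constructed three-tier hierarchy mirroring the one described (4096-bit self-signed offline root, 2048-bit issuing CA, 1024-bit router certificate), reports the RSA modulus size of each certificate and of the router's private key, and compares the chain against a chosen public-key limit. It assumes only the openssl command-line tool; the 2048 and 4096 limits come from the thread, while the file names, subjects and the chain itself are constructed for the demo.

```sh
#!/bin/sh
# Added example (not from the thread): report RSA key sizes across a certificate
# chain and compare them with a device's limits. Assumes the openssl CLI is in PATH.
# All file names, subjects and the chain itself are constructed for the demo.
set -eu

# key_bits CERT.pem -> RSA modulus size in bits of the certificate's public key.
# The hex modulus is printed without leading zeros, so four bits per hex digit is exact.
key_bits() {
  mod=$(openssl x509 -in "$1" -noout -modulus | sed 's/^Modulus=//')
  echo $(( ${#mod} * 4 ))
}

# privkey_bits KEY.pem -> RSA modulus size in bits of a private key
# (the device's own key, which the reply says has a separate, lower limit).
privkey_bits() {
  mod=$(openssl rsa -in "$1" -noout -modulus | sed 's/^Modulus=//')
  echo $(( ${#mod} * 4 ))
}

# check_chain MAX_BITS CERT... -> returns 0 only if every certificate's public
# key is at most MAX_BITS; prints one line per certificate either way.
check_chain() {
  max=$1; shift
  rc=0
  for c in "$@"; do
    bits=$(key_bits "$c")
    if [ "$bits" -gt "$max" ]; then
      echo "$(basename "$c"): $bits-bit key exceeds the $max-bit limit"
      rc=1
    else
      echo "$(basename "$c"): $bits-bit key within the $max-bit limit"
    fi
  done
  return $rc
}

# gen_chain DIR -> constructed hierarchy like the one in the question:
# 4096-bit self-signed offline root, 2048-bit issuing CA, 1024-bit router cert.
gen_chain() {
  d=$1
  openssl req -x509 -newkey rsa:4096 -nodes -keyout "$d/root.key" -out "$d/root.crt" \
    -subj "/CN=Example Offline Root" -days 30 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext"
  openssl req -newkey rsa:2048 -nodes -keyout "$d/sub.key" -out "$d/sub.csr" \
    -subj "/CN=Example Issuing CA" 2>/dev/null
  openssl x509 -req -in "$d/sub.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
    -CAcreateserial -extfile "$d/ca.ext" -out "$d/sub.crt" -days 30 2>/dev/null
  openssl req -newkey rsa:1024 -nodes -keyout "$d/router.key" -out "$d/router.csr" \
    -subj "/CN=dmvpn-spoke-1.example" 2>/dev/null
  openssl x509 -req -in "$d/router.csr" -CA "$d/sub.crt" -CAkey "$d/sub.key" \
    -CAcreateserial -out "$d/router.crt" -days 30 2>/dev/null
}

main() {
  work=$(mktemp -d)
  gen_chain "$work"
  chain="$work/root.crt $work/sub.crt $work/router.crt"
  echo "Router private key: $(privkey_bits "$work/router.key") bits (reply: max 2048 for private keys)"
  echo "--- chain against a 2048-bit public-key limit (the limit the question was worried about)"
  check_chain 2048 $chain || echo "chain would be rejected: the root alone exceeds the limit"
  echo "--- chain against a 4096-bit public-key limit (12.4(11)T and later, per the reply)"
  check_chain 4096 $chain && echo "chain accepted"
  rm -rf "$work"
}

main
```

Run the script as-is to see the same chain pass the 4096-bit limit and fail the 2048-bit one, with only the root certificate flagged; point `check_chain` at exported certificates from a real hierarchy to repeat the check there. The functions only handle RSA keys, which is all the thread discusses.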

