PKI key length

ricey
Level 1

I am setting up a DMVPN network and wish to use PKI instead of wildcard pre-shared keys. I have read that Cisco routers will not support certificates where any key length in the certificate chain is over 2048. I have an MS PKI where the offline root cert has a key length of 4096. Does this mean I cannot use this CA hierarchy?

2 Replies

drolemc
Level 6

I think the recommended length is 1024, as larger keys take time to generate (on routers larger keys are not recommended), but you should be able to use it. The following link may help you:

http://www.cisco.com/en/US/docs/security/vpn5000/manager/reference/guide/certs.html

Thanks very much for the response. The actual certs I intend to use on the routers will have a key length of 1024; however, the root CA has a self-signed cert with a key length of 4096 (which was what I was confused about). I have since discovered that the routers are able to support public keys of up to 4096 with IOS release 12.4(11)T, so that should enable me to use the existing PKI we have. As an aside, however, they are still only able to support private keys with a maximum modulus of 2048. Thanks again for your help.
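The practical question in this thread is "what modulus size does each certificate in my chain actually carry, and does any of them exceed the limit my devices accept?" The following is an added example, not code from the thread or from Cisco: a standard-library Python script that walks the DER structure of each certificate down to the SubjectPublicKeyInfo, reads the RSA modulus, and flags anything above a configurable ceiling. Since no real certificates are available offline, the script also contains a small DER writer that constructs a synthetic three-tier chain (offline root 4096, issuing CA 2048, router 1024) with placeholder moduli and dummy signatures; those sample certificates, their names and the `fake_cert` helper are constructions for this example only.

```python
"""Audit the RSA modulus size of every certificate in a DER chain.

Added example, not from the original thread. Only the standard library is
used: a minimal DER reader walks an X.509 Certificate to its
SubjectPublicKeyInfo and reads the RSA modulus; a tiny DER writer builds a
constructed sample chain (root 4096 / issuing CA 2048 / router 1024) with
placeholder moduli and dummy signatures, so nothing here is a real key.
"""

RSA_OID = bytes.fromhex("2a864886f70d010101")      # 1.2.840.113549.1.1.1 rsaEncryption
SHA256_RSA_OID = bytes.fromhex("2a864886f70d01010b")  # sha256WithRSAEncryption
CN_OID = bytes.fromhex("550403")                      # 2.5.4.3 commonName


# ---- minimal DER writer, used only to construct the sample chain ----
def _der_len(n):
    """Encode a DER length (short form below 128, long form above)."""
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body


def der_int(v):
    b = v.to_bytes((v.bit_length() + 7) // 8 or 1, "big")
    if b[0] & 0x80:
        b = b"\x00" + b  # leading zero keeps the INTEGER positive
    return tlv(0x02, b)


def der_seq(*items):
    return tlv(0x30, b"".join(items))


def der_bitstr(body):
    return tlv(0x03, b"\x00" + body)  # first byte: number of unused bits (0)


def rsa_spki(modulus, exponent=65537):
    """SubjectPublicKeyInfo { AlgorithmIdentifier, BIT STRING(RSAPublicKey) }."""
    alg = der_seq(tlv(0x06, RSA_OID), tlv(0x05, b""))
    return der_seq(alg, der_bitstr(der_seq(der_int(modulus), der_int(exponent))))


def name(cn):
    """Name ::= SEQUENCE OF SET OF AttributeTypeAndValue, a single commonName."""
    return der_seq(tlv(0x31, der_seq(tlv(0x06, CN_OID), tlv(0x0c, cn.encode()))))


def fake_cert(subject, issuer, modulus_bits):
    """Constructed, unsigned sample certificate whose modulus is exactly modulus_bits long."""
    modulus = (1 << (modulus_bits - 1)) | 1  # placeholder value, not a real key
    sig_alg = der_seq(tlv(0x06, SHA256_RSA_OID), tlv(0x05, b""))
    validity = der_seq(tlv(0x17, b"240101000000Z"), tlv(0x17, b"340101000000Z"))
    tbs = der_seq(tlv(0xa0, der_int(2)), der_int(1), sig_alg, name(issuer),
                  validity, name(subject), rsa_spki(modulus))
    return der_seq(tbs, sig_alg, der_bitstr(b"\x00" * 32))  # dummy signature


# ---- DER reader: enough of X.509 to reach the public key ----
def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length
        n = length & 0x7f
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def children(body):
    """Split a constructed value into its list of (tag, value) elements."""
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        out.append((tag, val))
    return out


def rsa_modulus_bits(cert_der):
    """Return the RSA modulus size in bits of a DER certificate, or None if not RSA."""
    tbs = children(read_tlv(cert_der)[1])[0][1]  # Certificate -> tbsCertificate
    fields = children(tbs)
    if fields[0][0] == 0xa0:  # explicit [0] version is optional in v1 certs
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    alg, key = children(fields[5][1])
    if children(alg[1])[0][1] != RSA_OID:
        return None
    rsa_public_key = children(key[1][1:])[0][1]  # skip the BIT STRING unused-bits byte
    modulus = children(rsa_public_key)[0][1]
    return int.from_bytes(modulus, "big").bit_length()


def audit_chain(chain, max_bits=2048):
    """chain: list of (label, cert_der). Returns [(label, bits, within_limit)]."""
    report = []
    for label, der in chain:
        bits = rsa_modulus_bits(der)
        report.append((label, bits, bits is not None and bits <= max_bits))
    return report


# Constructed sample chain mirroring the thread: 4096-bit offline root,
# 2048-bit issuing CA, 1024-bit router identity certificate.
SAMPLE_CHAIN = [
    ("offline-root", fake_cert("Offline Root CA", "Offline Root CA", 4096)),
    ("issuing-ca", fake_cert("Issuing CA", "Offline Root CA", 2048)),
    ("dmvpn-hub", fake_cert("dmvpn-hub", "Issuing CA", 1024)),
]

if __name__ == "__main__":
    for label, bits, ok in audit_chain(SAMPLE_CHAIN, max_bits=2048):
        print(f"{label:13} RSA-{bits}  {'ok' if ok else 'EXCEEDS LIMIT'}")
```

Run against the constructed chain with `max_bits=2048`, only the offline root is flagged; with `max_bits=4096` the whole chain passes, which is the distinction the thread settles on (the limit that matters for the chain is the public-key size the router must verify, not the private-key size it generates itself). For real certificates exported from the CA, feed the DER bytes of each file into `audit_chain`; `openssl x509 -in cert.pem -noout -text | grep Public-Key` reports the same number if you only need a quick manual check.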