Solved: ASA SHA2 Support with Self-Signed Certificates

William Parsley · ‎11-09-2015

Is it possible to use the SHA2 signature algorithm when generating a self-signed certificate on an ASA? I can't seem to find any documentation showing commands that have control of things like the signature algorithm when using self-signed certificates. I've seen documentation that SHA2 is supported as of 8.4.2 for the signature algorithm, but it always refers to importing a certificate from some external CA.

Dinesh Moudgil · ‎11-09-2015

Hi William,

You can only generate SHA1 self signed certificate on the ASA. The workaround is to import a 3rd party certificate with SHA2 signature algorithm.

Here is the enhancement request for the same:-

ASA support for SHA-2 for crypto IPsec and PKI operations

CSCuj67576
https://tools.cisco.com/bugsearch/bug/CSCuj67576/?reffering_site=dumpcr

Regards,
Dinesh Moudgil

P.S. Please rate helpful posts.

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/

View solution in original post

Dinesh Moudgil · ‎11-09-2015

Hi William,

You can only generate SHA1 self signed certificate on the ASA. The workaround is to import a 3rd party certificate with SHA2 signature algorithm.

Here is the enhancement request for the same:-

ASA support for SHA-2 for crypto IPsec and PKI operations

CSCuj67576
https://tools.cisco.com/bugsearch/bug/CSCuj67576/?reffering_site=dumpcr

Regards,
Dinesh Moudgil

P.S. Please rate helpful posts.

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/

Report Inappropriate Content · ‎08-16-2017

How to generate self signed certificate with MD5 hash signature algorithm instead of default SHA1 signature algorithm. could not find CLI commands under trustpoint config to change default SHA1 hasing method to MD5.

Cisco ASA 5550 - Running 8.4.7(30)