New Member

Cisco ASA CA Certificate import error using ECDSA and SHA-256

Hello,

 

I am attempting to import a root CA certificate into my ASA 5585X from our internal PKI.

The CA Cert uses the following:

Signature algorithm - ECDSA

Signature hash algorithm - sha256

Public key - ECC (384 Bits)

 

I get the following error when attempting to import the certificate onto the ASA:

% Error in saving certificate: status = FAIL

 

I have run a debug and get the following messages:

CRYPTO_PKI: can not set ca cert object (0x722)

CRYPTO_PKI: status = 65535: failed to process RA certificate.

 

I have tried to import the CA using ASA Version 9.1.4 and 9.1.5

 

Any help or suggestions would be greatly appreciated.

Thanks,

Rhys.

7 REPLIES
Cisco Employee

Hi,

What is the expiration date on this certificate ?

Thanks and Regards,

Vibhor Amrodia

New Member

Hi,
Certificate details are as follows:

Cisco Employee

This is a known issue. Enhancement request CSCup44159 has been filed to add support for RSASSA-PSS on the ASA.

New Member

OK, so I have worked with my PKI guys on this and this is what we have found:

The first certificate that was generated used RSASSA-PSS, which was standardized in PKCS#1 v2.1 and is generally recommended to be used as an alternative to the older more widespread RSASSA algorithm in PKCS#1 v1.5.

It would appear that RSASSA-PSS does not work with Cisco ASA devices.

This shows as "specifiedECDSA" in the certificate signature algorithm field, whereas when the certificate was re-created using RSASSA-PSS the field showed as "sha256ECDSA" and the certificate loaded onto the ASA with no problems.

Thanks,
Rhys.
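The distinction Rhys describes is visible in the certificate's outer signatureAlgorithm field: RSASSA-PSS is identified by the OID 1.2.840.113549.1.1.10 (RFC 4055), while PKCS#1 v1.5 and ECDSA signatures carry hash-specific OIDs such as sha256WithRSAEncryption or ecdsa-with-SHA256. The following is an added example, not code from the thread or from Cisco: a small pure-Python DER walker that reads that OID from a PEM or DER certificate and flags PSS, so a CA cert can be checked before an import is attempted. The sample certificate it builds is constructed (only the outer layout is realistic; the tbsCertificate and signature are placeholders).

```python
# Added example: report the signatureAlgorithm OID of an X.509 certificate (RFC 5280 4.1.1.2)
# and flag RSASSA-PSS. Pure standard library; no real certificate is embedded.
import base64

# OIDs from RFC 4055 (PSS), RFC 8017 (PKCS#1 v1.5) and RFC 5758 (ECDSA).
PSS_OID = "1.2.840.113549.1.1.10"
KNOWN_SIG_ALGS = {
    PSS_OID: "RSASSA-PSS (PKCS#1 v2.1)",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption (PKCS#1 v1.5)",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption (PKCS#1 v1.5)",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption (PKCS#1 v1.5)",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
    "1.2.840.10045.4.3.3": "ecdsa-with-SHA384",
}

def _read_tlv(buf, pos):
    """Parse one DER TLV header at pos; return (tag, value_start, value_end)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length

def _decode_oid(raw):
    """Decode OBJECT IDENTIFIER content octets into dotted form."""
    arcs = [raw[0] // 40, raw[0] % 40]
    val = 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:                   # last octet of this arc
            arcs.append(val)
            val = 0
    return ".".join(str(a) for a in arcs)

def load_der(data):
    """Accept PEM or DER bytes; return DER."""
    if data.lstrip().startswith(b"-----BEGIN"):
        body = b"".join(l for l in data.splitlines() if not l.startswith(b"-----"))
        return base64.b64decode(body)
    return data

def signature_algorithm_oid(cert_der):
    """Walk Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }."""
    tag, start, _ = _read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, tbs_end = _read_tlv(cert_der, start)            # skip tbsCertificate
    tag, alg_start, _ = _read_tlv(cert_der, tbs_end)      # signatureAlgorithm SEQUENCE
    if tag != 0x30:
        raise ValueError("signatureAlgorithm is not a SEQUENCE")
    tag, oid_start, oid_end = _read_tlv(cert_der, alg_start)
    if tag != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER")
    return _decode_oid(cert_der[oid_start:oid_end])

def check_certificate(data):
    """Return the signature OID, a readable name and whether the cert uses RSASSA-PSS."""
    oid = signature_algorithm_oid(load_der(data))
    return {"oid": oid, "name": KNOWN_SIG_ALGS.get(oid, "unknown OID"), "uses_pss": oid == PSS_OID}

# --- constructed sample input (not a real certificate) ---
def _der(tag, content):
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content

def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytes([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.insert(0, (a & 0x7F) | 0x80)
            a >>= 7
        out += bytes(chunk)
    return out

def make_sample_cert(sig_oid):
    """Certificate-shaped DER with placeholder tbsCertificate and signature (constructed)."""
    tbs = _der(0x30, _der(0x02, b"\x01"))                 # stand-in tbsCertificate
    alg = _der(0x30, _der(0x06, _encode_oid(sig_oid)))    # signatureAlgorithm
    sig = _der(0x03, b"\x00" + b"\x00" * 256)             # stand-in signatureValue BIT STRING
    return _der(0x30, tbs + alg + sig)

if __name__ == "__main__":
    for oid in (PSS_OID, "1.2.840.10045.4.3.2"):
        print(check_certificate(make_sample_cert(oid)))
```

For a real file, `check_certificate(open("ca.cer", "rb").read())` reads either PEM or DER; a result with `uses_pss` set is the case that the enhancement request in this thread covers, and the certificate would need to be re-signed with PKCS#1 v1.5 as Rhys did.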

New Member

Rhys,

I am having the same issue with import of a new CA root and intermediate cert. I have read your most recent reply but it seems contradictory.

 

You state "It would appear that RSASSA-PSS does not work with Cisco ASA devices" then go on to say "the certificate was re-created using RSASSA-PSS.........and the certificate loaded onto the ASA"

My root is 4096 and intermediate is 2048. Both show signature algorithm as RSASSA-PSS rather than anything with ECDSA in the field. See attached. Should these certs work or do I need to re-create in another way?

 

Thanks in advance.

Wes

 

 

New Member

Hello,

Sorry for the late reply.

The certificate was re-signed using the RSASSA algorithm in PKCS#1 v1.5 rather than PKCS#1 v2.1.

This was a registry fix on the Windows machine issuing the certificates.

 

Also, if you are using key lengths 4096 and 2048 you are signing using RSA rather than ECDSA, so I'm not sure if you do have the same issue?

 

Regards,

Rhys

Cisco Employee

This is a known issue. Enhancement request CSCup44159 has been filed to add support for RSASSA-PSS on the ASA.
