I have a Cisco ASA 5510 with 8.4(3)8 software onboard.
Now I have an issue with a third-party wildcard certificate, which I want to use in SSL-VPN. The issue is that it doesn't import. It doesn't import, without any intelligible messages. I'm using PKCS12.
On the other hand, I've tried importing the same certificate into an ASA 5545X with 9.1(2) software and it imported fine.
The previous wildcard certificate was working fine.
The difference between these certificates that I found is the RSA key length. In the previous one it was 2048, in the current one 4096. It looks like my platform (5510) or my software (8.4(3)) doesn't support RSA 4096. But I can't find any official document about this.
Has anyone else encountered this kind of problem? Or maybe someone has read about it?
Not a bummer. Wholly and utterly unacceptable. "Hey, I know, let's arbitrarily limit the strength of the encryption on our so-called security appliances!"
Presently very displeased. I now either have to re-issue or re-purchase my wildcard cert and then re-re-install it everywhere (no thanks), or purchase an additional weaker cert specifically for my FWs. Thanks Cisco!
This is the first step in the lifecycle of any X.509 digital certificate. Once the private/public Rivest-Shamir-Adleman (RSA) or Elliptic Curve Digital Signature Algorithm (ECDSA) keypair is generated (Appendix A details the difference between the use of RSA or ECDSA), a Certificate Signing Request (CSR) is created. A CSR is basically a PKCS10 formatted message that contains the public key and identity information of the requesting host. PKI Data Formats explains the different certificate formats applicable to the ASA and Cisco IOS®.
Notes:
1. Check with the CA on the required keypair size. The CA/Browser Forum has mandated that all certificates generated by their member CAs have a minimum size of 2048 bits.
2. ASA currently does not support 4096 bit keys (Cisco bug ID CSCut53512) for SSL server authentication. However, IKEv2 does support the use of 4096 bit server certificates on the ASA 5580, 5585, and 5500-X platforms alone.
3. Use the DNS Name of the ASA in the FQDN field of the CSR in order to prevent Untrusted Certificate warnings and pass Strict Certificate check.
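Because the import in this thread failed without a usable message, checking the key size of a PKCS#12 bundle before loading it onto the appliance saves a round of guessing. The script below is an added example, not part of the thread or of Cisco's documentation; it assumes the `openssl` CLI is installed, and the function names, the sample bundles, the passphrase `constructed` and the 2048-bit default limit (the size that worked for the original poster) are all assumptions made for illustration.

```bash
# Added example: pre-import key-size check for a PKCS#12 bundle.
set -u

# Print the public-key size (bits) of the leaf certificate in a bundle.
# $1 = PKCS#12 file, $2 = export passphrase
p12_key_bits() {
    openssl pkcs12 -in "$1" -nokeys -clcerts -passin "pass:$2" 2>/dev/null |
        openssl x509 -noout -text 2>/dev/null |
        sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p'
}

# Returns 0 if the key fits, 1 if it is too large, 2 if the bundle is unreadable.
# $3 = largest key size the target accepts. The 2048 default is an assumption
# taken from the thread; set it to whatever your platform and release support.
check_p12_for_import() {
    local bits max="${3:-2048}"
    bits="$(p12_key_bits "$1" "$2")"
    if [ -z "$bits" ]; then
        echo "$1: cannot read certificate (wrong passphrase or not PKCS#12?)" >&2
        return 2
    fi
    if [ "$bits" -gt "$max" ]; then
        echo "$1: ${bits}-bit key exceeds the ${max}-bit limit"
        return 1
    fi
    echo "$1: ${bits}-bit key is within the ${max}-bit limit"
}

# Constructed sample bundles (self-signed, throwaway keys) so the check can be
# exercised offline; replace these with the bundle issued by your CA.
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
make_sample() {   # $1 = RSA key size in bits
    openssl req -x509 -newkey "rsa:$1" -nodes -days 1 -subj "/CN=*.example.test" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
    openssl pkcs12 -export -inkey "$WORK/$1.key" -in "$WORK/$1.crt" \
        -passout pass:constructed -out "$WORK/$1.p12"
}
make_sample 2048
make_sample 4096
check_p12_for_import "$WORK/2048.p12" constructed || true
check_p12_for_import "$WORK/4096.p12" constructed || true
```

The unreadable-bundle return code is kept separate from the oversize one so that a wrong passphrase is not mistaken for a key-size problem.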