SSL Certificate Chain Contains RSA Keys Less Than 2048 bits

tusharp81
Level 1

Recently we have done a VA test for our Cisco ASA 5520. In that we got the following observation. The observation is on port 443, and we are accessing ASDM on port 443.

Kindly reply so that we can close this at the earliest. We have already tried increasing the size with crypto key generate rsa general-keys modulus 2048.

Even after this command we get a key length of 2048 for SSH, but when we access ASDM we still get the bit length as 1024 bits. I am attaching the screenshot for the same.

SSL Certificate Chain Contains RSA Keys Less Than 2048 bits:

Synopsis:

The X.509 certificate chain used by this service contains certificates with RSA keys shorter than 2048 bits.

Description:

At least one of the X.509 certificates sent by the remote host has a
key that is shorter than 2048 bits.  According to industry standards set
by the Certification Authority/Browser (CA/B) Forum, certificates issued
after January 1, 2014 must be at least 2048 bits.

Some browser SSL implementations may reject keys less than 2048 bits
after January 1, 2014.  Additionally, some SSL certificate vendors may
revoke certificates less than 2048 bits before January 1, 2014.


14 Replies

After generating the keys, you also have to generate a new certificate. The new key is not used automatically for SSL/TLS/HTTPS.



Dear Iwen,

Thanks a lot. This is exactly what I am looking for. Can you please give me the process for generating the new certificate?

Regards,

Tushar

In ASDM, you have the "Certificate Management" under Configure -> Device management. There you choose Identity Certificates and add a new certificate. Here you use the option to generate a self-signed certificate. (I assume that you don't have a PKI in place that generates certificates in your company).


Dear Iwen,

Just to summarise:

First we need to go to Device management --> Certificate management --> Identity Certificates --> Add --> Add new Identity Certificate.

Here do we need to generate a new key pair, or can we use the default key pair?

Also, for the self-signed certificate do we need to specify the DN attribute values, i.e. Common Name, Department, Company Name etc.?

Also, do we need to enable "Act as local certificate authority and issue dynamic certificates to TLS proxy"?

Awaiting your reply.

Thanks a lot.

Regards,

Tushar

Here do we need to generate a new key pair, or can we use the default key pair?

As you have already created the default key pair with 2048 bits, you can use the default one. But it's good practice to have separate key pairs for different functions, so I would generate a new key pair with a specific label like "SSL-KEYS" and use that for ASDM.

Also, for the self-signed certificate do we need to specify the DN attribute values, i.e. Common Name, Department, Company Name etc.?

That depends on how you want to access your ASA. If you have your ASA's FQDN in DNS, then use that as the subject (CN=asa.example.com). Otherwise you use the inside IP address of the ASA to access ASDM.

Also, do we need to enable "Act as local certificate authority and issue dynamic certificates to TLS proxy"?

No, that's a completely different functionality.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

Hi,

We use the inside IP address of the ASA to access ASDM.

Rgds,

Tushar

OK, then you have to (if I remember right) use the subject "CN=yourIP", and under "Advanced" you also put in your inside IP address.

After you have generated that certificate, go to Device Management -> Advanced -> SSL Settings and change the certificate of your inside interface to the newly generated one.

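The ASDM steps discussed in this thread, written out as the equivalent ASA CLI. This is an added example and is not part of the original posts or Cisco documentation; the key label SSL-KEYS, the trustpoint name ASDM-SELFSIGNED and the inside address 192.0.2.1 are placeholders to replace with your own values.

```cisco
! Added example: CLI equivalent of the ASDM procedure described above.
! Placeholders (assumptions, not from the thread): key label SSL-KEYS,
! trustpoint ASDM-SELFSIGNED, inside interface address 192.0.2.1.

! 1. A dedicated 2048-bit key pair for the HTTPS/ASDM service.
!    The unlabeled "general-keys" pair from the original post is what SSH
!    uses; generating it does not change the certificate served on 443.
crypto key generate rsa label SSL-KEYS modulus 2048

! 2. A trustpoint that self-signs a certificate with that key pair.
!    The subject CN and the IP entry match how the browser reaches the
!    box (the inside IP in this thread). If you connect by DNS name,
!    use "subject-name CN=asa.example.com" and "fqdn asa.example.com".
crypto ca trustpoint ASDM-SELFSIGNED
 enrollment self
 keypair SSL-KEYS
 subject-name CN=192.0.2.1
 ip-address 192.0.2.1
 fqdn none
exit

! 3. Self-sign (enroll) the certificate.
crypto ca enroll ASDM-SELFSIGNED noconfirm

! 4. Serve it on the interface ASDM is reached through. Without this the
!    ASA keeps presenting its auto-generated "certificate of last resort".
ssl trust-point ASDM-SELFSIGNED inside

write memory

! Verification: both key pairs with their modulus sizes, the new
! certificate with its public key, and which trustpoint each interface serves.
show crypto key mypubkey rsa
show crypto ca certificates ASDM-SELFSIGNED
show ssl
```

After the change, check from a client rather than trusting the ASA's view of itself, e.g. `openssl s_client -connect 192.0.2.1:443 </dev/null | openssl x509 -noout -subject -text` should show a 2048-bit Public-Key and the new subject; the scanner finding is only closed once every certificate presented on 443 meets that. The browser will still warn, because a self-signed certificate is untrusted until imported. On an active/standby failover pair, apply this on the active unit: as a general ASA failover property (not something the thread confirms), configuration, key pairs and certificates are synchronised to the standby, and changes made directly on the standby are overwritten by the next sync.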

Dear Iwen,

Currently we have not assigned any certificate to the inside interface of the ASA. Will applying the certificate on the inside interface create any changes in the way we log in to the ASA or access ASDM? Also, currently in Certificate subject DN we have CN=D-ASA-1 (the host name of our ASA). Does it mean that we need to make it CN=yourIP (i.e. mention the IP address of the inside interface)? Attaching a screenshot for the same.

Please revert. Thanks again for your support.

Tushar

You have a certificate assigned to the inside interface. Without that you couldn't access the ASA with ASDM. Perhaps you didn't do it intentionally, because that's normally done automatically when setting up the ASA. It should also work with the subject DN which is the ASA name. In general (with exceptions) the subject name is what you put into your browser address bar, which would normally be the IP if you want to access the ASA by IP address.

But that doesn't really matter, as these self-signed certificates are not trusted by default and have to be imported into the browser anyway.


Hi Iwen,

Below is the screenshot from our ASA, which shows no certificate on the inside interface.

Although not shown here, you have a "certificate of last resort" which is used when no individual certificate is assigned. That's the certificate that you see when accessing the ASA with HTTPS in the browser.


Dear Iwen,

Thanks a lot for the resolution.

Dear Iwen,

We have the ASA in a High Availability environment. So as per my knowledge I need to do the above process on both firewalls.

Is it OK if I do the above on the standby firewall first, check it, and if everything is well then do the same on the active firewall?

Rgds,

Tushar

Hi Tushar,

I also have the same finding from VA testing on a Cisco ASA 5525. While searching on the internet I found that you also faced the same finding and successfully closed it. Could you please help me out to close the vulnerability?

Please also share if there was any production impact in your scenario when you were making the changes.

If possible, kindly share a step-wise process to get rid of this risk.

Rgds
