Cisco Support Community

New Member

ASA 5525x with embedded IPS

Hi everyone,

We are going through an IA audit and the IA team would like me to change the SSL/SSH key strength from the default 1024 to 2048.

How can I accomplish this on the IPS module in an ASA 5525x firewall?

I see where I can regenerate a new key through IME, but it does not have any configurable parameters to change/choose key sizes.

Perhaps there is a way in the CLI?

Thanks for the expertise!

Scott Robertson

New Member

ASA 5525x with embedded IPS

Hello and thanks for the reply.

I have reviewed the setup guide in the link above and the guide provides the CLI syntax to generate a new TLS server certificate; however, it does not provide any parameters to change the key size. So IPS will generate a new self-signed certificate but will only create a 1024-bit size key. Same problem I have in IME. This is a government client and their security policy mandates that any SSL certificate sizes be of 2048-bit strength or higher. At this point a feature request would probably be in order.

Thanks again for your reply.

Scott Robertson



New Member

ASA 5525x with embedded IPS

I did not get whether you are looking for embedded IPS or IP. If IP, for clear information please find the link below.

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/82446-enable-voip-config.html

New Member

Re: ASA 5525x with embedded IPS

I am referring to IPS SSP in the ASA 5525x firewall. It appears there is no way to change the certificate size from 1024 to 2048 or higher. My IA auditors are complaining about the weak key size of 1024. I was hoping it could be done from CLI on the IPS modules but the feature does not exist to change the strength of the keys to 2048 which is our minimum security standard.

I am using the generate new self-signed certificate feature in the IPS GUI.

Sent from Cisco Technical Support iPhone App
