Community Member
ASA 5505 SSL Certificate Public Key Too Small

I have an ASA 5505 at my network site.  We have just started running TrustWave scans against our routers and everything is passing EXCEPT for the following item:

SSL Certificate Public Key Too Small

Port: tcp/443

Server SSL certificates signed with a public key of less than 2048 bits are more susceptible to man in the middle attacks.


How do I fix this issue?  This is a very plain vanilla setup, with no fancy hosting or anything of that nature.  This device is pretty much acting as a firewall/router with nothing but a very basic configuration.

I've scoured the device looking for certs, self-signed certs, or anything where I could figure out how to install a server certificate signed with a public key length of at least 2048 bits.  So far... no luck!

If there is anyone out there who can direct me in the right direction, it would be greatly appreciated.

Thank you so much ahead of time!

Accepted Solution
VIP Purple

Did you use this new key to generate a certificate? If yes, did you bind that new certificate to the interface?

8 REPLIES
VIP Purple

The key-size is specified when you generate the pub/priv key-pair:

asa(config)# crypto key generate rsa label VPN modulus 2048

The key-pair is then used in the trustpoint:

crypto ca trustpoint VPN-ID-CERT
  ..
  keypair VPN

From that trustpoint you enroll your ASA with a CA.

Community Member

I ran the following command:

asa(config)# crypto key generate rsa modulus 2048

and it still fails the test for the public key being too small. I'm not enrolling any of my ASAs with a CA. I believe they are all self-signed. Either way, why is a public key of less than 2048 bits being generated?


When I run the command:

asa# show crypto key mypubkey rsa

it returns this information:

Key pair was generated at: 05:14:56 UTC Aug 29 2014
Key name: <Default-RSA-Key>
 Usage: General Purpose Key
 Modulus Size (bits): 2048

I'm not sure why this is failing the vulnerability scan?


Hall of Fame Super Silver

As Karsten notes, generating the RSA key is just your first step.

You need to then generate a new self-signed certificate specifying that 2048-bit RSA key as the signing key. Then bind that new certificate to your interface. Only then will your scan show the SSL certificate as being signed using a 2048-bit key.
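The full sequence that Karsten's and Marvin's replies describe, written out as an added example rather than configuration taken from the thread or from anyone's device: the 2048-bit key pair is generated under a label, a self-signed trustpoint is pointed at that key pair, the certificate is generated, and the trustpoint is bound to the interface the scanner reaches on tcp/443. The key label SSL-2048, the trustpoint name SSL-SELF, the hostname asa.example.com and the interface name "outside" are assumptions; substitute your own.

```cisco
! Added example, not from the thread. Assumed names: key label SSL-2048,
! trustpoint SSL-SELF, hostname asa.example.com, interface "outside".
!
! 1. Generate a dedicated 2048-bit RSA key pair under its own label, so the
!    certificate is not tied to the unlabeled <Default-RSA-Key>.
asa(config)# crypto key generate rsa label SSL-2048 modulus 2048
!
! 2. Create a trustpoint that self-signs a certificate using that key pair.
asa(config)# crypto ca trustpoint SSL-SELF
asa(config-ca-trustpoint)# enrollment self
asa(config-ca-trustpoint)# fqdn asa.example.com
asa(config-ca-trustpoint)# subject-name CN=asa.example.com
asa(config-ca-trustpoint)# keypair SSL-2048
asa(config-ca-trustpoint)# exit
!
! 3. Generate the self-signed certificate.
asa(config)# crypto ca enroll SSL-SELF noconfirm
!
! 4. Bind the new certificate to the interface. Until this step the ASA keeps
!    serving whatever certificate it used before, which is why a fresh
!    "show crypto key mypubkey rsa" showing 2048 bits does not change the scan.
asa(config)# ssl trust-point SSL-SELF outside
!
! 5. Verify from the ASA side: the certificate should show a 2048-bit key,
!    and the trustpoint should appear in the SSL configuration.
asa# show crypto ca certificates SSL-SELF
asa# show running-config ssl
```

Step 4 is the one the original poster was missing: `show crypto key mypubkey rsa` only lists the key pairs on the box, not which certificate the interface actually presents. After the rebind, rerun the scan; clients that pinned the old self-signed certificate (the remote access VPN users and any phones mentioned later in the thread) will be prompted to trust the new one.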

Community Member

Is there anything to worry about when adding this to a production environment? My client only has one VPN user and a CCE on the inside of their network.


Thanks!!!

Hall of Fame Super Silver

By CCE do you mean Cisco Callmanager Express?

As long as you don't have remote IP phones which connect to the ASA VPN directly, you should be OK. If you do, those phones will need to have the new ASA certificate loaded onto them so that they trust the certificate for server authentication on the SSL VPN. The remote access VPN user(s) will have to do the same thing but they can do so manually when reconnecting to the ASA that's using a new certificate.

Community Member

Sorry, credit card environment. PCI related.

Hall of Fame Super Silver

Ah - generally speaking PCI DSS requirements want more security vs. less. Given that a 2048-bit key is more secure than 1024 bits, that's a good thing.
