New Member

VPN Concentrator using certificate authentication with MS CA

We have a VPN Concentrator 3000. Users securely connect to the concentrator to access Network resources. In order to improve security we have configured the concentrator to use digital certificates to authenticate VPN users, and for users to authenticate the concentrator.

LGCSB have a PKI infrastructure in 2 levels. We have a root CA that uses a 4096 bit key for maximum security; we also have a subordinate CA (issuing CA) that uses a 2048 bit key.

In order to allow vpn users to authenticate via certificates, the users and the concentrator must trust the certificate from the Root CA. On the workstations (VPN clients) this is a simple procedure. However on the concentrator, when we install the Root CA Certificate it fails: the error is "Error installing trusted certificate: Unable to install trusted certificate" in the event log we receive an error which states: "Unable to load trusted certificate, reason = Unable to install trusted certifica


A few tests confirm that the concentrator has a problem with any CA certificate that has a key strength greater than 2048.

Using a 4096 bit key is critical (and recommended) to the secure transactions that our organisation uses day-to-day, so it is not possible to re-configure our PKI infrastructure.

Your advice or solutions are much appreciated



Brent Arkley

Cisco Employee

Re: VPN Concentrator using certificate authentication with MS CA

The concentrator does not currently support keys longer than 2048 bits. This is due to a HW limitation of the encryption module in the concentrator where the key generation is done.
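
Before importing a CA chain into a device with a hard key-size cap like the one described in this reply, it is worth checking every certificate in the bundle up front rather than discovering the limit from the "Unable to install trusted certificate" event. The script below is an added example written for this thread, not code from the original post or from Cisco. It uses only the Python standard library: a minimal DER walker pulls the RSA modulus out of each X.509 certificate's SubjectPublicKeyInfo and reports its bit length against a 2048-bit limit. The certificates it runs on are synthetic, constructed in the block itself (correctly structured, but unsigned and with a placeholder modulus), so nothing in it is a real CA certificate; only RSA keys are handled, and the 2048-bit limit is taken from the reply above.

```python
"""
Pre-flight check for a CA bundle before importing it into a device that caps
RSA key size (the VPN 3000 Concentrator in this thread rejects trusted
certificates whose keys are longer than 2048 bits).

Standard library only: a minimal DER walker extracts the RSA modulus from each
X.509 certificate's SubjectPublicKeyInfo and reports its bit length.
"""
import base64
import re

CONCENTRATOR_MAX_RSA_BITS = 2048                      # limit stated in the thread
RSA_OID_VALUE = bytes.fromhex("2a864886f70d010101")   # 1.2.840.113549.1.1.1 rsaEncryption


def read_tlv(buf, pos):
    """Read one DER tag/length/value starting at pos; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                                  # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def children(value):
    """Split the content of a constructed DER element into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out


def rsa_key_bits(cert_der):
    """Return the RSA modulus size in bits, or None if the certificate's key is not RSA."""
    _, cert, _ = read_tlv(cert_der, 0)                 # Certificate ::= SEQUENCE
    fields = children(children(cert)[0][1])            # tbsCertificate fields
    if fields[0][0] == 0xA0:                           # optional explicit [0] version
        fields = fields[1:]
    # serial(0) signature(1) issuer(2) validity(3) subject(4) subjectPublicKeyInfo(5)
    alg, subject_public_key = children(fields[5][1])
    if children(alg[1])[0][1] != RSA_OID_VALUE:
        return None
    rsa_public_key = subject_public_key[1][1:]         # drop the BIT STRING unused-bits byte
    modulus, _exponent = children(children(rsa_public_key)[0][1])
    return int.from_bytes(modulus[1], "big").bit_length()


def pem_to_ders(pem_text):
    """Decode every CERTIFICATE block in a PEM bundle to DER bytes, in file order."""
    blocks = re.findall(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem_text, re.S)
    return [base64.b64decode("".join(b.split())) for b in blocks]


def check_chain(pem_text, max_bits=CONCENTRATOR_MAX_RSA_BITS):
    """Report, per certificate in the bundle, its RSA size and whether it fits under max_bits."""
    report = []
    for index, der_cert in enumerate(pem_to_ders(pem_text)):
        bits = rsa_key_bits(der_cert)
        report.append({"index": index, "bits": bits, "fits": bits is not None and bits <= max_bits})
    return report


# --- constructed test input: a synthetic, unsigned certificate with a chosen modulus size ---
def der(tag, content):
    """Encode one DER element (short- or long-form length)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def der_int(value):
    b = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    if b[0] & 0x80:                                    # keep the INTEGER positive
        b = b"\x00" + b
    return der(0x02, b)


def synthetic_cert(modulus_bits):
    """Build a parseable but invalid (unsigned, fake-modulus) certificate of the given key size."""
    modulus = (1 << (modulus_bits - 1)) | 1            # exactly modulus_bits bits; NOT a real RSA modulus
    rsa_key = der(0x30, der_int(modulus) + der_int(65537))
    rsa_alg = der(0x30, der(0x06, RSA_OID_VALUE) + der(0x05, b""))
    spki = der(0x30, rsa_alg + der(0x03, b"\x00" + rsa_key))
    sig_alg = der(0x30, der(0x06, bytes.fromhex("2a864886f70d01010b")) + der(0x05, b""))  # sha256WithRSA
    name = der(0x30, der(0x31, der(0x30, der(0x06, bytes.fromhex("550403")) + der(0x0C, b"Synthetic Root CA"))))
    validity = der(0x30, der(0x17, b"240101000000Z") + der(0x17, b"340101000000Z"))
    tbs = der(0x30, der(0xA0, der_int(2)) + der_int(1) + sig_alg + name + validity + name + spki)
    return der(0x30, tbs + sig_alg + der(0x03, b"\x00" * 33))   # zero filler where the signature would be


def der_to_pem(der_bytes):
    return "-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der_bytes).decode() + "-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    # Mirrors the poster's setup: 4096-bit root followed by 2048-bit issuing CA.
    bundle = der_to_pem(synthetic_cert(4096)) + der_to_pem(synthetic_cert(2048))
    for entry in check_chain(bundle):
        print(entry)
```

Run against a real bundle, `check_chain(open("chain.pem").read())` flags the 4096-bit root as not fitting and the 2048-bit issuing CA as fitting, which is exactly the split the poster describes. The same number can be read off with `openssl x509 -in root.cer -noout -text` (the `Public-Key: (4096 bit)` line); the script is useful when you want to run the check over a whole bundle or from a deployment script. Note that it only checks key length; whether a device will accept a chain whose root is omitted and only the issuing CA is installed as trusted is a separate question this thread does not answer.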

New Member

Re: VPN Concentrator using certificate authentication with MS CA

Do the PIX Firewalls support this key length?