New Member

PKI key length

I am setting up a DMVPN network and wish to use PKI instead of wildcard pre-shared keys. I have read that Cisco routers will not support certificates where any key length in the certificate chain is over 2048. I have an MS PKI where the offline root cert has a key length of 4096. Does this mean I cannot use this CA hierarchy?

2 REPLIES
Silver

Re: PKI key length

I think the recommended length is 1024, as larger keys take time to get generated (on routers larger keys are not recommended), but you should be able to use it. The following link may help you:

http://www.cisco.com/en/US/docs/security/vpn5000/manager/reference/guide/certs.html

New Member

Re: PKI key length

Thanks very much for the response. The actual certs I intend to use on the routers will have a key length of 1024; however, the root CA has a self-signed cert with a key length of 4096 (which was what I was confused about). I have since discovered that the routers are able to support public keys of up to 4096 with IOS release 12.4(11)T, so that should enable me to use the existing PKI we have. As an aside, however, they are still only able to support private keys with a maximum modulus of 2048. Thanks again for your help.
