Cisco Bug: CSCuw28512 - ASA Suite-B accepts mismatched CA key and sig hash - import pkcs12
May 16, 2018
- Cisco ASA 5500-X Series Firewalls
Symptom: The ASA allows import of an identity certificate whose CA ECDSA key size is incompatible with the signature algorithm the CA used to sign the identity certificate:

- CA cert: 384-bit ECDSA public key
- ID cert: signed by the CA with ECDSA/SHA-1 or ECDSA/SHA-256

This results in a certificate configuration that cannot be validated by peers.

Conditions: The CA certificate's private key is ECDSA on curve P-384; this can be checked in the CA certificate. The CA signs certificate requests using the signature hash algorithm SHA-1 or SHA-256; this can be checked in the identity certificate issued to the ASA. The behaviour is reached either way:

1. Importing the identity certificate with its private key and the CA certificate in PKCS12 form: crypto ca import <trustpoint> pkcs12 <pass>. The certificates are not validated with regard to the hash algorithms.
2. Enrolling the identity certificate on one trustpoint and importing the CA certificate to another trustpoint.
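Because the ASA does not check this pairing on import, the check has to happen before the PKCS12 is loaded. The script below is an added example, not part of the Cisco bug report or any Cisco tool: it reads the CA certificate's named curve and the identity certificate's signature hash with openssl and reports whether they match the Suite-B pairing (P-256 with SHA-256, P-384 with SHA-384). The `make_demo_pair` helper builds a constructed P-384 CA and a leaf signed with a chosen hash so the mismatch can be reproduced locally.

```shell
#!/bin/sh
# Suite-B pairing check for an ASA trustpoint: the CA's ECDSA curve must match
# the hash the CA used to sign the identity cert (P-256 <-> SHA-256, P-384 <-> SHA-384).
# Requires openssl; certificate arguments are PEM files.

# Hash that Suite-B pairs with a given named curve.
suiteb_hash_for_curve() {
  case "$1" in
    prime256v1|secp256r1) echo SHA256 ;;
    secp384r1)            echo SHA384 ;;
    *)                    echo UNKNOWN ;;
  esac
}

# Named curve of the CA certificate's public key (e.g. secp384r1); empty for non-EC keys.
ca_curve() {
  openssl x509 -in "$1" -noout -pubkey 2>/dev/null |
    openssl ec -pubin -noout -text 2>/dev/null |
    sed -n 's/^ *ASN1 OID: *//p'
}

# Hash named in the identity certificate's ECDSA signature algorithm (e.g. SHA256, SHA1).
id_sig_hash() {
  openssl x509 -in "$1" -noout -text 2>/dev/null |
    sed -n 's/^ *Signature Algorithm: *ecdsa-with-//p' | head -n 1
}

# Exit 0 when the pair is Suite-B consistent, 1 for the mismatch described in CSCuw28512.
check_suiteb_pair() {
  curve=$(ca_curve "$1"); hash=$(id_sig_hash "$2")
  expected=$(suiteb_hash_for_curve "$curve")
  echo "CA curve=$curve  ID signature hash=$hash  expected=$expected"
  [ -n "$hash" ] && [ "$hash" = "$expected" ]
}

# Demo data (constructed, not from the bug report): a P-384 CA and an identity cert
# signed by it with hash $2 (sha256 reproduces the bug, sha384 is the correct pairing).
# Writes ca.key, ca.pem, id.key, id.csr and id.pem into directory $1.
make_demo_pair() {
  d=$1; h=$2
  openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:secp384r1 -nodes -sha384 \
    -subj /CN=DemoCA -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
  openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:secp384r1 -nodes \
    -subj /CN=asa.example -keyout "$d/id.key" -out "$d/id.csr" 2>/dev/null
  openssl x509 -req -in "$d/id.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" -CAcreateserial \
    "-$h" -out "$d/id.pem" 2>/dev/null
}
```

Run `check_suiteb_pair ca.pem id.pem` on the certificates you intend to bundle; a PKCS12 can be split into the two PEM files with `openssl pkcs12 -nokeys` beforehand.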