Cisco Bug: CSCuw28512 - ASA Suite-B accepts mismatched CA key and sig hash - import pkcs12

Last Modified

May 16, 2018

Products (1)

  • Cisco ASA 5500-X Series Firewalls

Known Affected Releases

9.4(1)

Description (partial)

Symptom:
ASA allows import of an identity certificate whose CA ECDSA key size is incompatible with the signature algorithm the CA used to sign that identity certificate.

CA cert:
- 384 bit ECDSA public key

ID cert:
- signed by CA with ECDSA/SHA-1 or ECDSA/SHA-256 algorithm.

This results in a certificate configuration that peers may fail to validate.

Conditions:
The CA certificate has an ECDSA private key on curve P-384. This can be checked in the CA certificate.
The CA signs certificate requests using signature hash algorithm SHA-1 or SHA-256. This can be checked in the identity certificate signed for the ASA.

1. Importing the identity certificate with private key and CA certificate - in PKCS12 form:

crypto ca import <trustpoint> pkcs12 <pass>

The certificates are not validated regarding the hash algorithms.

2. Enrolling the identity certificate on one trustpoint and importing the CA certificate to another trustpoint.
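Because the affected release performs no hash-versus-curve check at import time, the practical mitigation is to check the PKCS12 bundle off-box before running crypto ca import. The script below is an added example, not Cisco code: it uses the openssl CLI to read the CA curve and the identity certificate's signature algorithm out of a bundle and flags the P-384 CA / SHA-256 (or SHA-1) combination this bug lets through. The Suite-B pairing it enforces (P-256 with SHA-256, P-384 with SHA-384) is the RFC 6460 rule; the test PKI, file names and the password "test" are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not Cisco's code): pre-import Suite-B consistency check of a
# PKCS12 bundle. Assumes the openssl CLI is on PATH.
set -e

# Suite-B (RFC 6460) pairs each curve with one signing hash.
expected_sig_for_curve() {
  case "$1" in
    prime256v1|secp256r1) echo "ecdsa-with-SHA256" ;;
    secp384r1)            echo "ecdsa-with-SHA384" ;;
    *)                    echo "unknown" ;;
  esac
}

# check_suiteb_p12 <bundle.p12> <password>
# Returns 0 when the CA's curve and the identity cert's signature hash agree,
# 1 when they do not (the combination the ASA import accepts unchecked).
check_suiteb_p12() {
  p12="$1"; pass="$2"
  # Curve of the CA public key, taken from the CA cert inside the bundle.
  ca_curve=$(openssl pkcs12 -in "$p12" -passin "pass:$pass" -nokeys -cacerts 2>/dev/null \
    | openssl x509 -noout -text | sed -n 's/.*ASN1 OID: *//p' | head -n 1)
  # Signature algorithm the CA used on the identity (client) cert.
  id_sig=$(openssl pkcs12 -in "$p12" -passin "pass:$pass" -nokeys -clcerts 2>/dev/null \
    | openssl x509 -noout -text | sed -n 's/.*Signature Algorithm: *//p' | head -n 1)
  want=$(expected_sig_for_curve "$ca_curve")
  if [ "$id_sig" = "$want" ]; then
    echo "OK: CA curve $ca_curve, identity cert signed with $id_sig"
    return 0
  fi
  echo "MISMATCH: CA curve $ca_curve expects $want, identity cert signed with $id_sig"
  return 1
}

# make_test_pki <sha256|sha384>: constructed test data. Builds a P-384 CA, an
# identity cert signed by it with the given hash, bundles both with the
# identity key as PKCS12 (password "test") and prints the bundle path.
make_test_pki() {
  hash="$1"
  d=$(mktemp -d)
  openssl ecparam -name secp384r1 -genkey -noout -out "$d/ca.key"
  openssl req -x509 -new -key "$d/ca.key" -sha384 -days 30 \
    -subj "/CN=Constructed Suite-B Test CA" -out "$d/ca.crt" 2>/dev/null
  openssl ecparam -name secp384r1 -genkey -noout -out "$d/id.key"
  openssl req -new -key "$d/id.key" -subj "/CN=asa.example.test" \
    -out "$d/id.csr" 2>/dev/null
  openssl x509 -req -in "$d/id.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
    -CAcreateserial -"$hash" -days 30 -out "$d/id.crt" 2>/dev/null
  openssl pkcs12 -export -inkey "$d/id.key" -in "$d/id.crt" -certfile "$d/ca.crt" \
    -passout pass:test -out "$d/bundle.p12"
  echo "$d/bundle.p12"
}

# Usage: sh check_suiteb.sh demo   (runs both the mismatched and the correct case)
if [ "${1:-}" = "demo" ]; then
  for h in sha256 sha384; do
    check_suiteb_p12 "$(make_test_pki "$h")" test || true
  done
fi
```

Run the check against the real bundle with check_suiteb_p12 bundle.p12 '<pass>' before importing it; a MISMATCH result means the ASA will accept the bundle but peers applying Suite-B rules may reject the resulting chain.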