Cisco ASA 5585-X Adaptive Security Appliance Technical Manual

interface on ASA running 9.4(1) and later.
Solution: This issue occurs when an RSA keypair is used with the certificate. On ASA
versions 9.4(1) and later, all ECDSA and RSA ciphers are enabled by default and the
strongest cipher (usually an ECDSA cipher) is used for negotiation. When an ECDSA cipher is
negotiated, the ASA presents a self-signed certificate instead of the configured RSA-based
certificate. An enhancement to change this behaviour when an RSA-based certificate is
installed on an interface is tracked by Cisco bug ID 
Recommended Action: Disable the ECDSA ciphers by restricting the TLS 1.2 cipher suite to the
RSA-based custom string with this CLI command:
 MainASA(config)# ssl cipher tlsv1.2 custom "AES256-SHA:AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:DES-CBC3-SHA:DES-CBC-SHA:RC4-SHA:RC4-MD5"
Or, with the ASDM, navigate to Configuration > Remote Access VPN > Advanced and choose
SSL Settings. Under the Encryption section, select the tlsv1.2 Cipher Version and edit it with
the custom string AES256-SHA:AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:DES-CBC3-SHA:DES-CBC-SHA:RC4-SHA:RC4-MD5
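A client-side check for the symptom described in this section, as an added example that is not part of the Cisco document. It connects to an ASA interface twice, once offering the client's default cipher list (ECDSA suites included) and once offering only the RSA-based custom string from the ASDM instructions above, and reports for each handshake which cipher was negotiated and whether the presented leaf certificate is self-signed; the combination "ECDSA cipher negotiated and self-signed certificate" is the condition the Solution paragraph describes. HOST and PORT are assumptions supplied on the command line; the parsing works on the output format of openssl s_client.

```shell
#!/bin/sh
# Added example, not from the Cisco document: compare the certificate an ASA interface
# presents under the client's default cipher list with the one it presents when only
# RSA-based suites are offered. HOST and PORT are assumptions given on the command line.
set -eu

# RSA-only cipher string, copied from the ASDM instructions on this page.
RSA_ONLY='AES256-SHA:AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:DES-CBC3-SHA:DES-CBC-SHA:RC4-SHA:RC4-MD5'

# assess_handshake: read `openssl s_client` output on stdin and print one line
#   CIPHER=<negotiated cipher> SELF_SIGNED=<yes|no> SYMPTOM=<yes|no>
# SYMPTOM is yes only for the combination the page describes: an ECDSA cipher was
# negotiated and the leaf certificate is self-signed (subject equals issuer).
assess_handshake() {
  out=$(cat)
  cipher=$(printf '%s\n' "$out" | sed -n 's/^ *Cipher *: *//p' | head -n 1)
  subject=$(printf '%s\n' "$out" | sed -n 's/^subject=//p' | head -n 1)
  issuer=$(printf '%s\n' "$out" | sed -n 's/^issuer=//p' | head -n 1)
  self_signed=no
  if [ -n "$subject" ] && [ "$subject" = "$issuer" ]; then
    self_signed=yes
  fi
  symptom=no
  case $cipher in
    *ECDSA*) if [ "$self_signed" = yes ]; then symptom=yes; fi ;;
  esac
  printf 'CIPHER=%s SELF_SIGNED=%s SYMPTOM=%s\n' "$cipher" "$self_signed" "$symptom"
}

# handshake HOST PORT [CIPHERS]: run s_client (TLS 1.2, SNI set) and emit its output.
# A failed handshake yields output with no Cipher line, which assess_handshake reports
# as an empty CIPHER value.
handshake() {
  if [ -n "${3:-}" ]; then
    openssl s_client -connect "$1:$2" -servername "$1" -tls1_2 -cipher "$3" </dev/null 2>/dev/null || true
  else
    openssl s_client -connect "$1:$2" -servername "$1" -tls1_2 </dev/null 2>/dev/null || true
  fi
}

# check_interface HOST PORT: assess the default-list handshake and the RSA-only handshake.
# If the first line shows SYMPTOM=yes while the second shows a CA-issued certificate,
# the interface is still negotiating an ECDSA cipher and falling back to its
# self-signed certificate.
check_interface() {
  echo "default cipher list: $(handshake "$1" "$2" | assess_handshake)"
  echo "RSA-only ciphers:    $(handshake "$1" "$2" "$RSA_ONLY" | assess_handshake)"
}

if [ $# -eq 2 ]; then
  check_interface "$1" "$2"
fi
```

Run it as `sh asa-cert-check.sh vpn.example.test 443` (hypothetical host). The RSA-only string is used here only to force an RSA suite for the comparison; it is the page's list and includes RC4 and single-DES suites that modern TLS clients no longer accept, so the second handshake may fail against a client built without them.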
Appendix
Appendix A: ECDSA or RSA
The ECDSA algorithm is part of elliptic curve cryptography (ECC) and uses the equation of
an elliptic curve to generate the public key, whereas the RSA algorithm uses the product of two
primes plus a smaller number to generate the public key. This means that with ECDSA the same
level of security as RSA can be achieved with smaller keys. This reduces computation time
and improves connection times for sites that use ECDSA certificates.
The document on 
 provides more in-depth information.
Appendix B: Use OpenSSL to Generate a PKCS12 Certificate from an Identity Certificate, CA Certificate, and Private Key
Ensure that OpenSSL is installed on the system that this process is run on. For Mac OSX
and GNU/Linux users, this will be installed by default.
1. Switch to a working directory. On Windows: by default, the utilities are installed in
   C:\Openssl\bin. Open a command prompt in this location. On Mac OSX/Linux: open the
   Terminal window in the directory needed to create the PKCS12 certificate.
2. In the directory mentioned in the previous step, save the private key (privateKey.key), identity
   certificate (certificate.crt) and root CA certificate chain (CACert.crt) files. Combine the private
   key, identity certificate and the root CA certificate chain into a PKCS12 file. You will be
   prompted to enter a passphrase to protect your PKCS12 certificate.
3. Convert the PKCS12 certificate generated above to a Base64 encoded certificate:
   openssl base64 -in certificate.pfx -out certificate.p12
4. Next, import the certificate that was generated in the last step for use with SSL.
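The Appendix B procedure carried out end to end, as an added shell script that is not part of the Cisco document. So that it runs offline, make_test_material first generates throwaway test material (a self-signed root CA and a CA-signed identity certificate; constructed placeholders, not real credentials) under the file names the steps use (privateKey.key, certificate.crt, CACert.crt). build_pkcs12 then performs step 2, encode_pkcs12 performs step 3, and count_certs opens the resulting bundle with the passphrase to confirm it contains both the identity and the CA certificate. The directory, passphrase and subject names are assumptions.

```shell
#!/bin/sh
# Added example, not from the Cisco document: the Appendix B procedure end to end.
# make_test_material creates constructed test material (not real credentials) so the
# script runs offline; with real files already in DIR, call only build_pkcs12 and
# encode_pkcs12. DIR, the passphrase and the subject names are assumptions.
set -eu

# make_test_material DIR: write CACert.crt, privateKey.key and certificate.crt into DIR.
make_test_material() {
  dir=$1
  # throwaway self-signed root CA
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$dir/CAKey.key" -out "$dir/CACert.crt" \
    -subj "/CN=Constructed Test Root CA" -days 1 2>/dev/null
  # identity key and CSR, then sign the CSR with the CA
  openssl req -newkey rsa:2048 -nodes -keyout "$dir/privateKey.key" -out "$dir/identity.csr" \
    -subj "/CN=vpn.example.test" 2>/dev/null
  openssl x509 -req -in "$dir/identity.csr" -CA "$dir/CACert.crt" -CAkey "$dir/CAKey.key" \
    -CAcreateserial -out "$dir/certificate.crt" -days 1 2>/dev/null
}

# build_pkcs12 DIR PASSPHRASE: step 2, bundle the private key, identity certificate and
# CA chain into certificate.pfx, protected by the passphrase.
build_pkcs12() {
  openssl pkcs12 -export -out "$1/certificate.pfx" \
    -inkey "$1/privateKey.key" -in "$1/certificate.crt" -certfile "$1/CACert.crt" \
    -passout "pass:$2"
}

# encode_pkcs12 DIR: step 3, base64-encode the bundle for the ASA import.
encode_pkcs12() {
  openssl base64 -in "$1/certificate.pfx" -out "$1/certificate.p12"
}

# count_certs DIR PASSPHRASE: open the bundle with the passphrase and print how many
# certificates it holds (2 expected: identity plus CA). Fails when the passphrase is wrong,
# because the PKCS12 MAC check does not pass.
count_certs() {
  openssl pkcs12 -in "$1/certificate.pfx" -passin "pass:$2" -nokeys 2>/dev/null \
    | grep -c 'BEGIN CERTIFICATE'
}

if [ $# -eq 2 ]; then
  build_pkcs12 "$1" "$2"
  encode_pkcs12 "$1"
  echo "certificates in bundle: $(count_certs "$1" "$2")"
fi
```

With real files in place, run `sh make-pkcs12.sh /path/to/dir 'passphrase'` and paste the contents of certificate.p12 into the import step. OpenSSL 3 exports PKCS12 bundles with AES-256-CBC and PBKDF2 by default; if an older importer rejects such a bundle, the `-legacy` option of `openssl pkcs12 -export` produces the older 3DES/SHA1-based encoding.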