PKI Enrollment of Certificates with Weak-Crypto

Certificates signed with the SHA-1 hash algorithm, and certificates with RSA keys smaller than 2048 bits, are not supported on management center and threat defense Version 7.0 and higher. You cannot enroll certificates with RSA key sizes smaller than 2048 bits.

To override these restrictions on a management center 7.0 that manages threat defenses running versions earlier than 7.0, you can use the enable weak-crypto option on the threat defense. We do not recommend permitting weak-crypto keys, because they are not as secure as keys of larger sizes.

Note

Threat Defense 7.0 or higher does not support generating RSA keys with sizes smaller than 2048 bits even when you permit weak-crypto.

To enable weak-crypto on the device, navigate to the Devices > Certificates page. Click the Enable Weak-Crypto button provided against the threat defense device. When the weak-crypto option is enabled, the button changes to show the enabled state. By default, the weak-crypto option is disabled.

Note

When a certificate enrollment fails due to weak cipher usage, the management center displays a warning message prompting you to enable the weak-crypto option. Similarly, when you turn on the enable weak-crypto button, the management center displays a warning message before enabling weak-crypto configuration on the device.

Upgrading Earlier Versions to Threat Defense 7.0

When you upgrade to threat defense 7.0, the existing certificate configurations are retained. However, if those certificates have RSA keys smaller than 2048 bits and are signed with the SHA-1 algorithm, they cannot be used to establish VPN connections. You must either procure a certificate with an RSA key size of 2048 bits or larger, or enable the permit weak-crypto option for VPN connections.
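The enrollment rule at the top of this page and the upgrade behaviour just described both turn on the same two properties of a certificate: its signature algorithm and its RSA modulus size. The following added example checks a certificate for exactly those two conditions so you can find affected certificates before enrolling or upgrading. It is not part of this documentation or of the management center product. It is a stdlib-only Python reader of the relevant DER fields; the OID table, the `MIN_RSA_BITS` constant and the constructed test certificates produced by `build_test_cert` (throw-away modulus, no real signature) are assumptions made here for illustration.

```python
"""Added pre-check for the two weak-crypto conditions this page names:
a SHA-1 signature algorithm and an RSA key shorter than 2048 bits.
Standard library only; the DER walker is a minimal reader, not a full X.509 parser."""
import base64

# Signature-algorithm OIDs that are built on SHA-1 (the page calls these weak).
SHA1_SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
    "1.2.840.10040.4.3": "dsa-with-sha1",
}
RSA_ENCRYPTION_OID = "1.2.840.113549.1.1.1"
MIN_RSA_BITS = 2048          # minimum accepted under the page's 7.0+ rule


def _read_tlv(buf, pos):
    """Read one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:        # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _children(value):
    """Split the contents of a SEQUENCE into its (tag, value) elements."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = _read_tlv(value, pos)
        out.append((tag, val))
    return out


def _decode_oid(value):
    """OBJECT IDENTIFIER contents -> dotted-decimal string."""
    arcs, acc = [str(value[0] // 40), str(value[0] % 40)], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:     # last byte of this arc
            arcs.append(str(acc))
            acc = 0
    return ".".join(arcs)


def load_der(data):
    """Accept PEM or DER bytes and return DER."""
    if data.lstrip().startswith(b"-----BEGIN"):
        body = b"".join(l for l in data.splitlines() if l and not l.startswith(b"-----"))
        return base64.b64decode(body)
    return data


def inspect_der_cert(der):
    """Return the signature OID, key OID and RSA modulus size (None if the key is not RSA)."""
    _, cert, _ = _read_tlv(der, 0)                 # outer Certificate SEQUENCE
    (_, tbs), (_, sig_alg), _ = _children(cert)    # tbsCertificate, signatureAlgorithm, signatureValue
    fields = _children(tbs)
    if fields[0][0] == 0xA0:                       # optional EXPLICIT [0] version
        fields = fields[1:]
    # remaining order: serial, signature, issuer, validity, subject, subjectPublicKeyInfo
    (_, key_alg), (_, key_bitstring) = _children(fields[5][1])
    info = {"sig_alg": _decode_oid(_children(sig_alg)[0][1]),
            "key_alg": _decode_oid(_children(key_alg)[0][1]), "rsa_bits": None}
    if info["key_alg"] == RSA_ENCRYPTION_OID:
        _, rsa_key, _ = _read_tlv(key_bitstring, 1)  # skip the BIT STRING unused-bits byte
        modulus = _children(rsa_key)[0][1]           # RSAPublicKey.modulus INTEGER
        info["rsa_bits"] = int.from_bytes(modulus, "big").bit_length()
    return info


def weak_crypto_findings(der):
    """List why the certificate would be refused under the 7.0+ rule (empty list = acceptable)."""
    info = inspect_der_cert(der)
    findings = []
    if info["sig_alg"] in SHA1_SIGNATURE_OIDS:
        findings.append(f"SHA-1 signature algorithm ({SHA1_SIGNATURE_OIDS[info['sig_alg']]})")
    if info["rsa_bits"] is not None and info["rsa_bits"] < MIN_RSA_BITS:
        findings.append(f"RSA key is {info['rsa_bits']} bits, minimum is {MIN_RSA_BITS}")
    return findings


# --- constructed sample input (not a real certificate; structure only) ---------
def _tlv(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        while a > 0x7F:      # base-128 with continuation bit on all but the last byte
            a >>= 7
            chunk.insert(0, 0x80 | (a & 0x7F))
        out += bytes(chunk)
    return bytes(out)


def build_test_cert(sig_oid, rsa_bits):
    """DER Certificate shell with the given signature OID and RSA modulus size.
    Modulus and signature are filler with the right shape; nothing here is signed."""
    alg = _tlv(0x30, _tlv(0x06, _encode_oid(sig_oid)) + b"\x05\x00")
    modulus = ((1 << (rsa_bits - 1)) | 1).to_bytes(rsa_bits // 8, "big")
    rsa_key = _tlv(0x30, _tlv(0x02, b"\x00" + modulus) + _tlv(0x02, b"\x01\x00\x01"))
    spki = _tlv(0x30, _tlv(0x30, _tlv(0x06, _encode_oid(RSA_ENCRYPTION_OID)) + b"\x05\x00")
                + _tlv(0x03, b"\x00" + rsa_key))
    empty_name = _tlv(0x30, b"")
    validity = _tlv(0x30, _tlv(0x17, b"240101000000Z") + _tlv(0x17, b"340101000000Z"))
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01")
                + alg + empty_name + validity + empty_name + spki)
    return _tlv(0x30, tbs + alg + _tlv(0x03, b"\x00" * 9))


if __name__ == "__main__":
    for label, oid, bits in (("legacy", "1.2.840.113549.1.1.5", 1024),
                             ("current", "1.2.840.113549.1.1.11", 2048)):
        print(label, weak_crypto_findings(build_test_cert(oid, bits)) or ["acceptable"])
```

To run it against a real certificate exported from an existing configuration, call `weak_crypto_findings(load_der(open("cert.pem", "rb").read()))`; an empty list means neither condition applies. The reader only walks the fields it needs and does not validate the signature, so it complements, rather than replaces, the warning the management center itself raises when enrollment fails.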