We are working on testing Microsoft’s Always On VPN solution. It is recommended to use ECC (elliptic-curve cryptography) certificates for performance and security reasons (I’m assuming a 256-bit ECC key versus a 2048-bit RSA key improves performance, but I’m not sure how it is more secure).
After generating the CSR for the certificate using these instructions, we pasted the CSR into GoDaddy to generate the certificate. However, after submitting the CSR we got the following error message:
“This CSR was created with an invalid algorithm”
After a call with GoDaddy Support, they confirmed that they do not currently support ECC, ECDSA or DSA keys on certificates and only support RSA keys. If you use GoDaddy and need an ECC certificate, please give GoDaddy Support a call and ask for these keys to be supported going forward. Hopefully enough people will contact them that they add this feature in the future.
Recently we started getting reports of untrusted certificates for AnyConnect and when accessing the ASDM web page. When browsing to the site, the ASA was presenting the default “ASA Temporary Self Signed Certificate” rather than our public SSL certificate.
After opening a case with Cisco TAC about this, they pointed us to this issue in the ASA 9.4(x) release notes:
Elliptic curve cryptography for SSL/TLS—When an elliptic curve-capable SSL VPN client connects to the ASA, the elliptic curve cipher suite will be negotiated, and the ASA will present the SSL VPN client with an elliptic curve certificate, even when the corresponding interface has been configured with an RSA-based trustpoint. To avoid having the ASA present a self-signed SSL certificate, the administrator needs to remove the corresponding cipher suites using the ssl cipher command. For example, for an interface configured with an RSA trustpoint, the administrator can execute the following command so that only RSA based ciphers are negotiated:
ssl cipher tlsv1.2 custom
As soon as I added the command to our ASA it started working again. It sounds like this should be a default entry going forward for all ASA firewalls.
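As an added example (not code from the original post or from Microsoft, GoDaddy or Cisco), here is a POSIX shell script built on the openssl CLI that covers both problems above: it reports a CSR's key and signature algorithm before the CSR goes to a CA, so an ECC CSR is caught before an RSA-only CA rejects it, and it lists the TLS 1.2 cipher suites that authenticate with RSA rather than ECDSA, the kind of list an RSA-only cipher configuration is built from. The work directory, key file names and the CN vpn.example.com are constructed values.

```shell
# Added example (not from the original post): report a CSR's key and
# signature algorithm before sending it to a CA, and list the TLS 1.2
# cipher suites whose authentication is RSA rather than ECDSA.
# Needs the openssl CLI. Work directory and CN are constructed values.
set -eu
WORK="${TMPDIR:-/tmp}/csr-check.$$"
mkdir -p "$WORK"
trap 'rm -rf "$WORK"' EXIT

# Generate key + CSR; $1 = "ec" (P-256) or "rsa" (2048-bit), $2 = CN. Prints CSR path.
make_csr() {
    case "$1" in
        ec)  keyopts="-newkey ec -pkeyopt ec_paramgen_curve:prime256v1" ;;
        rsa) keyopts="-newkey rsa:2048" ;;
        *)   echo "unknown key type: $1" >&2; return 1 ;;
    esac
    # $keyopts is intentionally unquoted so it expands to several arguments
    openssl req -new $keyopts -nodes -subj "/CN=$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
    echo "$WORK/$1.csr"
}

# Public key algorithm of a CSR: rsaEncryption or id-ecPublicKey
csr_key_algorithm() {
    openssl req -in "$1" -noout -text |
        awk -F': ' '/Public Key Algorithm/ { print $2; exit }'
}

# Signature algorithm of a CSR, e.g. sha256WithRSAEncryption or ecdsa-with-SHA256
csr_sig_algorithm() {
    openssl req -in "$1" -noout -text |
        awk -F': ' '/Signature Algorithm/ { print $2; exit }'
}

# Succeeds only for an RSA-keyed CSR, the kind an RSA-only CA will accept
csr_is_rsa() {
    [ "$(csr_key_algorithm "$1")" = "rsaEncryption" ]
}

# TLS 1.2 suites with RSA authentication (Au=RSA); ECDSA suites, which
# would lead a server to present an EC certificate, are left out
rsa_auth_ciphers() {
    openssl ciphers -v 'TLSv1.2' | awk '$4 == "Au=RSA" { print $1 }'
}

for kt in ec rsa; do
    csr=$(make_csr "$kt" vpn.example.com)
    printf '%s CSR: key=%s sig=%s\n' "$kt" \
        "$(csr_key_algorithm "$csr")" "$(csr_sig_algorithm "$csr")"
done
```

The ASA's custom cipher strings use OpenSSL-style suite names, so the output of rsa_auth_ciphers is a starting vocabulary for one (the ASA supports only a subset of them).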
Want to learn more about elliptic curve cryptography? Take a look at this primer.