Cisco ASAs and RSASSA-PSS

I ran into a weird issue recently where I was trying to import a CA cert for certificate auth with AnyConnect but the ASA wouldn’t take it. This CA cert was part of a two-tier Microsoft CA, so maybe I had an issue with the chain. Nope. Cert expired? Nope. CRL URL not available? Nope.

Since all of the usual culprits weren’t checking out, I enabled a debug crypto ca 14 on the ASA and took a look at the logs while attempting to import the cert. Here’s what I saw.

A search on Error #705h led me to a Cisco bug report detailing a lack of support on the ASA platform for the RSASSA-PSS algorithm. This signature scheme is defined in RFC 3447 and was meant to address some limitations in certificate authorities at the time. While the standard has been around since 2002, it still lacks broad support.
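The quickest way to know whether a CA cert is going to hit this is to look at its outer signatureAlgorithm before feeding it to the ASA. The following is an added example (not from the original post, not Cisco or Microsoft code): a small DER walker that pulls the signature algorithm OID out of a PEM or DER certificate and names it, with RSASSA-PSS (OID 1.2.840.113549.1.1.10) being the one the ASA rejects. The sample "certificates" at the bottom are constructed skeletons just big enough for the parser, not real certs; the OID table and the DER encoding rules are standard.

```python
"""Report the signature algorithm of an X.509 certificate so PSS-signed CA certs
can be spotted before an import attempt (added example, pure standard library)."""
import base64
import re

# Signature algorithm OIDs from PKCS #1 (RFC 3447 / RFC 4055) that matter here.
SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.10": "RSASSA-PSS",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
}
PSS_OID = "1.2.840.113549.1.1.10"


def _read_tlv(buf, pos):
    """Decode one DER tag-length-value at pos; return (tag, content, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(raw):
    """Turn the content bytes of an OBJECT IDENTIFIER into dotted-decimal text."""
    arcs = [raw[0] // 40, raw[0] % 40]
    value = 0
    for b in raw[1:]:                      # base-128, high bit set on all but the last byte
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def pem_to_der(data):
    """Accept either PEM or DER bytes and return DER bytes."""
    m = re.search(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", data, re.S)
    if m:
        return base64.b64decode(b"".join(m.group(1).split()))
    return data


def signature_algorithm(cert):
    """Return (dotted OID, name) of the certificate's outer signatureAlgorithm."""
    der = pem_to_der(cert)
    tag, cert_body, _ = _read_tlv(der, 0)          # Certificate ::= SEQUENCE
    assert tag == 0x30, "not a DER SEQUENCE"
    _, _, pos = _read_tlv(cert_body, 0)            # skip tbsCertificate
    tag, alg_id, _ = _read_tlv(cert_body, pos)     # signatureAlgorithm ::= AlgorithmIdentifier
    assert tag == 0x30, "AlgorithmIdentifier is not a SEQUENCE"
    tag, oid_raw, _ = _read_tlv(alg_id, 0)         # algorithm OBJECT IDENTIFIER
    assert tag == 0x06, "expected an OID"
    oid = _decode_oid(oid_raw)
    return oid, SIGNATURE_OIDS.get(oid, "unknown")


def is_pss_signed(cert):
    """True when the certificate is signed with RSASSA-PSS (the case the ASA rejects)."""
    return signature_algorithm(cert)[0] == PSS_OID


# --- constructed sample input (not valid certificates, only the outer shape) ---
def _tlv(tag, content):
    """Encode a short-form DER TLV (content under 128 bytes)."""
    return bytes([tag, len(content)]) + content


def constructed_cert(oid_der, params):
    """Build a minimal Certificate SEQUENCE: empty tbs, AlgorithmIdentifier, empty BIT STRING."""
    return _tlv(0x30, _tlv(0x30, b"") + _tlv(0x30, _tlv(0x06, oid_der) + params) + _tlv(0x03, b"\x00\x00"))


SAMPLE_PSS = constructed_cert(bytes.fromhex("2a864886f70d01010a"), _tlv(0x30, b""))  # PSS, SEQUENCE params
SAMPLE_RSA = constructed_cert(bytes.fromhex("2a864886f70d01010b"), _tlv(0x05, b""))  # sha256WithRSA, NULL params


def to_pem(der):
    """Wrap DER bytes in a PEM envelope (used to exercise the PEM path)."""
    return b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der).replace(b"\n", b"") + b"\n-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    import sys
    with open(sys.argv[1], "rb") as fh:
        oid, name = signature_algorithm(fh.read())
    print(f"{name} ({oid})" + (" - RSASSA-PSS, which the ASA bug report says is unsupported" if oid == PSS_OID else ""))
```

Run it against the exported CA cert (`python check_sig.py root-ca.cer`); a result of RSASSA-PSS means the import will fail on the ASA regardless of chain, expiry or CRL reachability. The parser only reads the outer signatureAlgorithm, which is all the ASA check needs; it does not validate the certificate.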

Even though it is a little-supported cryptography standard, Microsoft has included it in the default CAPolicy.inf files found in their standard TechNet articles for configuring a Microsoft CA. In my case, it wasn’t the end of the world. I just had to disable the Alternate Certificate Algorithm and then reissue the CA certs. It will take a while for all of the clients to check in and request new certs based on SHA256, but it’ll happen eventually.
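The CAPolicy.inf line behind this is `AlternateSignatureAlgorithm` under `[certsrv_server]` (Microsoft's documented key name for the setting the post calls the Alternate Certificate Algorithm; `1` makes the CA sign with RSASSA-PSS, `0` reverts to PKCS #1 v1.5). The following is an added example, not from the original post or from Microsoft: a check that flags the weak setting in a CAPolicy.inf and writes the corrected file, with a constructed sample that mirrors the layout of the TechNet template.

```python
"""Flag and fix AlternateSignatureAlgorithm=1 in a Microsoft CA's CAPolicy.inf
(added example; the key name comes from Microsoft's CAPolicy.inf syntax)."""
import configparser
import re

# Constructed sample resembling the CAPolicy.inf in Microsoft's CA setup articles.
# The last line is the one that makes the CA issue RSASSA-PSS signed certificates.
SAMPLE_CAPOLICY = """\
[Version]
Signature="$Windows NT$"

[certsrv_server]
RenewalKeyLength=4096
RenewalValidityPeriodUnits=10
RenewalValidityPeriod=years
CRLPeriod=weeks
CRLPeriodUnits=1
AlternateSignatureAlgorithm=1
"""

SECTION = "certsrv_server"
KEY = "AlternateSignatureAlgorithm"


def alternate_signature_enabled(text):
    """True when [certsrv_server] sets AlternateSignatureAlgorithm=1 (PSS signatures on)."""
    cp = configparser.ConfigParser(interpolation=None)   # no %-interpolation of values
    cp.read_string(text)
    return cp.getint(SECTION, KEY, fallback=0) == 1


def disable_alternate_signature(text):
    """Return the file with AlternateSignatureAlgorithm forced to 0, leaving other lines as-is."""
    key_line = re.compile(rf"^(\s*{KEY}\s*=\s*)\S+", re.I | re.M)
    if key_line.search(text):
        return key_line.sub(r"\g<1>0", text)
    # Key absent: the default is already 0, but state it explicitly under the section.
    header = re.compile(rf"^(\[{SECTION}\]\s*\n)", re.I | re.M)
    if header.search(text):
        return header.sub(rf"\g<1>{KEY}=0\n", text, count=1)
    return text.rstrip("\n") + f"\n\n[{SECTION}]\n{KEY}=0\n"


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path, encoding="utf-8").read() if path else SAMPLE_CAPOLICY
    if alternate_signature_enabled(text):
        print(f"{KEY}=1 found: CA will sign with RSASSA-PSS; corrected file follows\n")
        print(disable_alternate_signature(text))
    else:
        print("AlternateSignatureAlgorithm is off; certificates use PKCS #1 v1.5 signatures")
```

CAPolicy.inf is read when the CA is installed and again when its CA certificate is renewed, so editing the file only takes effect at the renewal the post describes; on an already-running CA the same switch is the `ca\csp\AlternateSignatureAlgorithm` registry value (`certutil -setreg ca\csp\AlternateSignatureAlgorithm 0`, followed by a restart of the CA service).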

Word of caution: if you’re not sure of the impact, DO NOT regenerate your CA certs without a thorough review of the implications.