Well, the manuals are wrong ;-) The key size on the latest version of software is 2048 bits max.
It was not an allocation issue. One pointer though, if you have to recreate your CA on a Microsoft platform you may as well reformat the hard drive and start from scratch, as there is no de-install for the SCEP add-on to IIS so you have to de-install the CA, de-install IIS!, re-install IIS and the CA, then re-install SCEP, and even then your CA is going to be all F'd up. Somehow, I got to the point where you could only request "user" and "efs" certs, not "web server" or "server" certs like you can on another CA we have installed (same version of everything), plus you can't specify the OU, so you can't match that to a group name.

We are using OpenSSL just fine, even on a Windows box with cygwin. I hate Windows.

Fred Reimer - CCNA

Eclipsys Corporation, 200 Ashford Center North, Atlanta, GA 30338
Phone: 404-847-5177 Cell: 770-490-3071 Pager: 888-260-2050

NOTICE; This email contains confidential or proprietary information which may be legally privileged. It is intended only for the named recipient(s). If an addressing or transmission error has misdirected the email, please notify the author by replying to this message. If you are not the named recipient, you are not authorized to use, disclose, distribute, copy, print or rely on this email, and should immediately delete it from your computer.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Wednesday, August 06, 2003 5:01 AM
To: [EMAIL PROTECTED]
Subject: RE: Largest CA Keylength on VPN 3000 [7:73409]

Is it a size or allocation issue?

CSCdv48299

If fewer than three spots remain in the CA certificate store of a VPN 3000 Concentrator, and an attempt is made to install a CA certificate with associated RAs, then the RA or RAs are installed (filling the store) and the root certificate is not installed. This is incorrect behavior. Instead, the software should check to see if there is enough room in the store before installing a partial CA certificate.
Partial certificates should not be installed. If the RAs and the Root certificate cannot be installed, the software should install nothing.

Or just RTFM below?

Martijn

Key Size - man Yes scep Yes

The algorithm for generating the public-key/private-key pair, and the key size. If you are requesting an SSL certificate, or if you are requesting an identity certificate using SCEP, only the RSA options are available.

RSA 512 bits = Generate 512-bit keys using the RSA (Rivest, Shamir, Adleman) algorithm. This key size provides sufficient security and is the default selection. It is the most common, and requires the least processing.

RSA 768 bits = Generate 768-bit keys using the RSA algorithm. This key size provides normal security. It requires approximately 2 to 4 times more processing than the 512-bit key.

RSA 1024 bits = Generate 1024-bit keys using the RSA algorithm. This key size provides high security, and it requires approximately 4 to 8 times more processing than the 512-bit key.

man Yes scep No

DSA 512 bits = Generate 512-bit keys using DSA (Digital Signature Algorithm).

DSA 768 bits = Generate 768-bit keys using the DSA algorithm.

DSA 1024 bits = Generate 1024-bit keys using the DSA algorithm.

-----Original Message-----
From: Reimer, Fred [mailto:[EMAIL PROTECTED]
Sent: Saturday, August 2, 2003 14:49
To: [EMAIL PROTECTED]
Subject: Largest CA Keylength on VPN 3000 [7:73409]

Let's see if anyone here can answer faster than Cisco TAC. What is the largest CA root key length supported by the Cisco VPN Concentrator 3000 series hardware? I have a 4096 bit key and it won't accept the root key because it can't "validate" it.

Fred Reimer - CCNA

**Please support GroupStudy by purchasing from the GroupStudy Store: http://shop.groupstudy.com
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=73604&t=73409

