Cisco ASA Certificate Validation Failed: EE Key Is Too Small

%ASA-6-302021: Teardown TCP connection 1234567890 for outside:1.2.3.4/80 to inside:10.1.1.100/1234 duration 0:00:01 bytes 100 (TCP FINs)
New SSL connection request from outside:1.2.3.4/443 to inside:10.1.1.100/1234 (tcp_flags 0x2 0x0)
asa (CSC-aaa- vpn-4141) 255: Certificate validation failed: EE key is too small

crypto ca trustpoint NEW_TP
 keypair NEW_2048_KEY
 subject-name CN=yourdomain.com
 enrollment terminal


The ASA, when building the chain, used the older intermediate CA cert because it had a matching issuer name. It then checked the —but in the ASA’s validation logic, “EE key” in this context meant the public key of the end entity certificate presented by the client? No, actually the error is misleading: it refers to the server certificate’s own key being too small? Wait, not exactly.

On the ASA, use:

Modern security standards generally require a minimum RSA key size of 2048 bits. If your ASA is using an older 1024-bit key or if a restrictive "FUTURE" crypto policy is set (requiring 3072 bits), the validation will fail during the SSL/TLS handshake.

Common Scenarios