PKI Enrollment of Certificates with Weak-Crypto
The SHA-1 signature hashing algorithm and RSA key sizes smaller than 2048 bits are not supported for certificate enrollment on CDO and FTD Version 7.0 and higher. You cannot enroll certificates with RSA key sizes smaller than 2048 bits.
To override these restrictions on CDO 7.0 managing FTDs running versions earlier than 7.0, you can use the enable weak-crypto option on the FTD. We do not recommend permitting weak-crypto keys, because such keys are not as secure as keys of larger sizes.
Note | FTD 7.0 or higher does not support generating RSA keys with sizes smaller than 2048 bits even when you permit weak-crypto. |
To enable weak-crypto on the device, navigate to the Devices > Certificates page and click the Enable Weak-Crypto button shown next to the FTD device. When the weak-crypto option is enabled, the button changes to its enabled state. By default, the weak-crypto option is disabled.
Note | When a certificate enrollment fails due to weak-cipher usage, CDO displays a warning message prompting you to enable the weak-crypto option. Similarly, when you turn on the Enable Weak-Crypto button, CDO displays a warning message before enabling the weak-crypto configuration on the device. |
Upgrading Earlier Versions to FTD 7.0
When you upgrade to FTD 7.0, the existing certificate configurations are retained. However, if those certificates have RSA keys smaller than 2048 bits and use the SHA-1 signature algorithm, they cannot be used to establish VPN connections. You must either procure a certificate with RSA keys larger than 2048 bits or enable the permit weak-crypto option for VPN connections.
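A pre-upgrade audit of the two conditions described above (RSA key smaller than 2048 bits, SHA-1 signature) can be scripted against the text dump that `openssl x509 -noout -text` produces for each enrolled certificate. The following is an added example, not Cisco CDO or FTD code; it assumes the standard openssl field names (`Signature Algorithm`, `Public Key Algorithm`, `Public-Key: (N bit)`) and uses constructed, abridged sample dumps rather than real certificates.

```python
import re
import subprocess

# Enrollment rule described above for FTD 7.0+: RSA keys must be at least
# 2048 bits and SHA-1 signatures are not accepted.
MIN_RSA_BITS = 2048
SIG_RE = re.compile(r"Signature Algorithm:\s*(\S+)")
KEY_ALG_RE = re.compile(r"Public Key Algorithm:\s*(\S+)")
KEY_BITS_RE = re.compile(r"Public-Key:\s*\((\d+)\s*bit\)")

def weak_crypto_findings(cert_text: str) -> list:
    """Return the reasons an FTD 7.0+ enrollment would reject this certificate.

    cert_text is the output of `openssl x509 -noout -text`. An empty list
    means the key-size and signature-algorithm rules are satisfied.
    """
    findings = []
    sig = SIG_RE.search(cert_text)  # first match is the TBS signature field
    if sig and "sha1" in sig.group(1).lower():
        findings.append(f"SHA-1 signature algorithm ({sig.group(1)})")
    alg = KEY_ALG_RE.search(cert_text)
    bits = KEY_BITS_RE.search(cert_text)
    if alg and alg.group(1) == "rsaEncryption" and bits:
        size = int(bits.group(1))
        if size < MIN_RSA_BITS:
            findings.append(f"RSA key size {size} bits is smaller than {MIN_RSA_BITS}")
    return findings

def audit_pem(path: str) -> list:
    """Dump a PEM file with openssl and apply the same check (needs openssl)."""
    out = subprocess.run(["openssl", "x509", "-noout", "-text", "-in", path],
                         capture_output=True, text=True, check=True).stdout
    return weak_crypto_findings(out)

# Constructed sample dumps (abridged openssl output, not real certificates).
LEGACY_CERT = """Certificate:
    Data:
        Signature Algorithm: sha1WithRSAEncryption
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
"""
MODERN_CERT = """Certificate:
    Data:
        Signature Algorithm: sha256WithRSAEncryption
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
"""

if __name__ == "__main__":
    for name, text in (("legacy", LEGACY_CERT), ("modern", MODERN_CERT)):
        print(name, weak_crypto_findings(text) or "OK for FTD 7.0+ enrollment")
```

Any certificate that produces a non-empty finding list is one that, after the upgrade, will need replacing or the weak-crypto override before it can be used for VPN.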