This is an enhancement request to display the fingerprints of the generated CSR when doing manual enrollment. The CA needs this fingerprint out of band to validate that the CSR was generated by the correct client. Since the IOS CA server shows the MD5 hash of just the cleartext portion of a CSR, the enrollment command should show both the hash of the cleartext portion and the hash of the whole PKCS#10. Ideally the fingerprint should be shown for the commonly supported hashes: MD5, SHA1, SHA256.

An example workflow:

    R1(config)#crypto pki enroll ManualEnroll
    % Start certificate enrollment ..
    % The subject name in the certificate will include: cn=yahoooo
    % The subject name in the certificate will include: R1.cisco.com
    % Include the router serial number in the subject name? [yes/no]: no
    % Include an IP address in the subject name? [no]: no
    Display Certificate Request to terminal? [yes/no]: yes
    Certificate Request follows:

    MIIClTCCAX0CAQAwLzEQMA4GA1UEAxMHeWFob29vbzEbMBkGCSqGSIb3DQEJAhYM
    UjEuY2lzY28uY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAlV5p
    UYDAyhVt4vH/8EQIfkPZaFvw2bvN86ZkN4BP/zKWQuSpTDu0Ua1vYKWh8Xf+HNZ2
    5vtQgT4PK3ZeysxjOxzCc3EOaZeDqR7l3RkRufI7OWI7CHGRd8lsamk=
    ---End - This line not part of the certificate request---

    Fingerprint of CSR:
    MD5    Info portion : FEA12E2A2D4448785C57745A2521ABCD
    MD5    Total        : DED79E2A2D38B8785C57745A252196D8
    SHA1   Info portion : 0BEEC7B5EA3F0FDBC95D0DD47F3C5BC275DA8A33
    SHA1   Total        : 18A16D4530763EF43321D306C9F6C59FFED33072
    SHA256 Info portion : BB4ECA334F61AF3B67B5D528907D30285151610200539302F4C8CABE66225B53
    SHA256 Total        : 2C26B46B68FFC68FF99B453C1D30413413422D706483BFA0F98A5E886266E7AE

    Redisplay enrollment request? [yes/no]: no
    R1(config)#exit
IOS Using manual enrollment for PKI
Use OpenSSL to generate the hashes. Use "md5", "md5sum", "shasum" where appropriate.

Step 1) Take the CSR and remove the header and footer (the BEGIN and END CERTIFICATE REQUEST lines) and save to csr.txt

Step 2) Convert to binary:

    openssl req -in csr.txt -inform PEM -out signed_pkcs10.bin -outform DER

Step 3) Compute the signed CSR fingerprint:

    md5sum signed_pkcs10.bin

Step 4) Compute the unsigned CSR fingerprint:

    openssl asn1parse -in csr.txt -strparse 4 -out unsigned_pkcs10.bin
    md5sum unsigned_pkcs10.bin
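The same two fingerprints, "Info portion" (the CertificationRequestInfo that the signature covers, the element `-strparse 4` pulls out) and "Total" (the whole DER PKCS#10), computed for all three hash algorithms in one place. This is an added example, not Cisco's or OpenSSL's code: it takes the base64 exactly as IOS prints it (with or without the BEGIN/END armor) or a DER file, and walks the outer SEQUENCE header itself instead of assuming the 4-byte offset. The embedded sample CSR is a constructed stand-in with the real DER layout but dummy contents, so its digests are not the ones from the enrollment session above.

```python
import base64
import hashlib
import sys

def pem_to_der(text):
    """Decode the base64 body as IOS prints it; drop PEM armor lines and
    the '---End - This line not part of...' trailer if they are present."""
    lines = [l.strip() for l in text.splitlines()]
    body = [l for l in lines if l and not l.startswith("-----") and not l.startswith("---End")]
    return base64.b64decode("".join(body), validate=True)

def der_tlv_span(data, offset):
    """Return (header_len, content_len) of the DER TLV starting at offset."""
    if (data[offset] & 0x1F) == 0x1F:
        raise ValueError("multi-byte tags are not used in PKCS#10")
    first = data[offset + 1]
    if first < 0x80:                     # short form: one length byte
        return 2, first
    n = first & 0x7F                     # long form: n following length bytes
    if n == 0 or n > 4:
        raise ValueError("indefinite or oversized length is not valid DER")
    return 2 + n, int.from_bytes(data[offset + 2:offset + 2 + n], "big")

def csr_info_portion(der):
    """CertificationRequest ::= SEQUENCE { certificationRequestInfo, sigAlg, signature }
    Return the raw bytes of the first element, which is what the signature covers."""
    if der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    hdr, length = der_tlv_span(der, 0)
    if hdr + length != len(der):
        raise ValueError("truncated CSR or trailing bytes")
    if der[hdr] != 0x30:
        raise ValueError("first element is not CertificationRequestInfo")
    ihdr, ilen = der_tlv_span(der, hdr)
    return der[hdr:hdr + ihdr + ilen]

def fingerprints(data):
    return {alg: hashlib.new(alg, data).hexdigest().upper() for alg in ("md5", "sha1", "sha256")}

def csr_fingerprints(der):
    return {"info": fingerprints(csr_info_portion(der)), "total": fingerprints(der)}

# Constructed sample (hypothetical, not a real CSR): 256-byte dummy info body so the
# outer header is the 4-byte "30 82 xx xx" form seen on a real CSR; empty sigAlg/signature.
SAMPLE_INFO = b"\x30\x82\x01\x00" + b"\x05\x00" * 128
SAMPLE_DER = b"\x30\x82\x01\x09" + SAMPLE_INFO + b"\x30\x00" + b"\x03\x01\x00"
SAMPLE_PEM = base64.encodebytes(SAMPLE_DER).decode() + "---End - This line not part of the certificate request---\n"

if __name__ == "__main__":
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PEM.encode()
    der = raw if raw[:1] == b"\x30" else pem_to_der(raw.decode())
    fps = csr_fingerprints(der)
    for alg in ("md5", "sha1", "sha256"):
        print(f"{alg.upper():6} Info portion : {fps['info'][alg]}")
        print(f"{alg.upper():6} Total        : {fps['total'][alg]}")
```

Run it with the saved CSR (PEM or DER) as the only argument; the "Total" MD5 should match `md5sum signed_pkcs10.bin` and the "Info portion" MD5 should match `md5sum unsigned_pkcs10.bin` from the steps above.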