Blog: RSA

IE cannot connect to an HTTPS site if the certificate is using RSA keys smaller than 1024 bits.  This was preventing me from connecting (using IE9) to a device that had self-signed certificates with 768-bit RSA keys.  The issue was not affecting Firefox browsers.

 

There are several ways to get around this limitation, but the one I used was running the command “certutil -setreg chain\minRSAPubKeyBitLength 512”

 

Microsoft released a patch in August that you can read more about here: http://support.microsoft.com/kb/2661254
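Lowering the minimum applies to every certificate chain the machine builds, so it helps to know which certificates actually depend on the lower value. The following is an added example, not part of the original post: a Windows PowerShell sketch that reports RSA certificates in the local machine stores with keys below 1024 bits. The function name Test-RsaKeyLength is hypothetical, and the script assumes Windows PowerShell 5.1 with .NET Framework 4.6 or later.

```powershell
# Added example (not from the original post). Assumes Windows PowerShell 5.1
# and .NET Framework 4.6+. Test-RsaKeyLength is a hypothetical helper name.
function Test-RsaKeyLength {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,

        # Keys shorter than this many bits are flagged.
        [int]$MinimumBits = 1024
    )
    process {
        # Returns $null when the certificate's public key is not RSA.
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($Certificate)
        if ($null -eq $rsa) { return }
        try {
            [pscustomobject]@{
                # PSParentPath is only present on objects read from the Cert: drive.
                Store        = ("$($Certificate.PSParentPath)" -split '\\')[-1]
                Subject      = $Certificate.Subject
                Thumbprint   = $Certificate.Thumbprint
                KeyBits      = $rsa.KeySize
                NotAfter     = $Certificate.NotAfter
                BelowMinimum = $rsa.KeySize -lt $MinimumBits
            }
        }
        finally {
            $rsa.Dispose()
        }
    }
}

# Show the current override, if one was set with "certutil -setreg".
# certutil reports an error when the value has never been set.
certutil -getreg chain\minRSAPubKeyBitLength

# Walk every local machine store and keep only the certificates whose
# RSA key is below the minimum. Store containers are filtered out first
# because only certificate objects bind to the -Certificate parameter.
Get-ChildItem -Path Cert:\LocalMachine -Recurse |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509Certificate2] } |
    Test-RsaKeyLength -MinimumBits 1024 |
    Where-Object { $_.BelowMinimum } |
    Sort-Object KeyBits |
    Format-Table Store, Subject, KeyBits, NotAfter, Thumbprint -AutoSize
```

A certificate exported from a device can be checked the same way by loading the file into an X509Certificate2 object and piping it to the function.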


 

The other day I tried to take an old laptop from one of our auditors to use on an audit.  When the auditor got his new laptop he migrated his entire system partition to the new machine, then renamed the machine on the domain.  This had the effect of updating his domain machine account to the new machine, and essentially killing his old machine's ability to log on to the domain.  This might not be a huge deal, except the old machine was set up to use RSA. 

From my understanding, RSA kills access to local accounts.  So, without being able to log in with local accounts or domain accounts (since the machine account was essentially removed), the old laptop was pretty useless.  To work around the authentication issue I had to have the previous owner log in to the machine offline (i.e., with it unplugged from the network so cached credentials would be used).  I was then able to enroll one of my fingerprints under the auditor's account to allow me to use his old laptop offline for a few days before doing a full cleanup and rejoining the domain. 

So, the lesson to be learned is, if you are going to migrate an old system to a new system using the same old domain machine account, please go back after the process and clean up the old machine (remove RSA, rejoin the domain, reinstall RSA) so it will be useful to the next person.


 

A couple of months ago, I had a user who was having problems with the RSA SecurID App on the iPhone.  For some reason, his PIN was not hidden after he typed it in.  I found out there is a small “i” in the bottom right-hand corner of the app, and if you open it up, there is a little slide-bar that you can move to hide/unhide the PIN.


 

If you need to connect to a VPN that uses RSA’s SecurID authentication and you are using the RSA SecurID App on the iPhone, it can be tricky entering the SecurID passcode in the VPN connection dialog.  Fortunately, you can copy and paste the passcode on the iPhone.  Open the RSA SecurID app and enter your PIN.  Press and hold the passcode field until [Copy] appears.  Copy the passcode.  Initiate the VPN connection and paste the passcode in the appropriate field.


 

If you use the setup wizard for Cisco ASA appliances to allow SSH access, it doesn’t auto-generate a key.  It will create the access-rules, but you still won’t be able to SSH to the firewall until the key is generated.  The quickest way to generate the key is via the command:

crypto key generate rsa modulus modulus-size

Note: The modulus-size can be 512, 768, 1024, or 2048.  The value of 1024 is recommended.


 

The RSA iPhone app displays a PIN to use for logging into a protected server.  The displayed PIN consists of two 4-digit codes separated by a space.   When you enter the code, do not enter the space.   The RSA software wants the numbers in one continuous block.