Cisco ASA Certificate Validation Failed: EE Key Is Too Small

For AnyConnect users:

Modern operating systems and newer Cisco ASA software versions (9.x and later) enforce stricter cryptographic standards and reject certificates whose keys are too weak to be trusted. A legacy certificate with a small RSA key produces a log entry like the following:

%ASA-4-713903: Group <Group1> User <[email protected]> IP <192.168.1.100> Certificate validation failed. Certificate validation failed. (EE key is too small)

In the case described here, the ASA was configured for client certificate authentication (left enabled from an old configuration), and some remote users were still using old 512-bit or 1024-bit software certificates on their laptops. When those users connected, the ASA attempted to validate the client certificate and rejected it because the key size was too small. The confusing part was that the error appeared in the log at the same time as a new server identity certificate was installed, but the two events were unrelated: in this case the message refers to the end-entity (EE) certificate presented by the client, not to the ASA's own certificate.

When a user connects, each side validates the certificate the other presents: the AnyConnect client validates the ASA's identity certificate, and, if client certificate authentication is enabled, the ASA validates the user's end-entity (EE) certificate. If a certificate's key is below the validating side's minimum threshold, the connection is terminated with a certificate validation failure.

Historically, 512-bit and 1024-bit RSA keys were common. As computational power increased, 512-bit keys became practical to factor and 1024-bit keys ceased to offer an adequate safety margin. Modern security standards (NIST, NCSC, and industry best practice) mandate a minimum RSA key length (2048 bits in current NIST guidance) and specific strong curves for ECC (e.g., NIST P-256 or higher).

Look for entries like the 713903 message above, one per failed connection attempt, and note the user and IP each one carries.

One Monday morning, users started reporting that their AnyConnect VPN connections were failing. The ASA logs showed the same "Certificate validation failed (EE key is too small)" message for each affected user.
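To find out which users are still presenting weak client certificates, the following script (an added example, not taken from the original page or from Cisco) scans ASA syslog output for 713903 entries whose reason is "EE key is too small" and groups them by user and source IP. The log lines it contains are constructed for illustration: the usernames, group name and addresses are placeholders, the expiry reason shown for one user is hypothetical, and the parser assumes the "Group <...> User <...> IP <...>" layout shown above.

```python
import re
from collections import defaultdict

# Constructed sample syslog output (not captured from a real ASA). Usernames,
# the group name and the addresses are placeholders; the non-713903 lines and
# the "Certificate has expired" reason are there only to show that unrelated
# messages and other validation reasons are ignored.
SAMPLE_LOG = """\
%ASA-4-713903: Group <Group1> User <alice> IP <192.168.1.100> Certificate validation failed. Certificate validation failed. (EE key is too small)
%ASA-6-725002: Device completed SSL handshake with client outside:198.51.100.7/51234
%ASA-4-713903: Group <Group1> User <bob> IP <192.168.1.101> Certificate validation failed. Certificate validation failed. (EE key is too small)
%ASA-4-713903: Group <Group1> User <carol> IP <192.168.1.102> Certificate validation failed. Certificate validation failed. (Certificate has expired)
%ASA-4-713903: Group <Group1> User <alice> IP <203.0.113.9> Certificate validation failed. Certificate validation failed. (EE key is too small)
%ASA-6-717028: Certificate chain was successfully validated with warning, revocation status was not checked.
"""

# Matches the "Group <...> User <...> IP <...> <description>" layout of 713903.
LINE_RE = re.compile(
    r"%ASA-\d-713903: Group <(?P<group>[^>]*)> User <(?P<user>[^>]*)> "
    r"IP <(?P<ip>[^>]*)> (?P<msg>.*)$"
)

WEAK_KEY_REASON = "EE key is too small"


def parse_713903(line):
    """Return the fields of a 713903 line as a dict, or None for other lines."""
    m = LINE_RE.search(line)
    return m.groupdict() if m else None


def find_weak_ee_keys(log_text):
    """Group 'EE key is too small' failures by user.

    Returns {user: {"group": str, "ips": set of str, "count": int}} so the
    VPN team can see who still needs a re-issued client certificate and from
    which addresses they tried to connect.
    """
    hits = defaultdict(lambda: {"group": None, "ips": set(), "count": 0})
    for line in log_text.splitlines():
        fields = parse_713903(line)
        if fields is None or WEAK_KEY_REASON not in fields["msg"]:
            continue  # not a 713903 line, or a different validation reason
        rec = hits[fields["user"]]
        rec["group"] = fields["group"]
        rec["ips"].add(fields["ip"])
        rec["count"] += 1
    return dict(hits)


if __name__ == "__main__":
    for user, rec in sorted(find_weak_ee_keys(SAMPLE_LOG).items()):
        print(f"{user:10s} group={rec['group']} attempts={rec['count']} "
              f"from={', '.join(sorted(rec['ips']))}")
```

Run it against a syslog export from the ASA (or pipe `show logging` output into it) to get the list of users whose certificates must be re-issued with a 2048-bit or larger key; entries with other validation reasons are deliberately left out so they are not mistaken for the weak-key problem.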