Cisco ASA Site-to-Site IPsec VPN Digital Certificates

Hello Gary

This Cisco command line reference for the ASA states the following:

For SSH, existing smaller keys can continue to be used after upgrading to 9.16, but we recommend that you upgrade to a larger size, or to a higher security key type. For other features, these RSA keys cannot be used in 9.16 and later. You can use the crypto ca permit-weak-crypto command to allow use of existing smaller keys, but even with this command, you cannot generate new smaller RSA keys.

Due to the smaller size of keys used in versions prior to 9.16, your upgrade to 9.16 has rendered them unusable. You will have to recreate those keys in order to get it to work. Alternatively, you can use the crypto ca permit-weak-crypto command as suggested above, but it is not recommended.

I hope this has been helpful!

Laz
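
A pre-upgrade check for the situation described in the reply above, added here as an example and not part of the original post or of Cisco's tooling: it reads saved `show crypto key mypubkey rsa` output and lists the key pairs that would need regenerating. The output layout in the sample and the 2048-bit minimum are assumptions (the reply only says "smaller keys"), so adjust both to what your device prints and what the release notes for your target version require.

```python
import re

# Assumption: 2048 bits as the minimum RSA modulus; the page only says "smaller keys".
MIN_RSA_BITS = 2048

# Constructed sample, shaped like `show crypto key mypubkey rsa` output (layout assumed).
SAMPLE_OUTPUT = """\
Key pair was generated at: 10:02:11 UTC Mar 4 2015
Key name: <Default-RSA-Key>
 Usage: General Purpose Key
 Modulus Size (bits): 1024
 Key Data:
  30819f30 0d06092a 864886f7
Key pair was generated at: 09:15:40 UTC Jun 2 2021
Key name: VPN-S2S-KEY
 Usage: General Purpose Key
 Modulus Size (bits): 4096
 Key Data:
  30820222 300d0609 2a864886
"""

KEY_NAME = re.compile(r"^\s*Key name:\s*(.+?)\s*$")
MODULUS = re.compile(r"^\s*Modulus Size \(bits\):\s*(\d+)\s*$")

def parse_key_pairs(text):
    """Return [(key_name, modulus_bits)]; bits is None if no size line followed the name."""
    pairs = []
    for line in text.splitlines():
        m = KEY_NAME.match(line)
        if m:
            pairs.append([m.group(1), None])  # new key pair starts here
            continue
        m = MODULUS.match(line)
        if m and pairs and pairs[-1][1] is None:
            pairs[-1][1] = int(m.group(1))
    return [tuple(p) for p in pairs]

def weak_keys(text, min_bits=MIN_RSA_BITS):
    """Names of key pairs below min_bits, or whose size could not be read (fail closed)."""
    return [name for name, bits in parse_key_pairs(text)
            if bits is None or bits < min_bits]

if __name__ == "__main__":
    for name in weak_keys(SAMPLE_OUTPUT):
        print(f"regenerate before relying on it in 9.16+: {name}")
```

A key pair whose size line is missing is reported as weak so that a truncated capture does not hide an undersized key.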