Cisco crypto key generate rsa


Cisco IOS Security Command Reference: Commands A to C, Cisco IOS XE Release 3SE (Catalyst 3850 Switches)


crypto key generate rsa

To generate Rivest, Shamir, and Adleman (RSA) key pairs, use the crypto key generate rsa command in global configuration mode.

crypto key generate rsa [ general-keys

(Optional) Specifies that a general-purpose key pair will be generated, which is the default.

(Optional) Specifies that RSA special-usage key pairs, one encryption pair and one signature pair, will be generated.

(Optional) Specifies that the RSA public key generated will be a signature special-usage key.

(Optional) Specifies that the RSA public key generated will be an encryption special-usage key.

(Optional) Specifies the name that is used for an RSA key pair when it is being exported.

If a key label is not specified, the fully qualified domain name (FQDN) of the router is used.

(Optional) Specifies that the RSA key pair can be exported to another Cisco device, such as a router.

(Optional) Specifies the IP size of the key modulus.

By default, the modulus of a certification authority (CA) key is 1024 bits. The recommended modulus for a CA key is 2048 bits. The range of a CA key modulus is from 350 to 4096 bits.

Effective with Cisco IOS XE Release 2.4 and Cisco IOS Release 15.1(1)T, the maximum key size was expanded to 4096 bits for private key operations. The maximum for private key operations prior to these releases was 2048 bits.

(Optional) Specifies the key storage location. The name of the storage device is followed by a colon (:).

(Optional) Specifies that the key should be synchronized to the standby CA.

(Optional) Specifies that the RSA key pair will be created on the specified device, including a Universal Serial Bus (USB) token, local disk, or NVRAM. The name of the device is followed by a colon (:).

Keys created on a USB token must be 2048 bits or less.

Command Default

RSA key pairs do not exist.

Command Modes

Global configuration

Command History

This command was introduced.

The key-label argument was added.

The exportable keyword was added.

This command was integrated into Cisco IOS Release 12.2(18)SXD.

The storage keyword and devicename : argument were added.

This command was integrated into Cisco IOS Release 12.2(33)SRA.

The storage keyword and devicename : argument were implemented on the Cisco 7200VXR NPE-G2 platform.

The signature, encryption and on keywords and devicename : argument were added.

Support for IPv6 Secure Neighbor Discovery (SeND) was added.

The maximum RSA key size was expanded from 2048 to 4096 bits for private key operations.

This command was modified. The redundancy keyword was introduced.

This command was modified. The range value for the modulus keyword value is extended from 360 to 2048 bits to 360 to 4096 bits.

This command was implemented on the Cisco ME 2600X Series Ethernet Access Switches.

Usage Guidelines

Security threats, as well as the cryptographic technologies to help protect against them, are constantly changing. For more information about the latest Cisco cryptographic recommendations, see the Next Generation Encryption (NGE) white paper.

Use this command to generate RSA key pairs for your Cisco device (such as a router).

RSA keys are generated in pairs: one public RSA key and one private RSA key.

If your router already has RSA keys when you issue this command, you will be warned and prompted to replace the existing keys with new keys.

Before issuing this command, ensure that your router has a hostname and IP domain name configured (with the hostname and ip domain-name commands). You will be unable to complete the crypto key generate rsa command without a hostname and IP domain name. (This situation is not true when you generate only a named key pair.)

Secure Shell (SSH) may generate an additional RSA key pair if you generate a key pair on a router having no RSA keys. The additional key pair is used only by SSH and will have a name such as router_FQDN .server. For example, if a router name is “,” the key name is “”

This command is not saved in the router configuration; however, the RSA keys generated by this command are saved in the private configuration in NVRAM (which is never displayed to the user or backed up to another device) the next time the configuration is written to NVRAM.

If the configuration is not saved to NVRAM, the generated keys are lost on the next reload of the router.

There are two mutually exclusive types of RSA key pairs: special-usage keys and general-purpose keys. When you generate RSA key pairs, you will be prompted to select either special-usage keys or general-purpose keys.

If you generate special-usage keys, two pairs of RSA keys will be generated. One pair will be used with any Internet Key Exchange (IKE) policy that specifies RSA signatures as the authentication method, and the other pair will be used with any IKE policy that specifies RSA encrypted keys as the authentication method.

A CA is used only with IKE policies specifying RSA signatures, not with IKE policies specifying RSA-encrypted nonces. (However, you could specify more than one IKE policy and have RSA signatures specified in one policy and RSA-encrypted nonces in another policy.)

If you plan to have both types of RSA authentication methods in your IKE policies, you may prefer to generate special-usage keys. With special-usage keys, each key is not unnecessarily exposed. (Without special-usage keys, one key is used for both authentication methods, increasing the exposure of that key.)

If you generate general-purpose keys, only one pair of RSA keys will be generated. This pair will be used with IKE policies specifying either RSA signatures or RSA encrypted keys. Therefore, a general-purpose key pair might get used more frequently than a special-usage key pair.

If you generate a named key pair using the key-label argument, you must also specify the usage-keys keyword or the general-keys keyword. Named key pairs allow you to have multiple RSA key pairs, enabling the Cisco IOS software to maintain a different key pair for each identity certificate.

When you generate RSA keys, you will be prompted to enter a modulus length. The longer the modulus, the stronger the security. However, a longer modulus takes longer to generate (see the table below for sample times) and takes longer to use.

Cisco IOS software does not support a modulus greater than 4096 bits. A length of less than 512 bits is normally not recommended. In certain situations, the shorter modulus may not function properly with IKE, so we recommend using a minimum modulus of 2048 bits.

As of Cisco IOS Release 12.4(11)T, peer public RSA key modulus values up to 4096 bits are automatically supported. The largest private RSA key modulus is 4096 bits. Therefore, the largest RSA private key a router may generate or import is 4096 bits. However, RFC 2409 restricts the private key size to 2048 bits or less for RSA encryption. The recommended modulus for a CA is 2048 bits; the recommended modulus for a client is 2048 bits.

Additional limitations may apply when RSA keys are generated by cryptographic hardware. For example, when RSA keys are generated by the Cisco VPN Services Port Adapter (VSPA), the RSA key modulus must be at least 384 bits and must be a multiple of 64.
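The modulus limits above, applied as an added example (not Cisco code): a Python check for `crypto key generate rsa` lines kept in runbooks or automation scripts, since the command itself is not saved in the router configuration. The function names, the `vspa` flag and the sample lines are assumptions made for this example; the USB token limit comes from the syntax description.

```python
import re

# Keywords named on this page: those taking an argument, and bare flags.
_WITH_ARG = {"label", "modulus", "storage", "on"}
_FLAGS = {"general-keys", "usage-keys", "signature", "encryption",
          "exportable", "redundancy"}

# Constructed sample lines (not taken from a real device).
SAMPLES = [
    "crypto key generate rsa general-keys label ms2 modulus 1024 on usbtoken0:",
    "crypto key generate rsa usage-keys modulus 4096 on usbtoken0:",
    "crypto key generate rsa general-keys modulus 2048",
]

def parse_keygen(line):
    """Parse one 'crypto key generate rsa ...' line into a dict, or None."""
    m = re.match(r"\s*crypto key generate rsa\b(.*)", line)
    if not m:
        return None
    opts, toks, i = {}, m.group(1).split(), 0
    while i < len(toks):
        t = toks[i]
        if t in _WITH_ARG and i + 1 < len(toks):
            opts[t] = toks[i + 1]
            i += 2
        elif t in _FLAGS:
            opts[t] = True
            i += 1
        else:
            raise ValueError(f"unrecognized or incomplete token {t!r}")
    return opts

def audit(line, vspa=False):
    """Return findings for one command line, using the limits stated above."""
    opts = parse_keygen(line)
    if opts is None:
        return []  # not a key-generation command
    if "modulus" not in opts:
        return ["no modulus given: the size will be prompted for"]
    bits, out = int(opts["modulus"]), []
    if bits > 4096:
        out.append("modulus above 4096 bits is not supported")
    if bits < 2048:
        out.append("modulus below the recommended 2048-bit minimum")
    if opts.get("on", "").startswith("usbtoken") and bits > 2048:
        out.append("keys created on a USB token must be 2048 bits or less")
    if vspa and (bits < 384 or bits % 64):
        out.append("VSPA requires at least 384 bits and a multiple of 64")
    return out

if __name__ == "__main__":
    for s in SAMPLES:
        print(s, "->", audit(s) or "ok")
```
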

Specifying a Storage Location for RSA Keys

When you issue the crypto key generate rsa command with the storage devicename : keyword and argument, the RSA keys will be stored on the specified device. This location will supersede any crypto key storage command settings.

Specifying a Device for RSA Key Generation

As of Cisco IOS Release 12.4(11)T and later releases, you may specify the device where RSA keys are generated. Devices supported include NVRAM, local disks, and USB tokens. If your router has a USB token configured and available, the USB token can be used as a cryptographic device in addition to a storage device. Using a USB token as a cryptographic device allows RSA operations such as key generation, signing, and authentication of credentials to be performed on the token. The private key never leaves the USB token and is not exportable. The public key is exportable.

RSA keys may be generated on a configured and available USB token by using the on devicename : keyword and argument. Keys that reside on a USB token are saved to persistent token storage when they are generated. The number of keys that can be generated on a USB token is limited by the space available. If you attempt to generate keys on a USB token and it is full, you will receive the following message:

Key deletion will remove the keys stored on the token from persistent storage immediately. (Keys that do not reside on a token are saved to or deleted from nontoken storage locations when the copy or similar command is issued.)

For information on configuring a USB token, see the “ Storing PKI Credentials ” chapter in the Cisco IOS Security Configuration Guide, Release 12.4T. For information on using on-token RSA credentials, see the “ Configuring and Managing a Cisco IOS Certificate Server for PKI Deployment ” chapter in the Cisco IOS Security Configuration Guide, Release 12.4T.

Specifying RSA Key Redundancy Generation on a Device

You can specify redundancy for existing keys only if they are exportable.

The following example generates a general-usage 1024-bit RSA key pair on a USB token with the label “ms2” with crypto engine debugging messages shown:

Now, the on-token keys labeled “ms2” may be used for enrollment.

The following example generates special-usage RSA keys:

The following example generates general-purpose RSA keys:

You cannot generate both special-usage and general-purpose keys; you can generate only one or the other.

The following example generates the general-purpose RSA key pair “exampleCAkeys”:

The following example specifies the RSA key storage location of “usbtoken0:” for “tokenkey1”:

crypto key generate rsa general-keys label tokenkey1 storage usbtoken0:

The following example specifies the redundancy keyword:

The name for the keys will be: MYKEYS

Choose the size of the key modulus in the range of 360 to 2048 for your

General Purpose Keys. Choosing a key modulus greater than 512 may take

How many bits in the modulus [512]:

% Generating 512 bit RSA keys, keys will be non-exportable with redundancy…[OK]

Related Commands

Copies any file from a source to a destination; use the copy command in privileged EXEC mode.

Sets the default storage location for RSA key pairs.

Displays debug messages about crypto engines.

Specifies or modifies the hostname for the network server.

Defines a default domain name to complete unqualified hostnames (names without a dotted-decimal domain name).

show crypto key mypubkey rsa

Displays the RSA public keys of your router.

show crypto pki certificates

Displays information about your PKI certificate, certification authority, and any registration authority certificates.