crypto key generate rsa

To generate Rivest, Shamir, and Adleman (RSA) key pairs, use the crypto key generate rsa command in global configuration mode.

Syntax Description

- general-keys: (Optional) Specifies that a general-purpose key pair will be generated, which is the default.
- usage-keys: (Optional) Specifies that two RSA special-usage key pairs, one encryption pair and one signature pair, will be generated.
- signature: (Optional) Specifies that the RSA public key generated will be a signature special-usage key.
- encryption: (Optional) Specifies that the RSA public key generated will be an encryption special-usage key.
- label key-label: (Optional) Specifies the name that is used for an RSA key pair when it is being exported. If a key label is not specified, the fully qualified domain name (FQDN) of the router is used.
- exportable: (Optional) Specifies that the RSA key pair can be exported to another Cisco device, such as a router.
- modulus modulus-size: (Optional) Specifies the size of the key modulus. By default, the modulus of a certification authority (CA) key is 1024 bits. The recommended modulus for a CA key is 2048 bits. The range of a CA key modulus is from 350 to 4096 bits. Effective with Cisco IOS XE Release 2.4 and Cisco IOS Release 15.1(1)T, the maximum key size was expanded to 4096 bits for private key operations. The maximum for private key operations prior to these releases was 2048 bits.
- storage devicename: (Optional) Specifies the key storage location. The name of the storage device is followed by a colon (:).
- redundancy: (Optional) Specifies that the key should be synchronized to the standby CA.
- on devicename: (Optional) Specifies that the RSA key pair will be created on the specified device, including a Universal Serial Bus (USB) token, local disk, or NVRAM. The name of the device is followed by a colon (:). Keys created on a USB token must be 2048 bits or less.

Command History

- This command was integrated into Cisco IOS Release 12.2(18)SXD.
- The storage keyword and devicename: argument were added.
- This command was integrated into Cisco IOS Release 12.2(33)SRA.
- The storage keyword and devicename: argument were implemented on the Cisco 7200VXR NPE-G2 platform.
- Support for IPv6 Secure Neighbor Discovery (SeND) was added.
- The maximum RSA key size was expanded from 2048 to 4096 bits for private key operations.
- The modulus keyword value range was extended from 360 to 2048 bits to 360 to 4096 bits.
- This command was implemented on the Cisco ME 2600X Series Ethernet Access Switches.

Usage Guidelines

Security threats, as well as the cryptographic technologies to help protect against them, are constantly changing. For more information about the latest Cisco cryptographic recommendations, see the Next Generation Encryption (NGE) white paper.

Use this command to generate RSA key pairs for your Cisco device (such as a router). RSA keys are generated in pairs: one public RSA key and one private RSA key.

Before issuing this command, ensure that your router has a hostname and IP domain name configured (with the …). You will be unable to complete the crypto key generate rsa command without a hostname and IP domain name. If your router already has RSA keys when you issue this command, you will be warned and prompted to replace the existing keys with new keys.

Secure Shell (SSH) may generate an additional RSA key pair if you generate a key pair on a router having no RSA keys. (This situation is not true when you generate only a named key pair.) The additional key pair is used only by SSH and will have a name such as . For example, if a router name is “,” the key name is “.”

This command is not saved in the router configuration; however, the RSA keys generated by this command are saved in the private configuration in NVRAM (which is never displayed to the user or backed up to another device) the next time the configuration is written to NVRAM. If the configuration is not saved to NVRAM, the generated keys are lost on the next reload of the router.

There are two mutually exclusive types of RSA key pairs: special-usage keys and general-purpose keys. When you generate RSA key pairs, you will be prompted to select either special-usage keys or general-purpose keys.
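The following session is an added illustration, not an example from the Cisco command reference: it walks through the prerequisites the guidelines above call out (hostname and IP domain name), generates a general-purpose pair with an explicit label and the recommended 2048-bit modulus, and then saves the configuration so the keys survive a reload. The hostname R1, the domain example.com, the label SSH-KEY and the prompt text shown after the generate command are assumed for illustration.

```cisco
! Added example session (not from the original reference page). Hostname,
! domain name, key label and the echoed prompt text are illustrative.
Router# configure terminal
Router(config)# hostname R1
R1(config)# ip domain-name example.com
! A general-purpose pair with an explicit label and a 2048-bit modulus.
! Without a label the key would be named after the FQDN, R1.example.com.
! Keys are non-exportable unless the exportable keyword is given.
R1(config)# crypto key generate rsa general-keys label SSH-KEY modulus 2048
The name for the keys will be: SSH-KEY
% The key modulus size is 2048 bits
% Generating 2048 bit RSA keys, keys will be non-exportable...
[OK]
R1(config)# end
! The generate command itself never appears in running-config; the key pair
! is written to the private configuration in NVRAM only on save, so save
! before any reload or the keys are lost.
R1# copy running-config startup-config
! Verify the public half and the key name that SSH and PKI will reference.
R1# show crypto key mypubkey rsa
```

Two checks worth making after a session like this: confirm with show crypto key mypubkey rsa that the expected key name (the label, or the FQDN when no label was given) is present, and remember that a pair destined for a USB token (the on keyword) is limited to 2048 bits, so a larger modulus must be stored elsewhere.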