
crypto key generate rsa - Cisco


Transcription of crypto key generate rsa - Cisco

Cisco IOS Security Command Reference: Commands A to C, Cisco IOS XE Release 3SE (Catalyst 3850 Switches)

crypto key generate rsa

To generate Rivest, Shamir, and Adleman (RSA) key pairs, generate rsa [general-keys | usage-keys | signature | encryption] [label key-label] [exportable] [modulus modulus-size] [storage devicename:] [redundancy] [on devicename:]

Syntax Description

(Optional) Specifies that a general-purpose key pair will be generated, which is the
(Optional) Specifies that two RSA special-usage key pairs, one encryption pair and one signature pair, will be
(Optional) Specifies that the RSA public key generated will be a signature special usage
(Optional) Specifies that the RSA public key generated will be an encryption special usage
(Optional) Specifies the name that is used for an RSA key pair when they are being a key label is not specified, the fully qualified domain name (FQDN) of the router is
(Optional)

Specifies that the RSA key pair can be exported to another Cisco device, such as a
(Optional) Specifies the IP size of the key default, the modulus of a certification authority (CA) key is 1024 bits. The recommended modulus for a CA key is 2048 bits. The range of a CA key modulus is from 350 to 4096 Cisco IOS XE Cisco IOS (1)T, the maximum key size was expanded to 4096 bits for private key private key operations prior to these releases was 2048
(Optional) Specifies the key (:).
storage devicename: (Optional) Specifies that the key should be synchronized to the
(Optional) Specifies that the RSA key pair will be created on the specified device, including a Universal Serial Bus (USB) token, local disk, of the device is followed by a colon (:).

Keys created on a USB token must be 2048 bits :

Command Default

RSA key pairs do not

Modes

Global configuration

Command History

Modification Release This command was (8)T The exportable keyword was (15)T This command was integrated into Cisco IOS (18) (18)SXD The storage keyword and devicename: argument were (4)T This command was integrated into Cisco IOS (33) (33)SRA The storage keyword and devicename: argument were implemented on the Cisco , encryption and on keywords and devicename: argument were (11)T Support for IPv6 Secure Neighbor Discovery (SeND) was (24)T The maximum RSA key size was expanded from 2048 to 4096 bits for private key command was (1)M This command was range value for the modulus keyword value is extended from 360 to 2048 bits to 360 to 4096 (1)T This command was implemented on the Cisco ME 2600 X Series (2)SA2

Usage Guidelines

Security threats, as well as the cryptographic technologies to help protect against them, are more information about the latest Cisco cryptographic recommendations, see the Next Generation Encryption (NGE) white this command to generate RSA key pairs for your Cisco device (such as a router). RSA keys are generated in pairs--one public RSA key and one private RSA your router already has RSA keys when you issue this command, you will be warned and prompted to replace the existing keys with new command, ensure that your router has a hostname and IP domain name configured (with the hostname and ip domain-name commands).

You will be unable to complete the crypto key generate rsa command without a hostname and IP domain name. (This situation is not true when you generate only a named key pair.)

Note: Secure Shell (SSH) may generate an additional RSA key pair if you generate a key pair on a router having no RSA keys. The additional key pair is used only by SSH and will have a name such as {router_FQDN}. , if a router name is , the key name is

Note: This command is not saved in the router configuration; however, the RSA keys generated by this command are saved in the private configuration in NVRAM (which is never displayed to the user or backed up to another device) the next time the configuration is written to the configuration is not saved to NVRAM, the generated keys are lost on the next reload of the , you generate special-usage keys, two pairs of RSA keys will be pair will be used with any Internet Key Exchange (IKE)

policy that specifies RSA signatures as the authentication method, and the other pair will be used with any IKE policy that specifies RSA encrypted keys as the CA is used only with IKE policies specifying RSA signatures, not with IKE policies specifying RSA-encrypted nonces. (However, you could specify more than one IKE policy and have RSA signatures specified in one policy and RSA-encrypted nonces in another policy.) If you plan to have both types of RSA authentication methods in your IKE policies, you may prefer to generate special-usage keys. With special-usage keys, each key is not unnecessarily exposed. (Without special-usage keys, one key is used for both authentication methods, increasing the exposure of that key.)

General-Purpose Keys

If you generate general-purpose keys, only one pair of RSA keys will be pair will be , a general-purpose key pair might get used more frequently than a special-usage key

Pairs

If you generate a named key pair using the key-label argument, , enabling the Cisco IOS software to maintain a different key pair for each you generate RSA keys, you will be prompted to enter a longer the modulus, the stronger the security. However a longer modulus takes longer to generate (see the table below for sample times) and takes longer to

1: Sample Times by Modulus Length to generate RSA Keys

Router     | 360 bits           | 512 bits   | 1024 bits             | 2048 bits (maximum)
Cisco 2500 | 11 seconds         | 20 seconds | 4 minutes, 38 seconds | More than 1 hour
Cisco      | Less than 1 second | 1 second   | 4 seconds             | 50 seconds

certain situations, the shorter modulus may not function properly with IKE, so we recommend using a minimum modulus of 2048 (11)T, largest private RSA key modulus is 4096 bits.

Therefore, the largest RSA private key a router may generate or import is 4096 bits. However, RFC 2409 restricts the private key size to 2048 ; the recommended modulus for a client is 2048 apply when RSA keys are generated by example, when RSA keys are generated by the Cisco VPN Services Port Adapter (VSPA), the RSA key modulus must be a minimum of 384 bits and must be a multiple of

Storage Location for RSA Keys

When you issue the crypto key generate rsa command with the storage devicename: keyword and argument, the RSA keys will be stored on the location will supersede any crypto key

Device for RSA Key Generation

As of Cisco IOS (11)T and later releases, you may specify the device where RSA keys , local disks, and USB your router has a USB token configured and available, the USB token can be used as cryptographic device in addition to a a USB token as a cryptographic device allows RSA operations such as key generation, signing, and authentication of credentials to be performed on the token.

The private key never leaves the USB token and is not public key is

RSA keys may be generated on a configured and available USB token, by the use of the on devicename: keyword and that reside on a USB token are saved to persistent token storage when they number of keys that can be generated on a USB token is limited by the space you attempt to generate keys on a USB token and it is full you will receive the following message:

% Error in generating keys:no available resources

Key deletion will remove the keys stored on the token from persistent storage immediately.

(Keys that do not reside on a token are saved to or deleted from nontoken storage locations when the copy or similar command is issued.) For information on configuring a USB token, see Storing PKI Credentials chapter in the Cisco IOS Security Configuration Guide, , see the Configuring and Managing a Cisco IOS Certificate Server for PKI Deployment chapter in the Cisco IOS Security Configuration Guide ,

Key Redundancy Generation on a Device

You can specify redundancy for existing keys only if they are ms2 with crypto engine debugging messages shown:

Router(config)# crypto key generate rsa label ms2 modulus 2048 on usbtoken0:
The name for the keys will be: ms2
% The key modulus size is 2048 bits
% Generating 1024 bit RSA keys, keys will be on-token, 7 02:41 :crypto_engine.
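An added example, not part of the Cisco reference: a configuration-review check that parses crypto key generate rsa lines with the keyword list from the syntax above and flags the points this page makes (the recommended minimum modulus of 2048, exportable key pairs, oversized on-token keys, and unlabeled keys generated before both hostname and ip domain-name are set). The function names and the sample configuration are assumptions constructed for illustration.

```python
import re

# Illustrative code: keywords from this page's syntax line; True = takes an argument.
KEYWORDS = {"general-keys": False, "usage-keys": False, "signature": False,
            "encryption": False, "exportable": False, "redundancy": False,
            "label": True, "modulus": True, "storage": True, "on": True}
GEN = re.compile(r"\s*crypto\s+key\s+generate\s+rsa\b(.*)", re.I)


def parse(line):
    """Return the options of one 'crypto key generate rsa' line, else None."""
    m = GEN.match(line)
    if not m:
        return None
    opts, tokens = {}, m.group(1).split()
    while tokens:
        kw = tokens.pop(0).lower()
        if kw not in KEYWORDS or (KEYWORDS[kw] and not tokens):
            raise ValueError(f"bad or incomplete keyword: {kw}")
        opts[kw] = tokens.pop(0) if KEYWORDS[kw] else True
    return opts


def audit(config):
    """Return (line_number, finding) pairs for a block of config lines."""
    findings, seen = [], set()
    for n, line in enumerate(config.splitlines(), 1):
        head = line.split()[:2]
        seen |= {k for k in ("hostname", "domain-name") if k in head}
        opts = parse(line)
        if opts is None:
            continue
        bits = int(opts["modulus"]) if "modulus" in opts else None
        if bits is not None and bits < 2048:
            findings.append((n, f"modulus {bits} is below the recommended 2048"))
        # Token keys: the page's size sentence is cut off after "2048 bits".
        if "on" in opts and bits is not None and bits > 2048:
            findings.append((n, "on-token key larger than 2048 bits"))
        if "exportable" in opts:
            findings.append((n, "key pair is exportable"))
        if "label" not in opts and len(seen) < 2:
            findings.append((n, "unlabeled key needs hostname and ip domain-name"))
    return findings


# Constructed sample input, not taken from a real device.
SAMPLE = ("hostname edge1\n"
          "crypto key generate rsa general-keys exportable modulus 1024\n"
          "ip domain-name example.com\n"
          "crypto key generate rsa label ms2 modulus 4096 on usbtoken0:\n")
```

Calling audit(SAMPLE) reports three findings on line 2 and one on line 4; the ms2 command from the page's own example (modulus 2048 on usbtoken0:) produces none.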

