Security threats, as well as the cryptographic technologies to help protect against them, are constantly changing. For more information about the latest Cisco cryptographic recommendations, see the Next Generation Encryption (NGE) whitepaper.
Before issuing this command, ensure that your router has a hostname and IP domain name configured (with the hostname and ip domain-name commands). You will be unable to complete the crypto key generate rsa command without a hostname and IP domain name. (This situation is not true when you generate only a named key pair.)
This command is not saved in the router configuration; however, the RSA keys generated by this command are saved in the private configuration in NVRAM (which is never displayed to the user or backed up to another device) the next time the configuration is written to NVRAM.
There are two mutually exclusive types of RSA key pairs: special-usage keys and general-purpose keys. When you generate RSA key pairs, you will be prompted to select either special-usage keys or general-purpose keys.
If you generate special-usage keys, two pairs of RSA keys will be generated. One pair will be used with any Internet Key Exchange (IKE) policy that specifies RSA signatures as the authentication method, and the other pair will be used with any IKE policy that specifies RSA encrypted keys as the authentication method.
If you plan to have both types of RSA authentication methods in your IKE policies, you may prefer to generate special-usage keys. With special-usage keys, each key is not unnecessarily exposed. (Without special-usage keys, one key is used for both authentication methods, increasing the exposure of that key.)
If you generate general-purpose keys, only one pair of RSA keys will be generated. This pair will be used with IKE policies specifying either RSA signatures or RSA encrypted keys. Therefore, a general-purpose key pair might get used more frequently than a special-usage key pair.
If you generate a named key pair using the key-label argument, you must also specify the usage-keys keyword or the general-keys keyword. Named key pairs allow you to have multiple RSA key pairs, enabling the Cisco IOS software to maintain a different key pair for each identity certificate.
When you generate RSA keys, you will be prompted to enter a modulus length. The longer the modulus, the stronger the security. However, a longer modulus takes longer to generate (see the table below for sample times) and takes longer to use.
As of Cisco IOS Release 12.4(11)T, peer public RSA key modulus values up to 4096 bits are automatically supported. The largest private RSA key modulus is 4096 bits. Therefore, the largest RSA private key a router may generate or import is 4096 bits. However, RFC 2409 restricts the private key size to 2048 bits or less for RSA encryption. The recommended modulus for a CA is 2048 bits; the recommended modulus for a client is 2048 bits.
Additional limitations may apply when RSA keys are generated by cryptographic hardware. For example, when RSA keys are generated by the Cisco VPN Services Port Adapter (VSPA), the RSA key modulus must be a minimum of 384 bits and must be a multiple of 64.
When you issue the crypto key generate rsa command with the storage devicename: keyword and argument, the RSA keys will be stored on the specified device. This location will supersede any crypto key storage command settings.
As of Cisco IOS Release 12.4(11)T and later releases, you may specify the device where RSA keys are generated. Devices supported include NVRAM, local disks, and USB tokens. If your router has a USB token configured and available, the USB token can be used as a cryptographic device in addition to a storage device. Using a USB token as a cryptographic device allows RSA operations such as key generation, signing, and authentication of credentials to be performed on the token. The private key never leaves the USB token and is not exportable. The public key is exportable.
RSA keys may be generated on a configured and available USB token, by the use of the on devicename: keyword and argument. Keys that reside on a USB token are saved to persistent token storage when they are generated. The number of keys that can be generated on a USB token is limited by the space available. If you attempt to generate keys on a USB token and it is full, you will receive the following message:
RP/0/RSP0/CPU0:asr9010#admin
RP/0/RSP0/CPU0:asr9010(admin)#crypto key
  Long term key operations
RP/0/RSP0/CPU0:asr9010(admin)#crypto key import
  Import Public Key
  zeroize  Remove keys
RP/0/RSP0/CPU0:asr9010#conf
RP/0/RSP0/CPU0:asr9010(config)#crypto
  ca          Certification authority
  fips-mode   Enable FIPS mode
  gdoi        Configure GDOI policy
  ipsec       Configure IPSEC policy
  ipsec-node  ipsec node global configuration
  isakmp      Configure isakmp Options
  map         Enter a crypto map
RSA key pair needs to be generated. Use the crypto key generate rsa command to generate it. You must configure a hostname for the router using the hostname global configuration command.
Perhaps you're visiting this page because you want to use the latest (as of 2015) cryptography standards available: Suite-B. Perhaps you are interested in fully migrating to IKEv2. Or perhaps you are one of the many people using the "end of life" Cisco IPSec VPN Client, upgraded to Windows 10, and then found the support somewhat lacking. Perhaps you have come across some articles on the Internet showing solutions, but you don't have Cisco ISE, a RADIUS server or a certificate server, so they won't work for you. Or perhaps you just want to keep your Cisco technology current.
The first solution you should consider is using the Cisco SSL VPN technology. It doesn't use Suite-B cryptography, but it is much easier to set up. If you don't need super strong cryptography (and don't mind paying the licencing cost) then you should seriously consider this option (which Google can help you find the answers to).
You're still reading this article, so that means you do want to use super strong cryptography or want to minimise additional licencing costs. This article will show you how to deploy an IKEv2 Suite-B compliant VPN using the Cisco AnyConnect client (V3.1.12020 or newer) using nothing more than a Cisco IOS router running IOS V15.4(3)M4 or later. You need to be using a minimum of Windows 7 to make Suite-B work. This is perfect for small sites that are light on infrastructure.
Now we have a CA operating, we need to generate a certificate for our router to identify itself to clients. Ideally you will have a DNS entry for this, but a static IP address should also be fine. The "IP Address" below is the external public IPv4 address of the router.
The certificate server should now have a pending request.
do show crypto pki server ca-server requests
Once you can see the request number you can approve it.
do crypto pki server ca-server grant
Now wait a minute or so. You should see a message come up on the console or the log saying the certificate has been retrieved from the CA and installed. You can check that the certificate is installed with:
We'll now install the CA certificate into a new trustpoint for the user and request the certificate.
crypto pki authenticate firstname.lastname@example.org pki enroll email@example.com
The certificate server should now have a pending request.
do show crypto pki server ca-server requests
Once you can see the request number you can approve it.
do crypto pki server ca-server grant
Now wait a minute or so. You should see a message come up on the console or the log saying the certificate has been retrieved from the CA and installed. You can check that the certificate is installed with:
Simple answer... it's not possible to get at the keys directly. They're stored in the nvram private-config which is not user accessible. If the key was generated in the default fashion, then it wasn't set as exportable, and thus cannot be retrieved.
4) Install XR packages: Here starts the real fun. After the software has been successfully installed and committed, the router initiates the request to download the 'ZTP.sh' script (see below for more information about the ZTP script) from the HTTP server (assuming the script has been uploaded upfront). This is a Linux-based bash script, so it runs in the integrated Linux shell environment of the IOS-XR platform. And, as you will see below, the script contains all the necessary information about the location of the packages (such as OSPF, ISIS, MPLS, etc.), downloading and installing them one by one automatically, including the possibility to generate the crypto keys for SSH purposes.
login on-failure log
login on-success log
login delay 1
logging buffered 16777216 informational
aaa authentication attempts login 3
ip domain name yourCompany.com
ip ssh source-interface Loopback0
ip ssh version 2
ip ssh logging events
ip ssh authentication-retries 2
ip ssh dh min size 4096
! SSH algorithms used below may vary depending on your IOS/IOS-XE version
ip ssh server algorithm publickey rsa-sha2-512 ecdsa-sha2-nistp384
ip ssh server algorithm mac hmac-sha2-256 hmac-sha2-512
ip ssh server algorithm encryption aes256-gcm aes256-cbc aes256-ctr
ip ssh server algorithm kex ecdh-sha2-nistp384 ecdh-sha2-nistp521
! Generate a strong key for use with SSH, either using the RSA or ECC command below
crypto key generate rsa modulus 4096
crypto key generate ec keysize 384
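As an added example (not code from the page, from Cisco, or from any of the quoted authors), here is a small Python audit that reads an IOS running-config and flags SSH settings that fall short of the values given on this page: the hostname and ip domain name prerequisite for crypto key generate rsa, the 2048-bit recommended and 4096-bit maximum RSA modulus, the 4096-bit DH minimum from the hardening snippet above, and legacy algorithm names in the ip ssh server algorithm lists. The two sample configurations are constructed; the thresholds come from the page, and the legacy-algorithm markers (sha1, md5, 3des) are an assumption of the example, not a Cisco list.

```python
"""Audit the SSH-related lines of a Cisco IOS configuration (added example)."""
import re
from typing import Dict, List

# Thresholds taken from the page; the legacy markers are this example's assumption.
MIN_RSA_MODULUS = 2048            # recommended modulus for CA and client
MAX_RSA_MODULUS = 4096            # largest RSA private key IOS can generate/import
MIN_DH_SIZE = 4096                # "ip ssh dh min size 4096" from the hardening snippet
LEGACY_MARKERS = ("sha1", "md5", "3des")

ALG_RE = re.compile(r"^ip ssh server algorithm (publickey|hostkey|mac|encryption|kex)\s+(.+)$")
RSA_RE = re.compile(r"^crypto key generate rsa\b.*?\bmodulus (\d+)")
EC_RE = re.compile(r"^crypto key generate ec\b.*?\bkeysize (\d+)")


def parse_ssh_config(text: str) -> Dict:
    """Pull the fields the audit needs out of running-config text."""
    cfg = {"hostname": None, "domain_name": None, "ssh_version": None,
           "dh_min_size": None, "algorithms": {}, "rsa_modulus": [], "ec_keysize": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):          # skip blanks and comments
            continue
        if line.startswith("hostname "):
            cfg["hostname"] = line.split(None, 1)[1]
        elif line.startswith(("ip domain name ", "ip domain-name ")):
            cfg["domain_name"] = line.split()[-1]
        elif line.startswith("ip ssh version "):
            cfg["ssh_version"] = int(line.split()[-1])
        elif line.startswith("ip ssh dh min size "):
            cfg["dh_min_size"] = int(line.split()[-1])
        elif (m := ALG_RE.match(line)):
            cfg["algorithms"][m.group(1)] = m.group(2).split()
        elif (m := RSA_RE.match(line)):
            cfg["rsa_modulus"].append(int(m.group(1)))
        elif (m := EC_RE.match(line)):
            cfg["ec_keysize"].append(int(m.group(1)))
    return cfg


def audit(cfg: Dict) -> List[str]:
    """Return one finding per setting that misses the page's recommendations."""
    findings: List[str] = []
    if cfg["rsa_modulus"] and not (cfg["hostname"] and cfg["domain_name"]):
        findings.append("hostname and ip domain name must both be set before crypto key generate rsa")
    if cfg["ssh_version"] != 2:
        findings.append(f"ip ssh version is {cfg['ssh_version']}, expected 2")
    if cfg["dh_min_size"] is None or cfg["dh_min_size"] < MIN_DH_SIZE:
        findings.append(f"ip ssh dh min size is {cfg['dh_min_size']}, expected >= {MIN_DH_SIZE}")
    for kind, algs in cfg["algorithms"].items():
        legacy = [a for a in algs if any(mk in a for mk in LEGACY_MARKERS)]
        if legacy:
            findings.append(f"{kind} algorithm list allows legacy {', '.join(legacy)}")
    for bits in cfg["rsa_modulus"]:
        if bits < MIN_RSA_MODULUS:
            findings.append(f"RSA modulus {bits} below recommended {MIN_RSA_MODULUS}")
        elif bits > MAX_RSA_MODULUS:
            findings.append(f"RSA modulus {bits} exceeds the {MAX_RSA_MODULUS}-bit maximum IOS can generate")
    return findings


# Constructed sample: a weak configuration (no domain name, SSHv1, small DH, SHA-1, 1024-bit RSA).
WEAK_CONFIG = """\
hostname edge-rtr
ip ssh version 1
ip ssh dh min size 1024
ip ssh server algorithm mac hmac-sha1 hmac-sha2-256
ip ssh server algorithm kex diffie-hellman-group14-sha1
crypto key generate rsa modulus 1024
"""

# Constructed sample: the page's hardening lines plus a hostname.
HARDENED_CONFIG = """\
hostname edge-rtr
ip domain name yourCompany.com
ip ssh version 2
ip ssh dh min size 4096
ip ssh server algorithm publickey rsa-sha2-512 ecdsa-sha2-nistp384
ip ssh server algorithm mac hmac-sha2-256 hmac-sha2-512
ip ssh server algorithm encryption aes256-gcm aes256-cbc aes256-ctr
ip ssh server algorithm kex ecdh-sha2-nistp384 ecdh-sha2-nistp521
crypto key generate rsa modulus 4096
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {name} ==")
        for finding in audit(parse_ssh_config(text)) or ["no findings"]:
            print("  -", finding)
```

Feed it the output of show running-config; the weak sample produces six findings and the hardened one none. The aes256-cbc entry in the page's own encryption list is deliberately not flagged, since the page lists it as acceptable; tighten LEGACY_MARKERS to match your own baseline.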
Generate an RSA crypto key. Generating a key pair on the IOS device automatically enables SSH. When you generate an RSA key, you are prompted to enter a modulus length. A longer modulus length takes longer to generate, but it is more secure. You generate an RSA key with the crypto key generate rsa command.