RSA key pairs are used to sign and encrypt IKE key management messages and are required before obtaining a certificate for the router. Use the crypto key generate rsa global configuration command to generate RSA key pairs.
By default, RSA key pairs do not exist. If the usage-keys option is not used in the command, general-purpose keys are generated. RSA keys are generated in pairs consisting of one public RSA key and one private RSA key. If the router already has RSA keys when this command is issued, the router warns and prompts the administrator to replace the existing keys with new keys.
NOTE: Before issuing the command to generate RSA keys, make sure that the router has a hostname and IP domain name configured. The crypto key generate rsa command cannot be completed without a hostname and IP domain name, because the key pair is named after them (hostname.domain-name).
The keys generated by the crypto key generate rsa command are saved in the private configuration in NVRAM, which is never displayed to the administrator or backed up to another device. Copying the running or startup configuration to another router therefore does not carry the keys with it; a replacement router needs its own key pair (keys are non-exportable unless they were generated with the exportable keyword).
There are two mutually exclusive types of RSA key pairs: special-usage keys and general-purpose keys. When RSA key pairs are generated, the administrator can indicate whether to generate special-usage keys or general-purpose keys.
Special-usage Keys
If special-usage keys are generated, two pairs
of RSA keys are created. One pair is used with any IKE policy that specifies
RSA signatures as the authentication method, and the other pair is used with
any IKE policy that specifies RSA encrypted nonces as the authentication
method.
If both types of RSA authentication methods are present in the IKE policies, special-usage keys may be the preferred option. With special-usage keys, each key is exposed only to the operations of its own authentication method. Without special-usage keys, one key is used for both authentication methods, increasing the exposure of that key.
General-purpose Keys
If general-purpose keys are generated, only one pair of RSA keys is created. This pair is used with IKE policies specifying either RSA signatures or RSA encrypted nonces. Therefore, a general-purpose key pair might be used more frequently than a special-usage key pair.
When RSA keys are generated, the administrator is prompted to enter a modulus length, as shown in the figure. A longer modulus offers stronger security, but takes longer to generate and also takes longer to use. A modulus below 512 is normally not recommended. Cisco recommends using a minimum modulus of 1024. That recommendation reflects the IOS releases this text describes; 1024-bit RSA has since been deprecated (NIST SP 800-57 Part 1 sets 2048 bits as the minimum), so on current software choose a modulus of at least 2048 bits.
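The following IOS session is added here as an illustration of the procedure above; it is not taken from the original page or from Cisco documentation. It sets the hostname and domain name the command requires, generates a general-purpose pair with an explicit modulus, checks what the router will show, regenerates the pair as special-usage keys (triggering the replace warning), and then defines the two IKE authentication methods each pair serves. The hostname `vpn-gw`, the domain `example.com`, the timestamp, and the exact wording of the prompts and messages are assumptions; wording varies between IOS releases. The `modulus` keyword is also assumed to be available (very old releases only prompt interactively for the size).

```cisco
! Prerequisites: the key pair is named hostname.domain-name, so both
! must be configured before crypto key generate rsa will run.
Router# configure terminal
Router(config)# hostname vpn-gw
vpn-gw(config)# ip domain-name example.com

! General-purpose keys (the default when usage-keys is omitted).
! The router prompts for the modulus; 2048 bits is chosen here.
vpn-gw(config)# crypto key generate rsa
The name for the keys will be: vpn-gw.example.com
Choose the size of the key modulus in the range of 360 to 4096 for your
  General Purpose Keys. Choosing a key modulus greater than 512 may take
  a few minutes.

How many bits in the modulus [512]: 2048
% Generating 2048 bit RSA keys, keys will be non-exportable...
[OK]
vpn-gw(config)# end

! Check: only the public half is ever displayed. The private key is held
! in the private configuration in NVRAM and never appears in
! show running-config or show startup-config.
vpn-gw# show crypto key mypubkey rsa
% Key pair was generated at: 10:15:02 UTC Jan 1 2024   (illustrative)
Key name: vpn-gw.example.com
 Usage: General Purpose Key
 Key is not exportable.
 Key Data:
  30820122 300D0609 2A864886 F70D0101 01050003 82010F00 3082010A 02820101
  (remaining hex omitted in this illustration)

! Re-running the command when keys already exist produces a warning and a
! replace prompt; answering yes discards the existing pair. Here the keys
! are regenerated as special-usage keys: one pair for IKE policies that
! authenticate with rsa-sig and a separate pair for policies using rsa-encr.
vpn-gw# configure terminal
vpn-gw(config)# crypto key generate rsa usage-keys modulus 2048
% You already have RSA keys defined named vpn-gw.example.com.
% Do you really want to replace them? [yes/no]: yes
% Generating 2048 bit RSA keys, keys will be non-exportable...
[OK]

! The two IKE authentication methods the text refers to. With usage-keys
! in place, policy 10 uses the signature pair and policy 20 the
! encryption pair; with general-purpose keys both would share one pair.
vpn-gw(config)# crypto isakmp policy 10
vpn-gw(config-isakmp)# authentication rsa-sig
vpn-gw(config-isakmp)# exit
vpn-gw(config)# crypto isakmp policy 20
vpn-gw(config-isakmp)# authentication rsa-encr
vpn-gw(config-isakmp)# end

! Verify that two pairs now exist, one per usage.
vpn-gw# show crypto key mypubkey rsa
Key name: vpn-gw.example.com
 Usage: Signature Key
 Key is not exportable.
Key name: vpn-gw.example.com
 Usage: Encryption Key
 Key is not exportable.
```

Because the private keys never leave NVRAM, keep a record of which usage type and modulus each router was generated with; after a hardware replacement the keys must be regenerated and any certificate obtained for the old pair re-enrolled.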