Configure CA Support on a Cisco Router
Step 4 – generate an RSA key pair

The router's RSA private key is used to sign IKE key management messages (RSA signatures) or to decrypt them (RSA-encrypted nonces), while the public key is what the CA binds to the router's identity in its certificate. A key pair must therefore exist before the router can enroll with a CA and obtain a certificate.

Use the crypto key generate rsa global configuration command to generate RSA key pairs.

By default, RSA key pairs do not exist. If the usage-keys option is not used in the command, general-purpose keys are generated. RSA keys are generated in pairs consisting of one public RSA key and one private RSA key. If the router already has RSA keys when this command is issued, the router warns and prompts the administrator to replace the existing keys with new keys. Replacing them invalidates any certificate that was issued for the old public key, so the router must re-enroll with the CA afterwards.

NOTE:

Before issuing the command to generate RSA keys, make sure that the router has a hostname and IP domain name configured. The crypto key generate rsa command cannot be completed without a hostname and IP domain name.

The keys generated by the crypto key generate rsa command are saved in the private configuration in NVRAM the next time the configuration is written to NVRAM (copy running-config startup-config). The private configuration is never displayed to the administrator (show running-config does not include the private key, and show crypto key mypubkey rsa shows only the public half) and is not included in configuration backups copied to another device. Unless the key pair was generated with the exportable keyword, the private key also cannot be exported from the router; the only way to get rid of it is crypto key zeroize rsa.

There are two mutually exclusive types of RSA key pairs: special-usage keys and general-purpose keys. When RSA key pairs are generated, the administrator indicates which of the two to create.

Special-usage Keys
If special-usage keys are generated, two pairs of RSA keys are created. One pair is used with any IKE policy that specifies RSA signatures as the authentication method, and the other pair is used with any IKE policy that specifies RSA encrypted nonces as the authentication method.

If both RSA authentication methods are present in the IKE policies, special-usage keys may be the preferred option, because each key is then used for one purpose only and is not unnecessarily exposed. Without special-usage keys, a single key is used for both authentication methods, which increases the exposure of that key.

General-purpose Keys
If general-purpose keys are generated, only one pair of RSA keys is created. This pair is used with IKE policies specifying either RSA signatures or RSA encrypted nonces. Therefore, a general-purpose key pair might get used more frequently than a special-usage key pair.

When RSA keys are generated, the administrator is prompted to enter a modulus length, as shown in the figure. A longer modulus offers stronger security, but takes longer to generate and also takes longer to use. A modulus below 512 is not recommended, and Cisco's documented minimum is 1024. Note that a 512-bit RSA modulus is no longer considered secure against a well-resourced attacker, and current Cisco documentation recommends a 2048-bit modulus; treat 1024 as the floor, not the target.
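The complete procedure described above (hostname and domain name as prerequisites, key generation, verification, and saving the private configuration), as an added worked example that is not part of the original page. The hostname R1, the domain example.com, the key label VPN-KEYS, and the interactive output shown are assumptions chosen for illustration; the exact prompt text varies between IOS releases.

```cisco
! Prerequisites: the key name is derived from hostname + IP domain name,
! so crypto key generate rsa refuses to run until both are set.
Router> enable
Router# configure terminal
Router(config)# hostname R1
R1(config)# ip domain-name example.com

! Option 1: general-purpose key pair (default). One pair serves both
! RSA-signature and RSA-encrypted-nonce IKE policies.
! Illustrative prompt/output; the default of 512 is deliberately overridden.
R1(config)# crypto key generate rsa
The name for the keys will be: R1.example.com
Choose the size of the key modulus in the range of 360 to 2048 for your
  General Purpose Keys. Choosing a key modulus greater than 512 may take
  a few minutes.

How many bits in the modulus [512]: 2048
% Generating 2048 bit RSA keys, keys will be non-exportable...[OK]

! Option 2: special-usage keys. The router prompts twice because it creates
! two pairs: one for RSA signatures, one for RSA-encrypted nonces.
R1(config)# crypto key generate rsa usage-keys
The name for the keys will be: R1.example.com
How many bits in the modulus [512]: 2048
% Generating 2048 bit RSA keys, keys will be non-exportable...[OK]
How many bits in the modulus [512]: 2048
% Generating 2048 bit RSA keys, keys will be non-exportable...[OK]

! Option 3: non-interactive form with a label (assumed name VPN-KEYS) and an
! explicit modulus. Omit "exportable" unless the private key genuinely has to
! leave the router, e.g. for a cold-standby chassis; it cannot be added later.
R1(config)# crypto key generate rsa general-keys label VPN-KEYS modulus 2048
The name for the keys will be: VPN-KEYS
% Generating 2048 bit RSA keys, keys will be non-exportable...[OK]
R1(config)# end

! Verification: only the public portion is ever displayed.
R1# show crypto key mypubkey rsa

! Persistence: the private key is written to the private configuration in
! NVRAM only when the configuration is saved. Skip this step, reload, and
! the key pair is gone.
R1# copy running-config startup-config

! Rollback / rekey: destroys the pair (and invalidates any certificate
! issued for it); re-enrollment with the CA is required afterwards.
R1(config)# crypto key zeroize rsa VPN-KEYS
```

When a trustpoint is configured in the following steps, the rsakeypair command under crypto ca trustpoint (crypto pki trustpoint on newer releases) is how a labelled pair such as VPN-KEYS is tied to that enrollment; without it the router uses the default pair named after the hostname and domain.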