How to Generate RSA Key Pairs for Cisco ASR Routers
RSA key pairs are essential for securing SSH connections and PKI certificates on Cisco ASR routers. RSA keys are generated in pairs: one public key and one private key. The public key can be shared with others, while the private key must be kept secret. In this article, we will show you how to generate RSA key pairs for Cisco ASR routers using the crypto key generate rsa command.
Steps to Generate RSA Key Pairs for Cisco ASR Routers
Enter global configuration mode by typing enable and configure terminal.
Create a trustpoint name for your RSA key pair by typing crypto pki trustpoint name, where name is any identifier you choose.
Specify the RSA key pair to use for your trustpoint by typing rsakeypair key-label [key-size [encryption-key-size]], where key-label is the name of your RSA key pair, key-size is the modulus size of your RSA key pair in bits (default is 1024, recommended is 2048 or higher), and encryption-key-size is the modulus size of your encryption RSA key pair in bits (optional, only used if you specify usage-keys or encryption as an option for the crypto key generate rsa command).
If you want the router to issue a self-signed certificate for this trustpoint, type enrollment selfsigned. Otherwise, skip this step.
If you want to add a subject alternative name (SAN) to the trustpoint's certificate, type subject-alt-name name, where name is the SAN you want to add. Otherwise, skip this step.
Exit the trustpoint configuration mode by typing exit.
Generate your RSA key pair by typing crypto key generate rsa [general-keys | usage-keys | signature | encryption] [label key-label] [exportable] [modulus modulus-size] [storage devicename:] [redundancy] [on devicename:], where the options are as follows:
general-keys: Specifies that a general-purpose key pair will be generated, which is the default.
usage-keys: Specifies that two RSA special-usage key pairs, one encryption pair and one signature pair, will be generated.
signature: Specifies that the RSA public key generated will be a signature special usage key.
encryption: Specifies that the RSA public key generated will be an encryption special usage key.
label key-label: Specifies the name used for the RSA key pair, including when it is exported. If a key label is not specified, the fully qualified domain name (FQDN) of the router is used.
exportable: Specifies that the RSA key pair can be exported to another Cisco device, such as a router.
modulus modulus-size: Specifies the size of the key modulus in bits. By default, the modulus of a certification authority (CA) key is 1024 bits. The recommended modulus for a CA key is 2048 bits. The range of a CA key modulus is from 350 to 4096 bits.
storage devicename: Specifies the key storage location. The name of the storage device is followed by a colon (:).
redundancy: Specifies that the key should be synchronized to the standby CA.
on devicename: Specifies that the RSA key pair will be created on the specified device, including a Universal Serial Bus (USB) token, local disk, or NVRAM. The name of the device is followed by a colon (:). Keys created on a USB token must be
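The steps above put together as one worked configuration. This is an added example, not taken from the article or from Cisco's documentation: the hostname, domain, trustpoint name TP-ASR-SSH and key label ASR-SSH-KEY are assumed placeholder values, and it goes beyond the steps above by adding the crypto pki enroll, ip ssh and show commands used to issue the self-signed certificate, bind SSH to the key, and verify the result.

```cisco
! Constructed example; hostname, domain, trustpoint and key label are placeholders.
! Set the FQDN first: it becomes the default key label when no label is given.
enable
configure terminal
 hostname asr1
 ip domain-name example.com
!
! Trustpoint bound to an explicitly sized key pair.
! (rsakeypair ASR-SSH-KEY with no size would fall back to the 1024-bit default,
!  below the 2048-bit recommendation above.)
crypto pki trustpoint TP-ASR-SSH
 enrollment selfsigned
 subject-name CN=asr1.example.com
 subject-alt-name asr1.example.com
 rsakeypair ASR-SSH-KEY 2048
 exit
!
! Generate the labelled 2048-bit general-purpose pair in NVRAM.
! The exportable keyword is deliberately omitted so the private key cannot
! leave the device.
crypto key generate rsa general-keys label ASR-SSH-KEY modulus 2048 storage nvram:
!
! Issue the self-signed certificate for the trustpoint and use the same key for SSH.
crypto pki enroll TP-ASR-SSH
ip ssh rsa keypair-name ASR-SSH-KEY
ip ssh version 2
end
!
! Verify: label, usage and "Key is not exportable" on the key; subject/SAN on the cert.
show crypto key mypubkey rsa ASR-SSH-KEY
show crypto pki certificates TP-ASR-SSH
```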