Multiple RSA Key Pair Support
Feature History
This document describes the Multiple RSA Key Pair Support feature in Cisco IOS Release 12.2(8)T. It includes the following sections:
• Supported Standards, MIBs, and RFCs
Feature Overview
The Multiple RSA Key Pair Support feature allows a user to configure a Cisco IOS router to have multiple Rivest, Shamir, and Adelman (RSA) key pairs. Thus, the Cisco IOS software can maintain a different key pair for each identity certificate.
Before this feature, Cisco IOS public key infrastructure (PKI) configurations allowed either one general-purpose key pair or a set of special-purpose key pairs (an encryption and a signing key pair). The scenarios in which these key pairs were deployed often required the router to enroll with multiple certificate servers, because each server has an independent policy and may have different requirements regarding general-purpose versus special-purpose certificates or key length. With this feature, a user can configure a different key pair for each certification authority (CA) with which the router enrolls.
Benefits
The Multiple RSA Key Pair Support feature allows the Cisco IOS software to maintain a distinct key pair for each CA with which it is dealing. Thus, the Cisco IOS software can match policy requirements for each CA without compromising the requirements specified by the other CAs, such as key length, key lifetime, and general-purpose versus special-usage keys.
Restrictions
CA Enrollment
It is recommended that Secure Socket Layer (SSL) or other PKI clients not attempt to enroll with the same CA multiple times.
IKE Limitation
Internet Key Exchange (IKE) will not work for any identity that is configured to use a named key pair. If an IKE peer requests a certificate from a PKI trustpoint that is using multiple key support, the initial portion of the exchange will work; that is, the correct certificate will be sent in the certificate response. However, in this release, the named key pair will not be used and the IKE negotiation will fail.
Note
This restriction will be lifted in a future release.
Related Documents
• Certificate Autoenrollment, Cisco IOS Release 12.2(8)T feature module
• Certificate Enrollment Enhancements, Cisco IOS Release 12.2(8)T feature module
• Trustpoint CLI, Cisco IOS Release 12.2(8)T feature module
• The chapter "Configuring Certification Authority Interoperability" in the Cisco IOS Security Configuration Guide, Release 12.2
• The chapter "Certification Authority Interoperability Commands" in the Cisco IOS Security Command Reference, Release 12.2
Supported Platforms
This feature runs on all platforms that support IP Security (IPSec) and PKI.
• Cisco 800 series
• Cisco 805
• Cisco 806
• Cisco 820 series
• Cisco 827
• Cisco 828
• Cisco 1600 series
• Cisco 1600-R series
• Cisco 1710
• Cisco 1720
• Cisco 1750
• Cisco 1760
• Cisco 2400 series
• Cisco 2600 series
• Cisco 3620
• Cisco 3631
• Cisco 3640
• Cisco 3660
• Cisco 3725
• Cisco 3745
• Cisco 7100 series
• Cisco 7200 series
• Cisco 7400 series
• Cisco 7500 series
• Cisco CVA120 series
• Cisco ICS 7700
• Cisco MC3810 series
• Cisco uBR7200 series
• Cisco uBR900 series
• Cisco uBR904
• Cisco uBR905
• Cisco uBR910
• Cisco uBR920
• Cisco uBR925
• Route Processor Module (RPM)
Determining Platform Support Through Cisco Feature Navigator
Cisco IOS software is packaged in feature sets that support specific platforms. To get updated information regarding platform support for this feature, access Cisco Feature Navigator. Cisco Feature Navigator dynamically updates the list of supported platforms as new platform support is added for the feature.
Cisco Feature Navigator is a web-based tool that enables you to quickly determine which Cisco IOS software images support a specific set of features and which features are supported in a specific Cisco IOS image. You can search by feature or release. Under the release section, you can compare releases side by side to display both the features unique to each software release and the features in common.
Cisco Feature Navigator is updated regularly when major Cisco IOS software releases and technology releases occur. For the most current information, go to the Cisco Feature Navigator home page at the following URL:
Supported Standards, MIBs, and RFCs
Standards
None
MIBs
None
To obtain lists of supported MIBs by platform and Cisco IOS release, and to download MIB modules, go to the Cisco MIB website on Cisco.com at the following URL:
http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml
RFCs
None
Configuration Tasks
See the following sections for configuration tasks for the Multiple RSA Key Pair Support feature. Each task in the list is identified as either required or optional.
• Configuring RSA Key Pair Settings (required)
• Removing RSA Key Pair Settings (optional)
• Verifying RSA Key Information (optional)
Configuring RSA Key Pair Settings
Whenever you regenerate a key pair, you must reenroll the certificate identities that use that key pair. To refer back to the named key pair and associate it with the certificate, use the following commands beginning in global configuration mode:
Removing RSA Key Pair Settings
To delete a specified RSA key pair that has been generated by your router, use the following command in global configuration mode:
Command                                                     Purpose
Router(config)# crypto key zeroize rsa [key-pair-label]     Deletes RSA keys from your router. If the key-pair-label argument is used, only the specified RSA key pair is deleted.
Verifying RSA Key Information
To verify RSA key information, use at least one of the following EXEC commands:
Configuration Examples
This section provides the following configuration examples:
• RSA Key Pair Settings Configuration Example
RSA Key Pair Settings Configuration Example
The following example is a sample trustpoint configuration that specifies the RSA key pair "exampleCAkeys" (the key pair is generated with the general-keys keyword documented for crypto key generate rsa):
crypto key generate rsa general-keys exampleCAkeys
crypto ca trustpoint exampleCAkeys
enroll url http://exampleCAkeys/certsrv/mscep/mscep.dll
rsakeypair exampleCAkeys 1024 1024
Command Reference
This section documents new or modified commands. All other commands used with this feature are documented in the Cisco IOS Release 12.2 command reference publications.
crypto key generate rsa (CA)
To generate RSA key pairs, use the crypto key generate rsa command in global configuration mode.
crypto key generate rsa [usage-keys | general-keys] [key-pair-label]
Syntax Description
Defaults
Rivest, Shamir, and Adelman (RSA) key pairs do not exist.
If key-pair-label is not specified, the fully qualified domain name (FQDN) of the router is used and general-purpose keys are generated.
Command Modes
Global configuration
Command History
Release     Modification
11.3 T      This command was introduced.
12.2(8)T    The general-keys keyword and the key-pair-label argument were added.
Usage Guidelines
Use this command to generate RSA key pairs for your Cisco device (such as a router).
RSA keys are generated in pairs—one public RSA key and one private RSA key.
If your router already has RSA keys when you issue this command, you will be warned and prompted to replace the existing keys with new keys.
Note
Before issuing this command, ensure your router has a host name and IP domain name configured (with the hostname and ip domain-name commands). You will be unable to complete the crypto key generate rsa command without a host name and IP domain name. (The only exception is when you generate a named key pair.)
This command is not saved in the router configuration; however, the keys generated by this command are saved in the private configuration in NVRAM (which is never displayed to the user or backed up to another device).
There are two mutually exclusive styles of RSA key pairs: special-usage keys and general-purpose keys. When you generate RSA key pairs, you will be prompted to select either special-usage keys or general-purpose keys.
Special-Usage Keys
If you generate special-usage keys, two pairs of RSA keys will be generated. One pair will be used with any Internet Key Exchange (IKE) policy that specifies RSA signatures as the authentication method, and the other pair used with any IKE policy that specifies RSA-encrypted nonces as the authentication method. (You configure RSA signatures or RSA-encrypted nonces in your IKE policies as described in the Cisco IOS Security Configuration Guide.)
A certification authority (CA) is used only with IKE policies specifying RSA signatures, not with IKE policies specifying RSA-encrypted nonces. (However, you could specify more than one IKE policy and have RSA signatures specified in one policy and RSA-encrypted nonces in another policy.)
If you plan to have both types of RSA authentication methods in your IKE policies, you might prefer to generate special-usage keys. With special-usage keys, each key is not unnecessarily exposed. (Without special-usage keys, one key is used for both purposes, increasing that key's exposure.)
General-Purpose Keys
If you generate general-purpose keys, only one pair of RSA keys will be generated. This pair will be used with IKE policies specifying either RSA signatures or RSA-encrypted nonces. Therefore, a general-purpose key pair might be used more frequently than a special-usage key pair.
Named Key Pairs
If you generate a named key pair using the key-pair-label argument, you must also specify the usage-keys keyword or the general-keys keyword. Named key pairs allow you to have multiple RSA key pairs, enabling the Cisco IOS software to maintain a different key pair for each identity certificate.
Modulus Length
When you generate RSA keys, you will be prompted to enter a modulus length. A longer modulus could offer stronger security but takes longer to generate (see Table 1 for sample times) and takes longer to use. A length of less than 512 bits is normally not recommended. (In certain situations, the shorter modulus may not function properly with IKE, so Cisco recommends using a minimum modulus of 1024 bits.)
Examples
The following example generates special-usage RSA keys.
crypto key generate rsa usage-keys
The name for the keys will be: myrouter.example.com
Choose the size of the key modulus in the range of 360 to 2048 for your Signature Keys. Choosing a key modulus greater than 512 may take a few minutes.
How many bits in the modulus[512]? <return>
Generating RSA keys.... [OK].
Choose the size of the key modulus in the range of 360 to 2048 for your Encryption Keys. Choosing a key modulus greater than 512 may take a few minutes.
How many bits in the modulus[512]? <return>
Generating RSA keys.... [OK].
The following example generates general-purpose RSA keys. (Note that you cannot generate both special-usage and general-purpose keys; you can generate only one or the other.)
crypto key generate rsa
The name for the keys will be: myrouter.example.com
Choose the size of the key modulus in the range of 360 to 2048 for your General Purpose Keys. Choosing a key modulus greater than 512 may take a few minutes.
How many bits in the modulus[512]? <return>
Generating RSA keys.... [OK].
The following example generates the general-purpose RSA key pair "exampleCAkeys" (using the general-keys keyword from the command syntax) and associates it with a trustpoint:
crypto key generate rsa general-keys exampleCAkeys
crypto ca trustpoint exampleCAkeys
enroll url http://exampleCAkeys/certsrv/mscep/mscep.dll
rsakeypair exampleCAkeys 1024 1024
Related Commands
crypto key zeroize rsa
To delete all RSA keys from your router, use the crypto key zeroize rsa command in global configuration mode.
crypto key zeroize rsa [key-pair-label]
Syntax Description
Defaults
No default behavior or values.
Command Modes
Global configuration
Command History
Release     Modification
11.3 T      This command was introduced.
12.2(8)T    The key-pair-label argument was added.
Usage Guidelines
This command deletes all Rivest, Shamir, and Adelman (RSA) keys that were previously generated by your router unless you include the key-pair-label argument, which will delete only the specified RSA key pair. If you issue this command, you must also perform two additional tasks for each trustpoint that is associated with the key pair that was deleted:
• Ask the certification authority (CA) administrator to revoke your router's certificates at the CA; you must supply the challenge password you created when you originally obtained the router's certificates using the crypto ca enroll command.
• Manually remove the router's certificates from the configuration by removing the configured trustpoint (using the no crypto ca trustpoint name command).
Note
This command cannot be undone (after you save your configuration), and after RSA keys have been deleted, you cannot use certificates or the CA or participate in certificate exchanges with other IP Security (IPSec) peers unless you reconfigure CA interoperability by regenerating RSA keys, getting the CA's certificate, and requesting your own certificate again.
This command is not saved to the configuration.
Examples
The following example deletes the general-purpose RSA key pair that was previously generated for the router. After deleting the RSA key pair, the administrator contacts the CA administrator and requests that the router's certificate be revoked. The administrator then deletes the router's certificate from the configuration.
crypto key zeroize rsa
crypto ca certificate chain
no certificate
Related Commands
rsakeypair
To specify which key pair to associate with the certificate, use the rsakeypair command in ca-trustpoint configuration mode.
rsakeypair key-label [key-size [encryption-key-size]]
Syntax Description
Defaults
The fully qualified domain name (FQDN) key is used.
Command Modes
ca-trustpoint configuration
Command History
Usage Guidelines
When you regenerate a key pair, you are responsible for reenrolling the identities associated with that key pair. Use the rsakeypair command to refer back to the named key pair from the trustpoint.
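As an added example (not part of the Cisco document), the following Python script audits a running-configuration fragment for the conditions this page calls out: a trustpoint with no rsakeypair line that falls back to the FQDN key pair, a modulus below the recommended 1024 bits (see Modulus Length above), and two trustpoints that share one key pair, which defeats the per-CA separation the feature provides. The configuration fragment, trustpoint names and key labels are constructed for illustration.

```python
from collections import defaultdict

MIN_MODULUS = 1024  # minimum modulus the page recommends for IKE interoperability

# Constructed running-config fragment (sample input, not from the page).
SAMPLE_CONFIG = """\
crypto ca trustpoint exampleCAkeys
 enrollment url http://exampleCAkeys/certsrv/mscep/mscep.dll
 rsakeypair exampleCAkeys 1024 1024
crypto ca trustpoint partnerCA
 rsakeypair exampleCAkeys 1024
crypto ca trustpoint legacyCA
 rsakeypair legacyKeys 512
crypto ca trustpoint defaultCA
 enrollment url http://default.example.net/cgi-bin/pkiclient.exe
"""

def parse_trustpoints(config):
    """Map trustpoint -> (key label, signature size, encryption size).
    No rsakeypair line means the router's FQDN key is used: reported as None."""
    tps, current = {}, None
    for line in config.splitlines():
        words = line.split()
        if words[:3] == ["crypto", "ca", "trustpoint"]:
            current = words[3]
            tps[current] = (None, None, None)
        elif current and line.startswith(" ") and words[:1] == ["rsakeypair"]:
            size = int(words[2]) if len(words) > 2 else None
            enc = int(words[3]) if len(words) > 3 else size  # defaults to key-size
            tps[current] = (words[1], size, enc)
        elif words and not line.startswith(" "):
            current = None  # another top-level command ends ca-trustpoint mode
    return tps

def audit(config):
    """Return sorted (trustpoint, finding) pairs for default, short or shared key pairs."""
    users, findings = defaultdict(list), []
    for tp, (label, size, enc) in parse_trustpoints(config).items():
        users[label or "<FQDN>"].append(tp)
        if label is None:
            findings.append((tp, "no rsakeypair; falls back to the FQDN key pair"))
        elif size is not None and min(size, enc) < MIN_MODULUS:
            findings.append((tp, f"modulus {min(size, enc)} is below {MIN_MODULUS}"))
    for label, tp_list in users.items():
        if len(tp_list) < 2:
            continue
        for tp in tp_list:
            others = ", ".join(t for t in tp_list if t != tp)
            findings.append((tp, f"shares key pair {label} with {others}"))
    return sorted(findings)
```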
Examples
The following example is a sample trustpoint configuration that specifies the RSA key pair "exampleCAkeys":
crypto ca trustpoint exampleCAkeys
enroll url http://exampleCAkeys/certsrv/mscep/mscep.dll
rsakeypair exampleCAkeys 1024 1024
Related Commands
Command                     Description
auto-enroll                 Enables autoenrollment.
crypto ca trustpoint        Declares the CA that your router should use.
crypto key generate rsa     Generates RSA key pairs.
Glossary
certification authority (CA)—A service responsible for managing certificate requests and issuing certificates to participating IPSec network devices. This service provides centralized key management for the participating devices and is explicitly entrusted by the receiver to validate identities and to create digital certificates.
enrollment—The process of obtaining a new certificate from a CA.
general-purpose keys—Key pairs that are used for signing key management messages and encrypting key management messages.
Internet Key Exchange (IKE)—A hybrid protocol that implements Oakley key exchange and Skeme key exchange inside the ISAKMP framework. Although IKE can be used with other protocols, its initial implementation is with IPSec. IKE provides authentication of the IPSec peers, negotiates IPSec keys, and negotiates IPSec security associations.
IP Security (IPSec)—A framework of open standards developed by the Internet Engineering Task Force (IETF). IPSec provides security for transmission of sensitive information over unprotected networks such as the Internet. IPSec acts at the network layer, protecting and authenticating IP packets between participating IPSec devices ("peers"), such as Cisco routers.
peer certificate—The certificate presented by a peer, which contains the peer's public key and is signed by the peer's identity CA.
public key infrastructure (PKI)—Provides trusted and efficient key and certificate management to support security protocols such as IPSec.
RSA keys—RSA keys come in pairs—one public key and one private key—and are used to sign and encrypt IKE key management messages and are required before you can obtain a certificate for your router.
special-usage keys—A dual key pair; one set is used for encryption tasks and the other set is used for signing tasks.
trustpoint ca—A CA that combines and replaces the functionality of the identity CA (which uses its own certificate to sign the certificate of a router, thereby validating the identity of the router) and root CA (which has a self-signed certificate that contains its own public key).