Downloads |
 Feedback
|
Table Of Contents
Prerequisites for Storing PKI Credentials
Restrictions for Storing PKI Credentials
Information About Storing PKI Credentials
Storing Certificates to a Local Storage Location
PKI Credentials and USB Tokens
Specifying a Local Storage Location for Certificates
Setting Up and Using USB Tokens on Cisco Routers
Storing the Configuration on a USB Token
Logging Into and Setting Up the USB Token
Setting Administrative Functions on the USB Token
The show usb controllers Command
Configuration Examples for PKI Storage
Storing Certificates to a Specific Local Storage Location: Example
Logging Into a USB Token and Saving RSA Keys to the USB Token: Example
Feature Information for Storing PKI Credentials
Storing PKI Credentials
First Published: May 2, 2005Last Updated: March 11, 2011This module explains how to store public key infrastructure (PKI) credentials, such as Rivest, Shamir, and Adelman (RSA) keys and certificates in a specific location.
An example of a certificate storage location includes NVRAM, which is the default location, and other local storage locations, such as flash, as supported by your platform.
An example of an RSA key and certificate storage location includes a USB token. Selected Cisco platforms support smart card technology in a USB key form factor (such as an Aladdin USB eToken key). USB tokens provide secure configuration distribution, provide RSA operations such as on-token key generation, signing, and authentication, and allow users to store Virtual Private Network (VPN) credentials for deployment.
Finding Feature Information
Your software release may not support all the features documented in this module. For the latest feature information and caveats, see the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the "Feature Information for Storing PKI Credentials" section.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
Contents
•
Prerequisites for Storing PKI Credentials
•
•
•
•
Prerequisites for Storing PKI Credentials
Prerequisites for Specifying a Local Certificate Storage Location
Before you can specify the local certificate storage location, your system should meet the following requirements:
•
•
•
•
Prerequisites for Specifying USB Token Storage for PKI Credentials
Before you can use a USB token, your system should meet the following requirements:
•
•
•
•
Restrictions for Storing PKI Credentials
Restrictions for Specifying a Local Certificate Storage Location
When storing certificates to a local storage location, the following restrictions are applicable:
•
•
Restrictions for Specifying USB Token Storage
When using a USB token to store PKI data, the following restrictions are applicable:
•
•
•
Information About Storing PKI Credentials
To determine where to store PKI credentials, you should understand the following concepts:
•
•
Storing Certificates to a Local Storage Location
Certificates are stored to NVRAM by default, however some routers do not have the required amount of NVRAM to successfully store certificates. Introduced in Cisco IOS Release 12.4(2)T is the ability to specify where certificates are stored on a local file system.
All Cisco platforms support NVRAM and flash local storage. Depending on your platform, you may have other supported local storage options including bootflash, slot, disk, USB flash, or USB token.
During run time, you can specify what active local storage device you would like to use to store certificates.
PKI Credentials and USB Tokens
To use a secure USB token on your router, you should understand the following concepts:
How a USB Token Works
A smart card is a small plastic card, containing a microprocessor and memory that allows you to store and process data. A USB token is a smart card with a USB interface. The token can securely store any type of file within its available storage space (32 KB). Configuration files that are stored on the USB token can be encrypted and accessed only via a user PIN. The router will not load the configuration file unless the proper PIN has been configured for secure deployment of router configuration files.
After you plug the USB token into the router, you must log into the USB token; thereafter, you can change default settings, such as the user PIN (default: 1234567890) and the allowed number of failed login attempts (default: 15 attempts) before future logins are refused. For more information on accessing and configuring the USB token, see the section "Logging Into and Setting Up the USB Token."
After you have successfully logged into the USB token, you can copy files from the router on to the USB token via the copy command. USB token RSA keys and associated IPsec tunnels remain available until the router is reloaded. To specify the length of time before the keys are removed and the IPsec tunnels are torn down, issue the crypto pki token removal timeout command. The default timeout is zero, which causes the RSA keys to be removed automatically after the eToken is removed from the router. The default appears in the running configuration as:
crypto pki token default removal timeout 0Table 1 highlights the capabilities of the USB token.
Benefits of USB Tokens
USB token support on a Cisco router provides the following application benefits:
Removable Credentials: Provide or Store VPN Credentials on an External Device for Deployment
A USB token can use smart card technology to store a digital certificate and configuration for IPsec VPN deployment. This ability enhances the capability of the router to generate RSA public keys to authenticate at least one IPsec tunnel. (Because a router can initiate multiple IPsec tunnels, the USB token can contain several certificates, as appropriate.)
Storing VPN credentials on an external device reduces the threat of compromising secure data.
PIN Configuration for Secure File Deployment
A USB token can store a configuration file that can be used for enabling encryption on the router via a user-configured PIN. (That is, no digital certificates, preshared keys, or VPNs are used.)
Touchless or Low Touch Configuration
The USB token can provide remote software configuration and provisioning with little or no human interaction. Configuration is set up as an automated process. That is, the USB token can store a bootstrap configuration that the router can use to boot from after the USB token has been inserted into the router. The bootstrap configuration connects the router to a TFTP server, which contains a configuration that completely configures the router.
RSA Operations
As of Cisco IOS Release 12.4(11)T and later releases, a USB token may be used as a cryptographic device in addition to a storage device. Using a USB token as a cryptographic device allows RSA operations such as key generation, signing, and authentication to be performed on the token.
General-purpose, special-usage, encryption, or signature RSA key pairs with a modulus of 2048 bits or less may be generated from credentials located on your token storage device. Private keys are not distributed and remain on the token by default, however you may configure the private key storage location.
Keys that reside on a USB token are saved to persistent token storage when they are generated. Key deletion will remove the keys stored on the token from persistent storage immediately. (Keys that do not reside on a token are saved to or deleted from nontoken storage locations when the write memory or a similar command is issued.)
Remote Device Configuration and Provisioning in a Secure Device Provisioning (SDP) Environment
As of Cisco IOS Release 12.4(15)T and later releases, SDP may be used to configure a USB token. The configured USB token may be transported to provision a device at a remote location. That is, a USB token may be used to transfer cryptographic information from one network device to another remote network device providing a solution for a staged USB token deployment.
For information about using USB tokens with SDP, see document titles in the "Related Documents" section.
How to Configure PKI Storage
•
•
Specifying a Local Storage Location for Certificates
SUMMARY STEPS
1.
2.
3.
4.
5.
6.
DETAILED STEPS
Examples
The following is sample output for the show crypto pki certificates storage command where the certificates are stored in the certs subdirectory of disk0:
Router# show crypto pki certificates storageCertificates will be stored in disk0:/certs/Setting Up and Using USB Tokens on Cisco Routers
This section contains the following procedures that allow you to configure a router to support USB tokens:
•
•
•
Storing the Configuration on a USB Token
SUMMARY STEPS
1.
2.
3.
DETAILED STEPS
Logging Into and Setting Up the USB Token
Perform this task to log into and to perform the initial set up of a USB token.
Use of RSA Keys with a USB Token
•
•
Automatic Login
Automatic login allows the router to completely come back up without any user or operator intervention. The PIN is stored in the private NVRAM, so it is not visible in the startup or running configuration.
Note
Manual Login
Unlike automatic login, manual login requires that the user know the actual USB token PIN.
Manual login can be used when storing a PIN on the router is not desirable. Manual login may also be suitable for some initial deployment or hardware replacement scenarios for which the router is obtained from the local supplier or drop-shipped to the remote site. Manual login can be executed with or without privileges, and it will make files and RSA keys on the USB token available to the Cisco IOS software. If a secondary configuration file is configured, it will be executed only with the privileges of the user who is performing the login. Thus, if you want to use manual login and set up the secondary configuration on the USB token to perform anything useful, you need to enable privileges.
Manual login can also be used in recovery scenarios for which the router configuration has been lost. If the scenario contains a remote site that normally connects to the core network with a VPN, the loss of the configuration and RSA keys requires out-of-band services that the USB token can provide. The USB token can contain a boot configuration, a secondary configuration, or both, and RSA keys to authenticate the connection.
SUMMARY STEPS
1.
2.
or
configure terminal
3.
4.
5.
DETAILED STEPS
What to Do Next
After you have logged into the USB token, it is available for use.
•
•
•
•
Configuring the USB Token
After you have set up automatic login, you may perform this task to further configure the USB token.
PINs and Passphrases
For additional PIN security with automatic login, you may encrypt your PIN stored in NVRAM and set up a passphrase for your USB token. Establishing a passphrase allows you to keep your PIN secure; another user needs only to know the passphrase, not the PIN.
When the USB token is inserted into the router, the passphrase is needed to decrypt the PIN. Once the PIN is decrypted, the router can then use the PIN to login the USB token.
Note
Unlocking and Locking the USB Token
The USB token itself can be locked (encrypted) or unlocked (decrypted).
Unlocking the USB token allows it to be used. Once unlocked, Cisco IOS treats the token as if it were automatically logged in. Any keys on the USB token are loaded, and if a secondary configuration file is on the token, it is executed with full user privileges (privilege level 15) independent of the privilege level of the logged-in user.
Locking the token, unlike logging out of the token, deletes any RSA keys loaded from the token and runs the secondary unconfiguration file, if configured.
Secondary Configuration and Unconfiguration Files
Configuration files that exist on a USB token are called secondary configuration files. If you create and configure a secondary configuration file, it is executed after the token is logged in. The existence of a secondary configuration file is determined by the presence of a secondary configuration file option in the Cisco IOS configuration stored in NVRAM. When the token is removed or logged out and the removal timer expires, a separate secondary unconfiguration file is processed to remove all secondary configuration elements from the running configuration. Secondary configuration and secondary unconfiguration files are executed at privilege level 15 and are not dependent on the level of the user logged in.
SUMMARY STEPS
1.
2.
3.
4.
5.
6.
7.
DETAILED STEPS
Examples
The following example shows both the configuration and encryption of a user PIN and then the router reloading and the user PIN being unlocked :
! Configuring the user PIN
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)# crypto pki token usbtoken0: user-pin
Enter password:
! Encrypt the user PIN
Router (config)# crypto pki token usbtoken0: encrypted-user-pin
Enter passphrase:
Router(config)# exit
Router#
Sep 20 21:51:38.076: %SYS-5-CONFIG_I: Configured from console by console
!
Router# show running config
.
.
.
crypto pki token usbtoken0 user-pin *encrypted*
.
.
.
! Reloading the router.
!
Router> enable
Password:
!
! Decrypting the user pin.
!
Router# crypto pki token usbtoken0: unlock
Token eToken is usbtoken0
!
Enter passphrase:
Token login to usbtoken0(eToken) successful
Router#
Sep 20 22:31:13.128: %CRYPTO-6-TOKENLOGIN: Cryptographic Token eToken
Login Successful
The following example shows a how a secondary unconfiguration file might be used to remove secondary configuration elements from the running configuration. For example, a secondary configuration file might be used to set up a PKI trustpoint. A corresponding unconfiguration file, named mysecondaryunconfigfile.cfg, might contain this command line:
no crypto pki trustpoint token-tp
If the token were removed and the following commands executed, the trustpoint and associated certificates would be removed from the router's running configuration:
Router# configure terminal
Router(config)# no crypto pki token mytoken secondary unconfig mysecondaryunconfigfile.cfg
What to Do Next
After you have logged into and configured the USB token, it is available for use.
•
•
•
Setting Administrative Functions on the USB Token
Perform this task to change default settings, such as the user PIN, the maximum number of failed attempts on the USB token, or the credential storage location.
SUMMARY STEPS
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
11.
12.
13.
DETAILED STEPS
Troubleshooting USB Tokens
This section contains descriptions of the following Cisco IOS commands that can be used to help troubleshoot possible problems that may arise while using a USB token:
•
•
The show file systems Command
Use the show file systems command to determine whether the router recognizes that there is a USB module plugged into a USB port. The USB module should appear on the list of file systems. If the module does not appear on the list, it can indicate any of the following problems:
•
•
•
SUMMARY STEPS
1.
DETAILED STEPS
Step 1
Router# show file systemsFile Systems:Size(b) Free(b) Type Flags Prefixes- - opaque rw archive:- - opaque rw system:- - opaque rw null:- - network rw tftp:* 129880064 69414912 disk rw flash:#491512 486395 nvram rw nvram:- - opaque wo syslog:- - opaque rw xmodem:- - opaque rw ymodem:- - network rw rcp:- - network rw pram:- - network rw ftp:- - network rw http:- - network rw scp:- - network rw https:- - opaque ro cns:63158272 33037312 usbflash rw usbflash0:32768 858 usbtoken rw usbtoken1:
The show usb device Command
Use the show usb device command to determine if a USB token is supported by Cisco.
SUMMARY STEPS
1.
DETAILED STEPS
Step 1
Router# show usb deviceHost Controller:1Address:0x11Device Configured:YESDevice Supported:YESDescription:eToken Pro 4254Manufacturer:AKSVersion:1.0Serial Number:Device Handle:0x1010000USB Version Compliance:1.0Class Code:0xFFSubclass Code:0x0Protocol:0x0Vendor ID:0x529Product ID:0x514Max. Packet Size of Endpoint Zero:8Number of Configurations:1Speed:LowSelected Configuration:1Selected Interface:0Configuration:Number:1Number of Interfaces:1Description:Attributes:NoneMax Power:60 mAInterface:Number:0Description:Class Code:255Subclass:0Protocol:0Number of Endpoints:0
The show usb controllers Command
Use the show usb controllers command to determine if there is a hardware problem with a USB flash module. If the show usb controllers command displays an error, the error indicates a hardware problem in the USB module.
You can also use the show usb controllers command to verify that copy operations onto a USB flash module are occurring successfully. Issuing the show usb controllers command after performing a file copy should display successful data transfers.
SUMMARY STEPS
1.
DETAILED STEPS
Step 1
Router# show usb controllersName:1362HCDController ID:1Controller Specific Information:Revision:0x11Control:0x80Command Status:0x0Hardware Interrupt Status:0x24Hardware Interrupt Enable:0x80000040Hardware Interrupt Disable:0x80000040Frame Interval:0x27782EDFFrame Remaining:0x13C1Frame Number:0xDA4CLSThreshold:0x628RhDescriptorA:0x19000202RhDescriptorB:0x0RhStatus:0x0RhPort1Status:0x100103RhPort2Status:0x100303Hardware Configuration:0x3029DMA Configuration:0x0Transfer Counter:0x1Interrupt:0x9Interrupt Enable:0x196Chip ID:0x3630Buffer Status:0x0Direct Address Length:0x80A00ATL Buffer Size:0x600ATL Buffer Port:0x0ATL Block Size:0x100ATL PTD Skip Map:0xFFFFFFFFATL PTD Last:0x20ATL Current Active PTD:0x0ATL Threshold Count:0x1ATL Threshold Timeout:0xFFInt Level:1Transfer Completion Codes:Success :920 CRC :0Bit Stuff :0 Stall :0No Response :0 Overrun :0Underrun :0 Other :0Buffer Overrun :0 Buffer Underrun :0Transfer Errors:Canceled Transfers :2 Control Timeout :0Transfer Failures:Interrupt Transfer :0 Bulk Transfer :0Isochronous Transfer :0 Control Transfer:0Transfer Successes:Interrupt Transfer :0 Bulk Transfer :26Isochronous Transfer :0 Control Transfer:894USBD Failures:Enumeration Failures :0 No Class Driver Found:0Power Budget Exceeded:0USB MSCD SCSI Class Driver Counters:Good Status Failures :3 Command Fail :0Good Status Timed out:0 Device not Found:0Device Never Opened :0 Drive Init Fail :0Illegal App Handle :0 Bad API Command :0Invalid Unit Number :0 Invalid Argument:0Application Overflow :0 Device in use :0Control Pipe Stall :0 Malloc Error :0Device Stalled :0 Bad Command Code:0Device Detached :0 Unknown Error :0Invalid Logic Unit Num:0USB Aladdin Token Driver Counters:Token Inserted :1 Token Removed :0Send Insert Msg Fail :0 Response Txns :434Dev Entry Add Fail :0 Request Txns :434Dev Entry Remove Fail:0 Request Txn Fail:0Response Txn Fail :0 Command Txn Fail:0Txn Invalid Dev Handle:0USB Flash File System Counters:Flash Disconnected :0 Flash Connected :1Flash Device Fail :0 Flash Ok :1Flash startstop Fail :0 Flash FS Fail :0USB Secure Token File System Counters:Token Inserted :1 Token Detached :0Token FS success :1 Token FS Fail :0Token Max Inserted :0 Create Talker Failures:0Token Event :0 Destroy Talker Failures:0Watched Boolean Create Failures:0
The dir Command
Use the dir command with the filesystem keyword option usbtoken[0-9]: to display all files, directories, and their permission strings on the USB token.
SUMMARY STEPS
1.
DETAILED STEPS
Step 1
Router# dir usbtoken1:Directory of usbtoken1:/2 d--- 64 Dec 22 2032 05:23:40 +00:00 10005 d--- 4096 Dec 22 2032 05:23:40 +00:00 10018 d--- 0 Dec 22 2032 05:23:40 +00:00 100210 d--- 512 Dec 22 2032 05:23:42 +00:00 100312 d--- 0 Dec 22 2032 05:23:42 +00:00 500013 d--- 0 Dec 22 2032 05:23:42 +00:00 600014 d--- 0 Dec 22 2032 05:23:42 +00:00 700015 ---- 940 Jun 27 1992 12:50:42 +00:00 mystartup-config16 ---- 1423 Jun 27 1992 12:51:14 +00:00 myrunning-config32768 bytes total (858 bytes free)The following sample output displays directory information for all devices the router is aware of:
Router# dir all-filesystemsDirectory of archive:/No files in directoryNo space information availableDirectory of system:/2 drwx 0 <no date> its115 dr-x 0 <no date> lib144 dr-x 0 <no date> memory1 -rw- 1906 <no date> running-config114 dr-x 0 <no date> vfilesNo space information availableDirectory of flash:/1 -rw- 30125020 Dec 22 2032 03:06:04 +00:00 c3825-entservicesk9-mz.123-14.T129880064 bytes total (99753984 bytes free)Directory of nvram:/476 -rw- 1947 <no date> startup-config477 ---- 46 <no date> private-config478 -rw- 1947 <no date> underlying-config1 -rw- 0 <no date> ifIndex-table2 ---- 4 <no date> rf_cold_starts3 ---- 14 <no date> persistent-data491512 bytes total (486395 bytes free)Directory of usbflash0:/1 -rw- 30125020 Dec 22 2032 05:31:32 +00:00 c3825-entservicesk9-mz.123-14.T63158272 bytes total (33033216 bytes free)Directory of usbtoken1:/2 d--- 64 Dec 22 2032 05:23:40 +00:00 10005 d--- 4096 Dec 22 2032 05:23:40 +00:00 10018 d--- 0 Dec 22 2032 05:23:40 +00:00 100210 d--- 512 Dec 22 2032 05:23:42 +00:00 100312 d--- 0 Dec 22 2032 05:23:42 +00:00 500013 d--- 0 Dec 22 2032 05:23:42 +00:00 600014 d--- 0 Dec 22 2032 05:23:42 +00:00 700015 ---- 940 Jun 27 1992 12:50:42 +00:00 mystartup-config16 ---- 1423 Jun 27 1992 12:51:14 +00:00 myrunning-config32768 bytes total (858 bytes free)
Configuration Examples for PKI Storage
This section contains the following configuration examples:
•
•
Storing Certificates to a Specific Local Storage Location: Example
The following configuration example shows how to store certificates to the certs subdirectory. The certs subdirectory does not exist and is automatically created.
Router# dir nvram:114 -rw- 4687 <no date> startup-config115 ---- 5545 <no date> private-config116 -rw- 4687 <no date> underlying-config1 ---- 34 <no date> persistent-data3 -rw- 707 <no date> ioscaroot#7401CA.cer9 -rw- 863 <no date> msca-root#826E.cer10 -rw- 759 <no date> msca-root#1BA8CA.cer11 -rw- 863 <no date> msca-root#75B8.cer24 -rw- 1149 <no date> storagename#6500CA.cer26 -rw- 863 <no date> msca-root#83EE.cer129016 bytes total (92108 bytes free)Router# configure terminalEnter configuration commands, one per line. End with CNTL/Z.Router(config)# crypto pki certificate storage disk0:/certsRequested directory does not exist -- createdCertificates will be stored in disk0:/certs/Router(config)# endRouter# write*May 27 02:09:00:%SYS-5-CONFIG_I:Configured from console by consolememBuilding configuration...[OK]Router# directory disk0:/certsDirectory of disk0:/certs/14 -rw- 707 May 27 2005 02:09:02 +00:00 ioscaroot#7401CA.cer15 -rw- 863 May 27 2005 02:09:02 +00:00 msca-root#826E.cer16 -rw- 759 May 27 2005 02:09:02 +00:00 msca-root#1BA8CA.cer17 -rw- 863 May 27 2005 02:09:02 +00:00 msca-root#75B8.cer18 -rw- 1149 May 27 2005 02:09:02 +00:00 storagename#6500CA.cer19 -rw- 863 May 27 2005 02:09:02 +00:00 msca-root#83EE.cer47894528 bytes total (20934656 bytes free)! The certificate files are now on disk0/certs:Logging Into a USB Token and Saving RSA Keys to the USB Token: Example
The following configuration example shows to how log into the USB token, generate RSA keys, and store the RSA keys onto the USB token:
! Configure the router to automatically log into the eTokenconfigure terminalcrypto pki token default user-pin 0 1234567890! Generate RSA keys and enroll certificates with the CA.crypto pki trustpoint IOSCAenrollment url http://10.23.2.2exitcrypto ca authenticate IOSCACertificate has the following attributes:Fingerprint MD5:23272BD4 37E3D9A4 236F7E1A F534444EFingerprint SHA1:D1B4D9F8 D603249A 793B3CAF 8342E1FE 3934EB7A% Do you accept this certificate? [yes/no]:yesTrustpoint CA certificate accepted.crypto pki enrollcrypto pki enroll IOSCA%% Start certificate enrollment ..% Create a challenge password. You will need to verbally provide thispassword to the CA Administrator in order to revoke your certificate.For security reasons your password will not be saved in the configuration.Please make a note of it.Password:Re-enter password:% The subject name in the certificate will include:c2851-27.cisco.com% Include the router serial number in the subject name? [yes/no]:no% Include an IP address in the subject name? [no]:noRequest certificate from CA? [yes/no]:yes% Certificate request sent to Certificate Authority% The 'show crypto ca certificate IOSCA verbose' command will show the fingerprint.*Jan 13 06:47:19.413:CRYPTO_PKI: Certificate Request Fingerprint MD5:E6DDAB1B0E30EFE6 54529D8A DA787DBA*Jan 13 06:47:19.413:CRYPTO_PKI: Certificate Request Fingerprint SHA1:3B0F33B7 57C02A10 3935042B C4B6CD3D 61039251*Jan 13 06:47:21.021:%PKI-6-CERTRET:Certificate received from Certificate Authority! Issue the write memory command, which will automatically save the RSA keys to the eToken ! instead of private NVRAM.Router# write memoryBuilding configuration...[OK]*Jan 13 06:47:29.481:%CRYPTO-6-TOKENSTOREKEY:Key c2851-27.cisco.com stored onCryptographic Token eToken SuccessfullyThe following sample output from the show crypto key mypubkey rsa command displays stored credentials after they are successfully loaded from the USB token. Credentials that are stored on the USB token are in the protected area. When storing the credentials on the USB token, the files are stored in a directory called /keystore. However, the key files are hidden from the command-line interface (CLI).
Router# show crypto key mypubkey rsa% Key pair was generated at:06:37:26 UTC Jan 13 2005Key name:c2851-27.cisco.comUsage:General Purpose KeyKey is not exportable.Key Data:305C300D 06092A86 4886F70D 01010105 00034B00 30480241 00E3C644 43AA7DDD732E0F4E 3CA0CDAB 387ABF05 EB8F22F2 2431F1AE 5D51FEE3 FCDEA934 7FBD36037C977854 B8E999BF 7FC93021 7F46ABF8 A4BA2ED6 172D3D09 B5020301 0001% Key pair was generated at:06:37:27 UTC Jan 13 2005Key name:c2851-27.cisco.com.serverUsage:Encryption KeyKey is not exportable.Key Data:307C300D 06092A86 4886F70D 01010105 00036B00 30680261 00DD96AE 4BF912EB2C261922 4784EF98 2E70E837 774B3778 7F7AEB2D 87F5669B BF5DDFBC F0D521A556AB8FDC 9911968E DE347FB0 A514A856 B30EAFF4 D1F453E1 003CFE65 0CCC6DC721FBE3AC 2F8DEA16 126754BC 1433DEF9 53266D33 E7338C95 BB020301 0001Additional References
Related Documents
Connecting the USB modules to the router
Cisco Access Router USB Flash Module and USB eToken Hardware Installation Guide
eToken and USB flash data sheet
RSA keys
File management (loading, copying, and rebooting files)
Cisco IOS Configuration Fundamentals Configuration Guide on Cisco.com
USB Token RSA Operations: Certificate server configuration
"Configuring and Managing a Cisco IOS Certificate Server for PKI Deployment" chapter in the Cisco IOS Security Configuration Guide: Secure Connectivity
See the "Generating a Certificate Server RSA Key Pair" section, the "Configuring a Certificate Server Trustpoint" section, and related examples.
USB Token RSA Operations: Using USB tokens for RSA operations upon initial autoenrollment
"Configuring Certificate Enrollment for a PKI" chapter in the Cisco IOS Security Configuration Guide: Secure Connectivity.
See the "Configuring Certificate Enrollment or Autoenrollment" section.
SDP setup, configuration and use with USB tokens
"Setting Up Secure Device Provisioning (SDP) for Enrollment in a PKI" chapter in the Cisco IOS Security Configuration Guide: Secure Connectivity.
See the feature information section for the feature names on using SDP and USB tokens to deploy PKI credentials.
Technical Assistance
Feature Information for Storing PKI Credentials
Table 2 lists the release history for this feature.
Use Cisco Feature Navigator to find information about platform support and software image support. Cisco Feature Navigator enables you to determine which software images support a specific software release, feature set, or platform. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
Note
.
Table 2 Feature Information for Storing PKI Credentials
USB Token and Secure Device Provisioning (SDP) Integration
12.4(15)T
This feature provides the ability to provision remote devices with USB tokens using SDP.
The following sections in this document provide information about this feature:
•
The following commands were introduced by this feature: binary file, crypto key move rsa, template file.
Note
Cisco IOS USB Token PKI Enhancements — Phase 2
12.4(11)T
This feature enhances USB token functionality by using the USB token as a cryptographic device. USB tokens may be used for RSA operations such as key generation, signing, and authentication.
The following sections in this document provide information about this feature:
•
•
Note
USB Storage PKI Enhancements
12.4(4)T
12.4(11)T
This feature enhances the USB token PIN security for automatic login and increases the flexibility of USB token configuration and the RSA key storage.
Cisco IOS Release 12.4(11)T introduced support for USB Storage on NPE-G2.
The following sections provide information about this feature:
•
The following commands were introduced or modified by this feature: crypto key storage, crypto pki generate rsa, crypto pki token encrypted-user-pin, crypto pki token label, crypto pki token lock, crypto pki token secondary unconfig, crypto pki token unlock
Certificate — Storage Location Specification
12.2(33)SXH
12.2(33)SRA
12.4(2)T
This feature allows you to specify the storage location of local certificates for platforms that support storing certificates as separate files. All Cisco platforms support NVRAM, which is the default location, and flash local storage. Depending on your platform, you may have other supported local storage options including bootflash, slot, disk, USB flash, or USB token.
The following sections provide information about this feature:
•
•
•
The following commands were introduced by this feature: crypto pki certificate storage, show crypto pki certificates storage
USB Storage
12.3(14)T
12.4(11)T
This feature enables certain models of Cisco routers to support USB tokens. USB tokens provide secure configuration distribution and allow users to VPN credentials for deployment.
Cisco IOS Release 12.4(11)T introduced support for USB Storage on NPE-G2.
The following sections provide information about this feature:
•
•
•
The following commands were introduced or modified by this feature: copy, crypto pki token change-pin, crypto pki token login, crypto pki token logout, crypto pki token max-retries, crypto pki token removal timeout, crypto pki token secondary config, crypto pki token user-pin, debug usb driver, dir, show usb controllers, show usb device, show usb driver, show usbtoken
RSA 4096-bit Key Generation in Software Crypto Engine Support
15.1(1)T
The range value for the modulus keyword value for the crypto key generate rsa command is extended from 360 to 2048 bits to 360 to 4096 bits.
Cisco and the Cisco Logo are trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and other countries. A listing of Cisco's trademarks can be found at www.cisco.com/go/trademarks. Third party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1005R)
Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.
© 2007-2011 Cisco Systems, Inc. All rights reserved.
