{
	"id": "c0d6eb7b-2b53-4bf7-b75a-073d951df164",
	"created_at": "2026-04-06T00:18:39.258335Z",
	"updated_at": "2026-04-10T03:31:13.524614Z",
	"deleted_at": null,
	"sha1_hash": "dac79ebb959495639aae27f4af2245ee6f639e2a",
	"title": "Security and VPN Configuration Guide, Cisco IOS XE 17.x - Deploying RSA Keys Within a PKI [Cisco IOS XE 17]",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 232760,
	"plain_text": "Security and VPN Configuration Guide, Cisco IOS XE 17.x - Deploying\r\nRSA Keys Within a PKI [Cisco IOS XE 17]\r\nPublished: 2026-02-24 · Archived: 2026-04-05 15:56:01 UTC\r\nDeploying RSA Keys Within a PKI\r\nThis module explains how to set up and deploy Rivest, Shamir, and Adelman (RSA) keys within a public key infrastructure\r\n(PKI). An RSA key pair (a public and a private key) is required before you can obtain a certificate for your router; that is, the\r\nend host must generate a pair of RSA keys and exchange the public key with the certification authority (CA) to obtain a\r\ncertificate and enroll in a PKI.\r\nNote\r\nSecurity threats, as well as the cryptographic technologies to help protect against them, are constantly changing.\r\nFor more information about the latest Cisco cryptographic recommendations, see the Next Generation\r\nEncryption (NGE) white paper.\r\nPrerequisites for Configuring RSA Keys for a PKI\r\nBefore setting up and deploying RSA keys for a PKI, you should be familiar with the module Cisco IOS PKI\r\nOverview: Understanding and Planning a PKI .\r\nInformation About RSA Keys Configuration\r\nRSA Keys Overview\r\nAn RSA key pair consists of a public key and a private key. When setting up your PKI, you must include the public key in\r\nthe certificate enrollment request. After the certificate has been granted, the public key will be included in the certificate so\r\nthat peers can use it to encrypt data that is sent to the router. The private key is kept on the router and used both to decrypt\r\nthe data sent by peers and to digitally sign transactions when negotiating with peers.\r\nRSA key pairs contain a key modulus value. The modulus determines the size of the RSA key. The larger the modulus, the\r\nmore secure the RSA key. 
However, keys with large modulus values take longer to generate, and encryption and decryption\r\noperations take longer with larger keys.\r\nUsage RSA Keys Versus General-Purpose RSA Keys\r\nThere are two mutually exclusive types of RSA key pairs: usage keys and general-purpose keys. When you generate RSA\r\nkey pairs (via the crypto key generate rsa command), you will be prompted to select either usage keys or general-purpose\r\nkeys.\r\nUsage RSA Keys\r\nUsage keys consist of two RSA key pairs: one RSA key pair is generated and used for encryption and one RSA key pair is\r\ngenerated and used for signatures. With usage keys, each private key is used only for the operation it was generated for, so\r\nneither key is exposed unnecessarily. (With a general-purpose key, one private key is used both for signing and for decryption,\r\nincreasing the exposure of that key.)\r\nhttps://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_pki/configuration/xe-17/sec-pki-xe-17-book/sec-deploy-rsa-pki.html#GUID-1CB802D8-9DE3-447F-BECE-CF22F5E11436\r\nPage 1 of 31\n\nGeneral-Purpose RSA Keys\r\nGeneral-purpose keys consist of only one RSA key pair that is used for both encryption and signatures. General-purpose key\r\npairs are used more frequently than usage key pairs.\r\nHow RSA Key Pairs are Associated with a Trustpoint\r\nA trustpoint is the router's configuration object that represents a certification authority (CA) and the policy for enrolling with it.\r\nThe CA manages certificate requests and issues certificates to participating network devices. These services provide centralized\r\nkey management for the participating devices and are explicitly trusted by the receiver to validate identities and to create digital\r\ncertificates. Before any PKI operations can begin, the CA generates its own RSA key pair and creates a self-signed CA certificate;\r\nthereafter, the CA can sign certificate requests and begin peer enrollment for the PKI.\r\nCaution\r\nDo not manually generate an RSA key pair under a trustpoint. 
If you need to generate the keys manually,\r\ngenerate them as usage keys, not as general-purpose keys.\r\nCaution\r\nCertificate renewal with the regenerate option does not work with a key label that starts with zero ('0'), for\r\nexample, '0test'. The CLI allows such a name to be configured under a trustpoint, and also allows a hostname that starts with\r\nzero. When configuring the rsakeypair name under a trustpoint, do not use a name that starts with zero.\r\nWhen no keypair name is configured and the default keypair is used, make sure the router hostname does\r\nnot start with zero. If it does, configure the rsakeypair name explicitly under the trustpoint with a different\r\nname.\r\nReasons to Store Multiple RSA Keys on a Router\r\nConfiguring multiple RSA key pairs allows the Cisco IOS software to maintain a different key pair for each CA with which\r\nit is dealing, or to maintain multiple key pairs and certificates with the same CA. As a result, the Cisco IOS\r\nsoftware can match the policy requirements of each CA (such as key length, key lifetime, and general-purpose versus usage keys)\r\nwithout compromising the requirements specified by the other CAs.\r\nNamed key pairs (which are specified via the label key-label option) allow you to have multiple RSA key pairs, enabling the\r\nCisco IOS software to maintain a different key pair for each identity certificate.\r\nBenefits of Exportable RSA Keys\r\nCaution\r\nExportable RSA keys should be carefully evaluated before use because using exportable RSA keys\r\nintroduces the risk that these keys might be exposed. RSA keys that already exist are not exportable. New keys\r\nare generated as nonexportable by default. It is not possible to convert an existing nonexportable key to an\r\nexportable key.\r\nAs of Cisco IOS Release 12.2(15)T, users can share the private RSA key pair of a router with standby routers, therefore\r\ntransferring the security credentials between networking devices. 
The key pair that is shared between two routers will allow\r\none router to immediately and transparently take over the functionality of the other router. If the main router were to fail, the\r\nstandby router could be dropped into the network to replace the failed router without the need to regenerate keys, reenroll\r\nwith the CA, or manually redistribute keys.\r\nExporting and importing an RSA key pair also enables users to place the same RSA key pair on multiple routers so that all\r\nmanagement stations using Secure Shell (SSH) can be configured with a single public RSA key. Keep in mind that a private key\r\nshared in this way is only as well protected as the least protected router that holds it: if one of those routers is compromised,\r\nthe SSH host identity of all of them is compromised, and every copy of the key must be replaced.\r\nExportable RSA Keys in PEM-Formatted Files\r\nUsing privacy-enhanced mail (PEM)-formatted files to import or export RSA keys can be helpful for customers who are\r\nrunning Cisco IOS software Release 12.3(4)T or later and who are using secure socket layer (SSL) or secure shell (SSH)\r\napplications to manually generate RSA key pairs and import the keys back into their PKI applications. PEM-formatted files\r\nallow customers to directly use existing RSA key pairs on their Cisco IOS routers instead of generating new keys.\r\nPassphrase Protection While Importing and Exporting RSA Keys\r\nYou have to include a passphrase to encrypt the PKCS12 file or the PEM file that will be exported, and when the PKCS12 or\r\nPEM file is imported, the same passphrase has to be entered to decrypt it. 
Encrypting the PKCS12 or PEM file when it is\r\nexported or imported protects the file from unauthorized access and use while it is being transported or stored\r\non an external device. Once the file leaves the router, the passphrase (together with the chosen cipher) is the only thing\r\nprotecting the private key, so use a long, unpredictable passphrase.\r\nThe passphrase can be any phrase that is at least eight characters in length; it can include spaces and punctuation, excluding\r\nthe question mark (?), which has special meaning to the Cisco IOS parser.\r\nHow to Convert an Exportable RSA Key Pair to a Nonexportable RSA Key Pair\r\nPassphrase protection protects the external PKCS12 or PEM file from unauthorized access and use. To prevent an RSA key\r\npair from being exported, it must be labeled “nonexportable.” To convert an exportable RSA key pair into a nonexportable\r\nkey pair, the key pair must be exported and then reimported without specifying the “exportable” keyword.\r\nHow to Set Up and Deploy RSA Keys Within a PKI\r\nGenerating an RSA Key Pair\r\nNote\r\nWe recommend that you use a new RSA keypair name for the newly configured PKI certificate. If you want to\r\nreuse an existing RSA keypair name (that is associated with an old certificate) for a new PKI certificate, do\r\neither of the following:\r\nReuse the existing RSA keypair as it is; do not regenerate a new RSA keypair with the existing keypair name.\r\nRegenerating a new RSA keypair with an existing RSA keypair name invalidates all the\r\ncertificates associated with the existing RSA keypair.\r\nManually remove the old PKI certificate configurations first, before reusing the existing RSA keypair\r\nname for the new PKI certificate.\r\nPerform this task to manually generate an RSA key pair.\r\nSUMMARY STEPS\r\n1. enable\r\n2. configure terminal\r\n3. crypto key generate rsa [general-keys | usage-keys | signature | encryption ] [label key-label ] [exportable ] [modulus\r\nmodulus-size ] [storage devicename: ] [on devicename: ]\r\n4. exit\r\n5. 
show crypto key mypubkey rsa\r\nDETAILED STEPS\r\nCommand or Action Purpose\r\nStep 1\r\nenable\r\nExample:\r\nRouter\u003e enable\r\nEnables privileged EXEC mode.\r\nEnter your password if prompted.\r\nStep 2\r\nconfigure terminal\r\nExample:\r\nRouter# configure terminal\r\nEnters global configuration mode.\r\nStep 3 crypto key generate rsa [general-keys | usage-keys | signature |\r\nencryption ] [label key-label ] [exportable ] [modulus modulus-size ]\r\n[storage devicename: ] [on devicename: ]\r\nExample:\r\nRouter(config)# crypto key generate rsa usage-keys modulus 2048\r\nGenerates the RSA key pair.\r\nThe storage keyword specifies the key storage location.\r\nIf the router is also a certificate server, the label name given with the key-label argument must be the same name\r\nthat you plan to use for the certificate server (through the crypto pki server cs-label command). If a key-label\r\nargument is not specified, the default value, which is the fully qualified domain name (FQDN) of the router, is used.\r\nIf the exportable RSA key pair is manually generated after the CA certificate has been generated, and before issuing the\r\nno shutdown command, use the crypto ca export pkcs12 command to export a PKCS12 file that contains the certificate\r\nserver certificate and the private key.\r\nBy default, the modulus size of a CA key is 1024 bits. The recommended modulus for a CA key is 2048 bits. 
The range for a modulus size of a CA key is from 360 to 4096 bits. Sizes below 2048 bits are accepted for\r\ncompatibility but should not be used for new keys.\r\nThe on keyword specifies that the RSA key pair is created on the specified device, including a Universal Serial Bus (USB)\r\ntoken, local disk, or NVRAM. The name of the device is followed by a colon (:).\r\nNote\r\nKeys created on a USB token must be 2048 bits or less.\r\nCaution\r\nDo not manually generate an RSA key pair under a trustpoint. If you need to generate the keys manually, generate the key\r\npairs as usage keys and not as general-purpose keys.\r\nStep 4\r\nexit\r\nExample:\r\nRouter(config)# exit\r\nExits global configuration mode.\r\nStep 5\r\nshow crypto key mypubkey rsa\r\nExample:\r\nRouter# show crypto key mypubkey rsa\r\n(Optional) Displays the RSA public keys of your router.\r\nThis step allows you to verify that the RSA key pair has been successfully generated.\r\nWhat to Do Next\r\nAfter you have successfully generated an RSA key pair, you can proceed to any of the additional tasks in this module to\r\ngenerate additional RSA key pairs, perform export and import of RSA key pairs, or configure additional security parameters\r\nfor the RSA key pair (such as encrypting or locking the private key).\r\nManaging RSA Key Pairs and Trustpoint Certificates\r\nPerform this task to configure the router to generate and store multiple RSA key pairs, associate the key pairs with a\r\ntrustpoint, and get the certificates for the router from the trustpoint.\r\nBefore you begin\r\nYou must have already generated an RSA key pair as shown in the “Generating an RSA Key Pair” task.\r\nSUMMARY STEPS\r\n1. enable\r\n2. configure terminal\r\n3. crypto pki trustpoint name\r\n4. 
rsakeypair key-label [key-size [encryption-key-size ]]\r\n5. enrollment selfsigned\r\n6. subject-alt-name name\r\n7. exit\r\n8. crypto pki enroll name\r\n9. exit\r\n10. show crypto key mypubkey rsa\r\nDETAILED STEPS\r\nCommand or Action Purpose\r\nStep 1\r\nenable\r\nExample:\r\nRouter\u003e enable\r\nEnables privileged EXEC mode.\r\nEnter your password if prompted.\r\nStep 2\r\nconfigure terminal\r\nExample:\r\nRouter# configure terminal\r\nEnters global configuration mode.\r\nStep 3\r\ncrypto pki trustpoint name\r\nExample:\r\nRouter(config)# crypto pki trustpoint TESTCA\r\nCreates a trustpoint and enters ca-trustpoint configuration mode.\r\nStep 4 rsakeypair key-label [key-size [encryption-key-size ]]\r\nExample:\r\nRouter(ca-trustpoint)# rsakeypair fancy-keys\r\n(Optional) The key-label argument specifies the name of the RSA key pair generated during enrollment (if it does\r\nnot already exist or if the auto-enroll regenerate command is configured) to be used with the trustpoint certificate. By\r\ndefault, the fully qualified domain name (FQDN) key is used.\r\nThe keypair name cannot start with zero (‘0’). For more details, see the “How RSA Key Pairs are Associated\r\nwith a Trustpoint” section.\r\n(Optional) The key-size argument specifies the size of the RSA key pair. 
The recommended key size is 2048 bits.\r\n(Optional) The encryption-key-size argument specifies the size of the second key, which is used to request separate\r\nencryption and signature keys and certificates.\r\nStep 5\r\nenrollment selfsigned\r\nExample:\r\nRouter(ca-trustpoint)# enrollment selfsigned\r\n(Optional) Specifies self-signed enrollment for a trustpoint.\r\nStep 6\r\nsubject-alt-name name\r\nExample:\r\nRouter(ca-trustpoint)# subject-alt-name TESTCA\r\n(Optional) The name argument specifies the trustpoint’s name in the Subject Alternative Name (subjectAltName) field\r\nin the X.509 certificate, which is contained in the trustpoint certificate. By default, the Subject Alternative Name field\r\nis not included in the certificate.\r\nNote\r\nThis X.509 certificate extension is defined in RFC 5280 (section 4.2.1.6).\r\nThis option is used to create a self-signed trustpoint certificate for the router that contains the trustpoint name in\r\nthe Subject Alternative Name (subjectAltName) field. This Subject Alternative Name can be used only when the\r\nenrollment selfsigned command is specified for self-signed enrollment in the trustpoint policy.\r\nStep 7 exit\r\nExample:\r\nRouter(ca-trustpoint)# exit\r\nExits ca-trustpoint configuration mode.\r\nStep 8\r\ncrypto pki enroll name\r\nExample:\r\nRouter(config)# crypto pki enroll TESTCA\r\nExample:\r\n% Include the router serial number in the subject name? 
[yes/no]: no\r\nExample:\r\n% Include an IP address in the subject name? [no]:\r\nExample:\r\nGenerate Self Signed Router Certificate? [yes/no]: yes\r\nExample:\r\nRouter Self Signed Certificate successfully created\r\nRequests the certificates for the router from the trustpoint.\r\nThe name argument specifies the trustpoint name. Once this command is entered, answer the prompts.\r\nNote\r\nUse the same trustpoint name entered with the crypto pki trustpoint command.\r\nStep 9\r\nexit\r\nExample:\r\nRouter(config)# exit\r\nExits global configuration mode.\r\nStep 10 show crypto key mypubkey rsa\r\nExample:\r\nRouter# show crypto key mypubkey rsa\r\n(Optional) Displays the RSA public keys of your router.\r\nThis step allows you to verify that the RSA key pair has been successfully generated.\r\nExample\r\nThe following example shows how to create a self-signed trustpoint certificate for the router that contains the trustpoint\r\nname in the Subject Alternative Name (subjectAltName) field (the enrollment selfsigned and subject-alt-name lines are\r\nrequired for that, as described in steps 5 and 6 above):\r\nRouter\u003e enable\r\nRouter# configure terminal\r\nRouter(config)#crypto pki trustpoint TESTCA\r\nRouter(ca-trustpoint)#enrollment selfsigned\r\nRouter(ca-trustpoint)#subject-alt-name TESTCA\r\nRouter(ca-trustpoint)#hash sha256\r\nRouter(ca-trustpoint)#rsakeypair testca-rsa-key 2048\r\nRouter(ca-trustpoint)#exit\r\nRouter(config)#crypto pki enroll TESTCA\r\n% Include the router serial number in the subject name? [yes/no]:no\r\n% Include an IP address in the subject name? [no]: no\r\nGenerate Self Signed Router Certificate? 
[yes/no]: yes\r\nRouter Self Signed Certificate successfully created\r\nRouter(config)#\r\nRouter(config)#exit\r\nRouter#\r\nThe following certificate is created:\r\nRouter# show crypto pki certificates verbose\r\nRouter Self-Signed Certificate\r\n Status: Available\r\n Version: 3\r\n Certificate Serial Number (hex): 01\r\n Certificate Usage: General Purpose\r\n Issuer:\r\n hostname=Router.cisco.com\r\n Subject:\r\n Name: Router.cisco.com\r\n hostname=Router.cisco.com\r\n Validity Date:\r\n start date: 11:41:50 EST Aug 13 2012\r\n end date: 19:00:00 EST Dec 31 2019\r\n Subject Key Info:\r\n Public Key Algorithm: rsaEncryption\r\n RSA Public Key: (2048 bit)\r\n Signature Algorithm: SHA256 with RSA Encryption\r\n Fingerprint MD5: CA92D937 593BF19A 5B7F8466 F554D631\r\n Fingerprint SHA1: 57A9D411 2DDFAC81 68260F2F C6C8D7CF 4833F3E9\r\n X509v3 extensions:\r\n X509v3 Subject Key ID: 44340F76 A6B8DC37 80724650 0672875F 741D518C\r\n X509v3 Basic Constraints:\r\n CA: TRUE\r\n X509v3 Authority Key ID: 44340F76 A6B8DC37 80724650 0672875F 741D518C\r\n Authority Info Access:\r\n Associated Trustpoints: TESTCA\r\n-----BEGIN CERTIFICATE-----\r\nMIIBszCCAV2gAwIBAgIBAjANBgkqhkiG9w0BAQQFADAuMQ8wDQYDVQQDEwZURVNU\r\nQ0ExGzAZBgkqhkiG9w0BCQIWDHIxLmNpc2NvLmNvbTAeFw0xMDAzMjIyMDI2MjBa\r\nFw0yMDAxMDEwMDAwMDBaMC4xDzANBgNVBAMTBlRFU1RDQTEbMBkGCSqGSIb3DQEJ\r\nAhYMcjEuY2lzY28uY29tMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAI1xLjvrouLz\r\nRNm8qYWI9Km9yX/wafXndY8A8o4+L8pexQhDlYyiaq7OoK6CYWH/ToyPidFW2DU0\r\nt5WTGnIDcfsCAwEAAaNmMGQwDwYDVR0TAQH/BAUwAwEB/zARBgNVHREECjAIggZU\r\nRVNUQ0EwHwYDVR0jBBgwFoAU+aSVh1+kyn1l+r44IFUY+Uxs1fMwHQYDVR0OBBYE\r\nFPmklYdfpMp9Zfq+OCBVGPlMbNXzMA0GCSqGSIb3DQEBBAUAA0EAbZLnqKUaWu8T\r\nWAIbeReTQTfJLZ8ao/U6cwXN0QKEQ37ghAdGVflFWVG6JUhv2OENNUQHXBYXNUWZ\r\n4oBuU+U1dg==\r\n-----END CERTIFICATE-----\r\nExporting 
and Importing RSA Keys\r\nThis section contains the following tasks that can be used for exporting and importing RSA keys. Whether you are using\r\nPKCS12 files or PEM files, exportable RSA keys allow you to use existing RSA keys on Cisco IOS routers instead of\r\nhaving to generate new RSA keys if the main router were to fail.\r\nExporting and Importing RSA Keys in PKCS12 Files\r\nExporting and importing RSA key pairs enables users to transfer security credentials between devices. The key pair that is\r\nshared between two devices allows one device to immediately and transparently take over the functionality of the other\r\ndevice.\r\nBefore you begin\r\nYou must generate an RSA key pair and mark it “exportable” as specified in the “Generating an RSA Key Pair” task.\r\nNote\r\nYou cannot export RSA keys that existed on the router before your system was upgraded to Cisco IOS\r\nRelease 12.2(15)T or later. You have to generate new RSA keys and label them as “exportable” after you\r\nupgrade the Cisco IOS software.\r\nWhen you import a PKCS12 file that was generated by a third-party application, the PKCS12 file must\r\ninclude a CA certificate.\r\nIf you want to reexport an RSA key pair after you have already exported the key pair and imported it to\r\na target router, you must specify the exportable keyword when you are importing the RSA key pair.\r\nThe largest RSA key a router may import is 2048 bits.\r\nSUMMARY STEPS\r\n1. crypto pki trustpoint name\r\n2. rsakeypair key-label [key-size [encryption-key-size ]]\r\n3. exit\r\n4. crypto pki export trustpointname pkcs12 destination-url password password-phrase\r\n5. crypto pki import trustpointname pkcs12 source-url password password-phrase\r\n6. exit\r\n7. 
show crypto key mypubkey rsa\r\nDETAILED STEPS\r\nCommand or Action Purpose\r\nStep 1\r\ncrypto pki trustpoint name\r\nExample:\r\nRouter(config)# crypto pki trustpoint my-ca\r\nCreates the trustpoint name that is to be associated with the RSA key pair and enters ca-trustpoint configuration mode.\r\nStep 2\r\nrsakeypair key-label [key-size [encryption-key-size ]]\r\nExample:\r\nRouter(ca-trustpoint)# rsakeypair my-keys\r\nSpecifies the key pair that is to be used with the trustpoint.\r\nStep 3\r\nexit\r\nExample:\r\nRouter(ca-trustpoint)# exit\r\nExits ca-trustpoint configuration mode.\r\nStep 4 crypto pki export trustpointname pkcs12 destination-url password password-phrase\r\nExample:\r\nRouter(config)# crypto pki export my-ca pkcs12 tftp://tftpserver/my-keys password mypassword123\r\nExports the RSA keys through the trustpoint name.\r\nThe trustpointname argument enters the name of the trustpoint that issues the certificate a user is going to export.\r\nWhen exporting the PKCS12 file, the trustpoint name is the RSA key name.\r\nThe destination-url argument enters the file system location to which the PKCS12 file containing the RSA key pair is\r\nwritten.\r\nThe password-phrase argument must be entered to encrypt the PKCS12 file for export.\r\nTFTP provides no transport protection, so the passphrase-based encryption of the PKCS12 file is the only thing protecting\r\nthe private key in transit; use a strong passphrase and remove the file from the server once it has been imported.\r\nStep 5 crypto pki import trustpointname pkcs12 source-url password password-phrase\r\nExample:\r\nRouter(config)# crypto pki import my-ca pkcs12 tftp://tftpserver/my-keys password mypassword123\r\nImports the RSA keys to the target router.\r\nThe trustpointname argument enters the name of the trustpoint that issues the certificate a user is going to export or\r\nimport. When importing, the trustpoint name becomes the RSA key name.\r\nThe source-url argument specifies the file system location of the PKCS12 file from which the RSA key pair is imported.\r\nThe password-phrase must be entered to undo the encryption when the RSA keys are imported.\r\nStep 6\r\nexit\r\nExample:\r\nRouter(config)# exit\r\nExits global configuration mode.\r\nStep 7\r\nshow crypto key mypubkey rsa\r\nExample:\r\nRouter# show crypto key mypubkey rsa\r\n(Optional) Displays the RSA public keys of your router.\r\nExporting and Importing RSA Keys in PEM-Formatted Files\r\nPerform this task to export or import RSA key pairs in PEM files.\r\nBefore you begin\r\nYou must generate an RSA key pair and mark it “exportable” as specified in the “Generating an RSA Key Pair” task.\r\nNote\r\nYou cannot export and import RSA keys that were generated without an exportable flag before your\r\nsystem was upgraded to Cisco IOS Release 12.3(4)T or a later release. You have to generate new RSA\r\nkeys after you upgrade the Cisco IOS software.\r\nThe largest RSA key a router may import is 2048 bits.\r\nNote Security threats, as well as the cryptographic technologies to help protect against them, are constantly changing.\r\nFor more information about the latest Cisco cryptographic recommendations, see the Next Generation\r\nEncryption (NGE) white paper.\r\nSUMMARY STEPS\r\n1. crypto key generate rsa {usage-keys | general-keys} label key-label [exportable]\r\n2. 
crypto pki export trustpoint pem {terminal | url destination-url } {3des | des } password password-phrase\r\n3. crypto pki import trustpoint pem [check | exportable | usage-keys] {terminal | url source-url} password password-phrase\r\n4. exit\r\n5. show crypto key mypubkey rsa\r\nDETAILED STEPS\r\nCommand or Action Purpose\r\nStep 1\r\ncrypto key generate rsa {usage-keys | general-keys} label key-label [exportable]\r\nExample:\r\nRouter(config)# crypto key generate rsa general-keys label mykey exportable\r\nGenerates the RSA key pair.\r\nTo use PEM files, the RSA key pair must be labeled exportable.\r\nStep 2 crypto pki export trustpoint pem {terminal | url destination-url } {3des | des }\r\npassword password-phrase\r\nExample:\r\nRouter(config)# crypto pki export mycs pem url nvram: 3des password mypassword123\r\nExports the certificates and RSA keys that are associated with a trustpoint in a PEM-formatted file.\r\nEnter the trustpoint name that is associated with the exported certificate and RSA key pair. 
The trustpoint name must match the name that was specified through the crypto pki trustpoint command.\r\nUse the terminal keyword to display the certificate and RSA key pair in PEM format on the console terminal.\r\nUse the url keyword and destination-url argument to specify the URL of the file system where your router should export\r\nthe certificates and RSA key pair.\r\n(Optional) The 3des keyword encrypts the exported private key with the Triple Data Encryption Standard (3DES) algorithm.\r\n(Optional) The des keyword encrypts the exported private key with the DES algorithm. Single DES has a 56-bit key and\r\ncan be brute-forced; do not use it. Of the two options, always choose 3des.\r\nUse the password-phrase argument to specify the passphrase that is used to encrypt the PEM file; the same passphrase is\r\nneeded to import it.\r\nTip\r\nBe sure to keep the PEM file safe. For example, you may want to store it on another backup router.\r\nStep 3 crypto pki import trustpoint pem [check | exportable | usage-keys] {terminal | url\r\nsource-url} password password-phrase\r\nExample:\r\nRouter(config)# crypto pki import mycs2 pem url nvram: password mypassword123\r\nImports certificates and RSA keys to a trustpoint from PEM-formatted files.\r\nEnter the trustpoint name that is associated with the imported certificate and RSA key pair. 
The trustpoint name must match the name that was specified through the crypto pki trustpoint command.\r\n(Optional) Use the check keyword to specify that an outdated certificate is not allowed.\r\n(Optional) Use the exportable keyword to specify that the imported RSA key pair can be exported again to another Cisco\r\ndevice such as a router.\r\n(Optional) Use the usage-keys keyword to specify that two RSA special usage key pairs will be imported (that is, one\r\nencryption pair and one signature pair), instead of one general-purpose key pair.\r\nUse the source-url argument to specify the URL of the file system from which your router should import the certificates\r\nand RSA key pairs.\r\nUse the password-phrase argument to specify the passphrase that was used to encrypt the PEM file when it was exported.\r\nNote\r\nThe password phrase can be any phrase that is at least eight characters in length; it can include spaces and punctuation,\r\nexcluding the question mark (?), which has special meaning to the Cisco IOS parser.\r\nNote\r\nIf you do not want the key to be exportable from your CA, import it back to the CA after it has been exported as a\r\nnonexportable key pair. 
Thus, the key cannot be taken off again.\r\nStep 4\r\nexit\r\nExample:\r\nRouter(config)# exit\r\nExits global configuration mode.\r\nStep 5\r\nshow crypto key mypubkey rsa\r\nExample:\r\nRouter# show crypto key mypubkey rsa\r\n(Optional) Displays the RSA public keys of your router.\r\nEncrypting and Locking Private Keys on a Router\r\nDigital signatures are used to authenticate one device to another device. To use digital signatures, private information (the\r\nprivate key) must be stored on the device that is providing the signature. The stored private information may aid an attacker\r\nwho steals the hardware device that contains the private key; for example, a thief might be able to use the stolen router to\r\ninitiate a secure connection to another site by using the RSA private keys stored in the router.\r\nNote\r\nRSA keys are lost during password recovery operations. If you lose your password, the RSA keys will be\r\ndeleted when you perform the password recovery operation. (This function prevents an attacker from\r\nperforming password recovery and then using the keys.)\r\nTo protect the private RSA key from an attacker, a user can encrypt the private key that is stored in NVRAM via a\r\npassphrase. Users can also “lock” the private key, which blocks new connection attempts on a running router and protects\r\nthe key in the router if the router is stolen.\r\nPerform this task to encrypt and lock the private key that is saved to NVRAM.\r\nNote\r\nThe RSA keys must be unlocked while enrolling with the CA. 
The keys can be locked while authenticating the router\r\nwith the CA because the private key of the router is not used during authentication.\r\nBefore you begin\r\nBefore encrypting or locking a private key, you should perform the following tasks:\r\nGenerate an RSA key pair as shown in Generating an RSA Key Pair section.\r\nOptionally, you can authenticate and enroll each router with the CA server.\r\nNote\r\nBackward Compatibility Restriction\r\nAny image prior to Cisco IOS Release 12.3(7)T does not support encrypted keys. To prevent your router from\r\nlosing all encrypted keys, ensure that only unencrypted keys are written to NVRAM before booting an image\r\nprior to Cisco IOS Release 12.3(7)T.\r\nIf you must download an image prior to Cisco IOS Release 12.3(7)T, decrypt the key and immediately save the\r\nconfiguration so the downloaded image does not overwrite the configuration.\r\nInteraction with Applications\r\nAn encrypted key is not effective after the router boots up until you manually unlock the key (via the crypto key\r\nunlock rsa command). Depending on which key pairs are encrypted, this functionality may adversely affect\r\napplications such as IP security (IPsec), SSH, and SSL; that is, management of the router over a secure channel\r\nmay not be possible until the necessary key pair is unlocked.\r\n\u003e\r\nSUMMARY STEPS\r\n1. crypto key encrypt [write] rsa [name key-name] passphrase passphrase\r\n2. exit\r\n3. show crypto key mypubkey rsa\r\n4. crypto key lock rsa name key-name ] passphrase passphrase\r\n5. show crypto key mypubkey rsa\r\n6. crypto key unlock rsa [name key-name ] passphrase passphrase\r\n7. configure terminal\r\n8. 
crypto key decrypt [write] rsa [name key-name] passphrase passphrase\r\nDETAILED STEPS\r\nCommand or Action Purpose\r\nStep 1\r\ncrypto key encrypt [write] rsa [name key-name] passphrase passphrase\r\nExample:\r\nRouter(config)# crypto key encrypt write rsa name pki.example.com passphrase password\r\nEncrypts the RSA keys. After this command is issued, the router can continue to use the key; the key remains unlocked.\r\nNote\r\nIf the write keyword is not issued, the configuration must be manually written to NVRAM; otherwise, the encrypted key will be lost the next time the router is reloaded.\r\nStep 2\r\nexit\r\nExample:\r\nRouter(config)# exit\r\nExits global configuration mode.\r\nStep 3\r\nshow crypto key mypubkey rsa\r\nExample:\r\nRouter# show crypto key mypubkey rsa\r\n(Optional) Shows that the private key is encrypted (protected) and unlocked.\r\nNote\r\nYou can also use this command to verify that applications such as Internet Key Exchange (IKE) and SSH are working properly after the key has been encrypted.\r\nStep 4\r\ncrypto key lock rsa [name key-name] passphrase passphrase\r\nExample:\r\nRouter# crypto key lock rsa name pki.example.com passphrase password\r\n(Optional) Locks the encrypted private key on a running router.\r\nNote\r\nAfter the key is locked, it cannot be used to authenticate the router to a peer device. This behavior disables any IPsec or SSL connections that use the locked key. Any existing IPsec tunnels created on the basis of the locked key will be closed. If all RSA keys are locked, SSH will automatically be disabled.\r\nStep 5\r\nshow crypto key mypubkey rsa\r\nExample:\r\nRouter# show crypto key mypubkey rsa\r\n(Optional) Shows that the private key is protected and locked. The output will also show failed connection attempts via applications such as IKE, SSH, and SSL.\r\nStep 6\r\ncrypto key unlock rsa [name key-name] passphrase passphrase\r\nExample:\r\nRouter# crypto key unlock rsa name pki.example.com passphrase password\r\n(Optional) Unlocks the private key.\r\nNote\r\nAfter this command is issued, you can again establish IKE tunnels.\r\nStep 7\r\nconfigure terminal\r\nExample:\r\nRouter# configure terminal\r\nEnters global configuration mode.\r\nStep 8\r\ncrypto key decrypt [write] rsa [name key-name] passphrase passphrase\r\nExample:\r\nRouter(config)# crypto key decrypt write rsa name pki.example.com passphrase password\r\n(Optional) Deletes the encrypted key and leaves only the unencrypted key.\r\nNote\r\nThe write keyword immediately saves the unencrypted key to NVRAM. If the write keyword is not issued, the configuration must be manually written to NVRAM; otherwise, the key will remain encrypted the next time the router is reloaded.\r\nRemoving RSA Key Pair Settings\r\nAn RSA key pair may need to be removed for one of the following reasons:\r\nDuring manual PKI operations and maintenance, old RSA keys can be removed and replaced with new keys.\r\nAn existing CA is replaced and the new CA requires newly generated keys; for example, the required key size might have changed in an organization, so you would have to delete the old 1024-bit keys and generate new 2048-bit keys.\r\nThe peer router's public keys can be deleted in order to help debug signature verification problems in IKEv1 and IKEv2. Keys are cached by default with the lifetime of the certificate revocation list (CRL) associated with the trustpoint.\r\nPerform this task to remove all RSA keys or the specified RSA key pair that has been generated by your router.\r\nSUMMARY STEPS\r\n1. enable\r\n2. configure terminal\r\n3. crypto key zeroize rsa [key-pair-label]\r\n4. crypto key zeroize pubkey-chain [index]\r\n5. exit\r\n6. 
show crypto key mypubkey rsa\r\nDETAILED STEPS\r\nCommand or Action Purpose\r\nStep 1\r\nenable\r\nExample:\r\nRouter\u003e enable\r\nEnables privileged EXEC mode. Enter your password if prompted.\r\nStep 2\r\nconfigure terminal\r\nExample:\r\nRouter# configure terminal\r\nEnters global configuration mode.\r\nStep 3\r\ncrypto key zeroize rsa [key-pair-label]\r\nExample:\r\nRouter(config)# crypto key zeroize rsa fancy-keys\r\nDeletes RSA key pairs from your router. If the key-pair-label argument is not specified, all RSA keys that have been generated by your router will be deleted.\r\nStep 4\r\ncrypto key zeroize pubkey-chain [index]\r\nExample:\r\nRouter(config)# crypto key zeroize pubkey-chain\r\nDeletes the remote peer’s public key from the cache.\r\n(Optional) Use the index argument to delete a particular public key index entry. If no index entry is specified, then all the entries are deleted. 
The acceptable range of index entries is from 1 to 65535.\r\nStep 5\r\nexit\r\nExample:\r\nRouter(config)# exit\r\nExits global configuration mode.\r\nStep 6\r\nshow crypto key mypubkey rsa\r\nExample:\r\nRouter# show crypto key mypubkey rsa\r\n(Optional) Displays the RSA public keys of your router. This step allows you to verify that the RSA key pair has actually been removed.\r\nConfiguration Examples for RSA Key Pair Deployment\r\nGenerating and Specifying RSA Keys Example\r\nThe following example is a sample trustpoint configuration that shows how to generate and specify the RSA key pair “exampleCAkeys”:\r\ncrypto key generate rsa general-keys label exampleCAkeys\r\ncrypto pki trustpoint exampleCAkeys\r\n enrollment url http://exampleCAkeys/certsrv/mscep/mscep.dll\r\n rsakeypair exampleCAkeys 1024 1024\r\nNote that 1024-bit RSA keys are below current Cisco NGE recommendations; use a modulus of at least 2048 bits for new deployments.\r\nExporting and Importing RSA Keys Examples\r\nExporting and Importing RSA Keys in PKCS12 Files Example\r\nIn the following example, an RSA key pair “mynewkp” is generated on Router A, and a trustpoint named “mynewtp” is created and associated with the RSA key pair. The trustpoint is exported to a TFTP server so that it can be imported on Router B. By importing the trustpoint “mynewtp” on Router B, the user has imported the RSA key pair “mynewkp” to Router B. The PKCS #12 file carries the private key protected only by the export password, and TFTP provides no transport security, so choose a strong password and delete the file from the server once the import has succeeded.\r\nRouter A\r\ncrypto key generate rsa general-keys label mynewkp exportable\r\n! The name for the keys will be:mynewkp\r\nChoose the size of the key modulus in the range of 360 to 2048 for your\r\nGeneral Purpose Keys. Choosing a key modulus greater than 512 may take\r\na few minutes.\r\nHow many bits in the modulus [512]: 2048\r\n% Generating 2048 bit RSA keys ...[OK]\r\n!\r\ncrypto pki trustpoint mynewtp\r\n rsakeypair mynewkp\r\n exit\r\ncrypto pki export mynewtp pkcs12 tftp://mytftpserver/myexport password mypassword123\r\nDestination filename [myexport]?\r\nWriting pkcs12 file to tftp://mytftpserver/myexport\r\nCRYPTO_PKI:Exported PKCS12 file successfully.\r\nVerifying checksum... OK (0x3307)\r\n!\r\nJuly 8 17:30:09 GMT:%CRYPTO-6-PKCS12EXPORT_SUCCESS:PKCS #12 Successfully Exported.\r\nRouter B\r\ncrypto pki import mynewtp pkcs12 tftp://mytftpserver/myexport password mypassword123\r\nSource filename [myexport]?\r\nCRYPTO_PKI:Imported PKCS12 file successfully.\r\n!\r\nJuly 8 18:07:50 GMT:%CRYPTO-6-PKCS12IMPORT_SUCCESS:PKCS #12 Successfully Imported.\r\nExporting and Importing RSA Keys in PEM Files Example\r\nThe following example shows the generation, export, and import of the RSA key pair \"mytp\", and verifies its status:\r\n! Generate the key pair\r\n!\r\nRouter(config)# crypto key generate rsa general-keys label mytp exportable\r\n \r\nThe name for the keys will be: mytp\r\nChoose the size of the key modulus in the range of 360 to 2048 for your\r\nGeneral Purpose Keys. Choosing a key modulus greater than 512 may take a few minutes.\r\nHow many bits in the modulus [512]: 2048\r\n% Generating 2048 bit RSA keys ...[OK]\r\n!\r\n! 
Archive the key pair to a remote location, and use a good password.\r\n!\r\nRouter(config)# crypto pki export mytp pem url nvram:mytp 3des password mypassword123\r\n \r\n% Key name:mytp\r\nUsage:General Purpose Key\r\nExporting public key...\r\nDestination filename [mytp.pub]?\r\nWriting file to nvram:mytp.pub\r\nExporting private key...\r\nDestination filename [mytp.prv]?\r\nWriting file to nvram:mytp.prv\r\n!\r\n! Import the key under a different name.\r\n!\r\nRouter(config)# crypto pki import mytp2 pem url nvram:mytp password mypassword123\r\n \r\n% Importing public key or certificate PEM file...\r\nSource filename [mytp.pub]?\r\nReading file from nvram:mytp.pub\r\n% Importing private key PEM file...\r\nSource filename [mytp.prv]?\r\nReading file from nvram:mytp.prv\r\n% Key pair import succeeded.\r\n!\r\n! After the key has been imported, it is no longer exportable.\r\n!\r\n! Verify the status of the key.\r\n!\r\nRouter# show crypto key mypubkey rsa\r\n \r\n% Key pair was generated at:18:04:56 GMT Jun 6 2011\r\nKey name:mytp\r\nUsage:General Purpose Key\r\nKey is exportable.\r\nKey Data:\r\n30819F30 0D06092A 864886F7 0D010101 05000381 8D003081 89028181 00E65253\r\n9C30C12E 295AB73F B1DF9FAD 86F88192 7D4FA4D2 8BA7FB49 9045BAB9 373A31CB\r\nA6B1B8F4 329F2E7E 8A50997E AADBCFAA 23C29E19 C45F4F05 DBB2FA51 4B7E9F79\r\nA1095115 759D6BC3 5DFB5D7F BCF655BF 6317DB12 A8287795 7D8DC6A3 D31B2486\r\nC9C96D2C 2F70B50D 3B4CDDAE F661041A 445AE11D 002EEF08 F2A627A0 5B020301 0001\r\n% Key pair was generated at:18:17:25 GMT Jun 6 2011\r\nKey name:mytp2\r\nUsage:General Purpose Key\r\nKey is not exportable.\r\nKey Data:\r\n30819F30 0D06092A 864886F7 0D010101 05000381 8D003081 89028181 00E65253\r\n9C30C12E 295AB73F B1DF9FAD 86F88192 7D4FA4D2 8BA7FB49 9045BAB9 373A31CB\r\nA6B1B8F4 329F2E7E 8A50997E AADBCFAA 23C29E19 C45F4F05 DBB2FA51 4B7E9F79\r\nA1095115 759D6BC3 5DFB5D7F BCF655BF 6317DB12 A8287795 7D8DC6A3 D31B2486\r\nC9C96D2C 2F70B50D 3B4CDDAE F661041A 445AE11D 002EEF08 F2A627A0 5B020301 0001\r\nExporting Router RSA Key Pairs and Certificates from PEM Files Example\r\nThe following example shows how to generate and export the RSA key pair “aaa” and the certificates of the router in PEM files that are associated with the trustpoint “mycs.” This example also shows PEM-formatted files, which include PEM boundaries before and after the base64-encoded data, as used by other SSL and SSH applications.\r\nRouter(config)# crypto key generate rsa general-keys label aaa exportable\r\n \r\nThe name for the keys will be:aaa\r\nChoose the size of the key modulus in the range of 360 to 2048 for your General Purpose Keys. 
Choosing a key modulus greater than 512 may take a few minutes.\r\nHow many bits in the modulus [512]:\r\n% Generating 512 bit RSA keys ...[OK]\r\n!\r\n! The 512-bit default was accepted here only for illustration; that size is far below current recommendations and must not be used in production.\r\nRouter(config)# crypto pki trustpoint mycs\r\nRouter(ca-trustpoint)# enrollment url http://mycs\r\nRouter(ca-trustpoint)# rsakeypair aaa\r\nRouter(ca-trustpoint)# exit\r\n!\r\n! Compare the CA certificate fingerprint with the value obtained out of band from the CA administrator before accepting it.\r\nRouter(config)# crypto pki authenticate mycs\r\nCertificate has the following attributes:\r\nFingerprint:C21514AC 12815946 09F635ED FBB6CF31\r\n% Do you accept this certificate? [yes/no]: y\r\nTrustpoint CA certificate accepted.\r\n!\r\nRouter(config)# crypto pki enroll mycs\r\n%\r\n% Start certificate enrollment ..\r\n% Create a challenge password. You will need to verbally provide this password to the CA Administrator in order to revoke\r\nFor security reasons your password will not be saved in the configuration.\r\nPlease make a note of it.\r\nPassword:\r\nRe-enter password:\r\n% The fully-qualified domain name in the certificate will be: Router\r\n% The subject name in the certificate will be:host.example.com\r\n% Include the router serial number in the subject name? [yes/no]: n\r\n% Include an IP address in the subject name? [no]: n\r\nRequest certificate from CA? [yes/no]: y\r\n% Certificate request sent to Certificate Authority\r\n% The certificate request fingerprint will be displayed.\r\n% The 'show crypto ca certificate' command will also show the fingerprint.\r\nRouter(config)# Fingerprint:8DA777BC 08477073 A5BE2403 812DD157\r\n00:29:11:%CRYPTO-6-CERTRET:Certificate received from Certificate Authority\r\nRouter(config)# crypto pki export mycs pem terminal 3des password\r\n \r\n% CA certificate:\r\n-----BEGIN CERTIFICATE-----\r\nMIICAzCCAa2gAwIBAgIBATANBgkqhkiG9w0BAQUFADBOMQswCQYDVQQGEwJVUzES\r\n\u003csnip\u003e\r\nwaDeNOSI3WlDa0AWq5DkVBkxwgn0TqIJXJOCttjHnWHK1LMcMVGn\r\n-----END CERTIFICATE-----\r\n% Key name:aaa\r\nUsage:General Purpose Key\r\n-----BEGIN RSA PRIVATE KEY-----\r\nProc-Type:4,ENCRYPTED\r\nDEK-Info:DES-EDE3-CBC,ED6B210B626BC81A\r\nUrguv0jnjwOgowWVUQ2XR5nbzzYHI2vGLunpH/IxIsJuNjRVjbAAUpGk7VnPCT87\r\n\u003csnip\u003e\r\nkLCOtxzEv7JHc72gMku9uUlrLSnFH5slzAtoC0czfU4=\r\n-----END RSA PRIVATE KEY-----\r\n% Certificate:\r\n-----BEGIN CERTIFICATE-----\r\nMIICTjCCAfigAwIBAgICIQUwDQYJKoZIhvcNAQEFBQAwTjELMAkGA1UEBhMCVVMx\r\n\u003csnip\u003e\r\n6xlBaIsuMxnHmr89KkKkYlU6\r\n-----END CERTIFICATE-----\r\nImporting Router RSA Key Pairs and Certificate from PEM Files Example\r\nThe following example shows how to import the RSA key pair and certificates to the trustpoint “ggg” from PEM files via TFTP:\r\nRouter(config)# crypto pki import ggg pem url tftp://10.1.1.2/username/msca password\r\n \r\n% Importing CA certificate...\r\nAddress or name of remote host [10.1.1.2]?\r\nDestination filename [username/msca.ca]?\r\nReading file from tftp://10.1.1.2/username/msca.ca\r\nLoading username/msca.ca from 10.1.1.2 (via Ethernet0):!\r\n[OK - 1082 bytes]\r\n% Importing private key PEM file...\r\nAddress or name of remote host [10.1.1.2]?\r\nDestination filename [username/msca.prv]?\r\nReading file from tftp://10.1.1.2/username/msca.prv\r\nLoading username/msca.prv from 10.1.1.2 (via Ethernet0):!\r\n[OK - 573 bytes]\r\n% Importing certificate PEM file...\r\nAddress or name of remote host [10.1.1.2]?\r\nDestination filename [username/msca.crt]?\r\nReading file from tftp://10.1.1.2/username/msca.crt\r\nLoading username/msca.crt from 10.1.1.2 (via Ethernet0):!\r\n[OK - 1289 bytes]\r\n% PEM files import succeeded.\r\nRouter(config)#\r\nEncrypting and Locking Private Keys on a Router Examples\r\nConfiguring and Verifying an Encrypted Key Example\r\nThe following example shows how to encrypt the RSA key “pki-123.example.com.” Thereafter, the show crypto key mypubkey rsa command is issued to verify that the RSA key is encrypted (protected) and unlocked.\r\nRouter(config)# crypto key encrypt rsa name pki-123.example.com passphrase password\r\nRouter(config)# exit\r\nRouter# show crypto key mypubkey rsa\r\n% Key pair was generated at:00:15:32 GMT Jun 25 2003\r\nKey name:pki-123.example.com\r\nUsage:General Purpose Key\r\n*** The key is protected and UNLOCKED. 
***\r\nKey is not exportable.\r\nKey Data:\r\n305C300D 06092A86 4886F70D 01010105 00034B00 30480241 00E0CC9A 1D23B52C\r\nCD00910C ABD392AE BA6D0E3F FC47A0EF 8AFEE340 0EC1E62B D40E7DCC\r\n23C4D09E\r\n03018B98 E0C07B42 3CFD1A32 2A3A13C0 1FF919C5 8DE9565F 1F020301 0001\r\n% Key pair was generated at:00:15:33 GMT Jun 25 2003\r\nKey name:pki-123.example.com.server\r\nUsage:Encryption Key\r\nKey is exportable.\r\nKey Data:\r\n307C300D 06092A86 4886F70D 01010105 00036B00 30680261 00D3491E 2A21D383\r\n854D7DA8 58AFBDAC 4E11A7DD E6C40AC6 66473A9F 0C845120 7C0C6EC8 1FFF5757\r\n3A41CE04 FDCB40A4 B9C68B4F BC7D624B 470339A3 DE739D3E F7DDB549 91CD4DA4\r\nDF190D26 7033958C 8A61787B D40D28B8 29BCD0ED 4E6275C0 6D020301 0001\r\nRouter#\r\nConfiguring and Verifying a Locked Key Example\r\nThe following example shows how to lock the key “pki-123.example.com.” Thereafter, the show crypto key mypubkey rsa\r\ncommand is issued to verify that the key is protected (encrypted) and locked.\r\nRouter# crypto key lock rsa name pki-123.example.com passphrase password\r\n!\r\nRouter# show crypto key mypubkey rsa\r\n \r\n% Key pair was generated at:20:29:41 GMT Jun 20 2003\r\nKey name:pki-123.example.com\r\nUsage:General Purpose Key\r\n*** The key is protected and LOCKED. 
***\r\nKey is exportable.\r\nKey Data:\r\n305C300D 06092A86 4886F70D 01010105 00034B00 30480241 00D7808D C5FF14AC\r\n0D2B55AC 5D199F2F 7CB4B355 C555E07B 6D0DECBE 4519B1F0 75B12D6F 902D6E9F\r\nB6FDAD8D 654EF851 5701D5D7 EDA047ED 9A2A619D 5639DF18 EB020301 0001\r\nAdditional References\r\nRelated Documents\r\nRelated Topic: Overview of PKI, including RSA keys, certificate enrollment, and CAs. Document Title: Cisco IOS PKI Overview: Understanding and Planning a PKI\r\nRelated Topic: PKI commands: complete command syntax, command mode, defaults, usage guidelines, and examples. Document Title: Cisco IOS Security Command Reference\r\nRelated Topic: Recommended cryptographic algorithms. Document Title: Next Generation Encryption\r\nMIBs\r\nMIBs: None. MIBs Link: To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL: http://www.cisco.com/go/mibs\r\nRFCs\r\nRFC 2409: The Internet Key Exchange (IKE)\r\nRFC 2511: Internet X.509 Certificate Request Message Format\r\nTechnical Assistance\r\nLink: http://www.cisco.com/cisco/web/support/index.html\r\nDescription: The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies. 
Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password.\r\nFeature Information for Overview of Cisco TrustSec\r\nThe following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.\r\nUse Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.\r\nTable 1. Feature Information for Overview of Cisco TrustSec\r\nFeature Name: IPv6 enablement - Inline Tagging. Releases: Cisco IOS XE Fuji 16.8.1. Feature Information: The support for IPv6 is introduced.\r\nSource: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_pki/configuration/xe-17/sec-pki-xe-17-book/sec-deploy-rsa-pki.html#GUID-1CB802D8-9DE3-447F-BECE-CF22F5E11436",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_pki/configuration/xe-17/sec-pki-xe-17-book/sec-deploy-rsa-pki.html#GUID-1CB802D8-9DE3-447F-BECE-CF22F5E11436"
	],
	"report_names": [
		"sec-deploy-rsa-pki.html#GUID-1CB802D8-9DE3-447F-BECE-CF22F5E11436"
	],
	"threat_actors": [
		{
			"id": "f4f16213-7a22-4527-aecb-b964c64c2c46",
			"created_at": "2024-06-19T02:03:08.090932Z",
			"updated_at": "2026-04-10T02:00:03.6289Z",
			"deleted_at": null,
			"main_name": "GOLD NIAGARA",
			"aliases": [
				"Calcium ",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Navigator ",
				"Sangria Tempest ",
				"TelePort Crew "
			],
			"source_name": "Secureworks:GOLD NIAGARA",
			"tools": [
				"Bateleur",
				"Carbanak",
				"Cobalt Strike",
				"DICELOADER",
				"DRIFTPIN",
				"GGLDR",
				"GRIFFON",
				"JSSLoader",
				"Meterpreter",
				"OFFTRACK",
				"PILLOWMINT",
				"POWERTRASH",
				"SUPERSOFT",
				"TAKEOUT",
				"TinyMet"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434719,
	"ts_updated_at": 1775791873,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/dac79ebb959495639aae27f4af2245ee6f639e2a.pdf",
		"text": "https://archive.orkl.eu/dac79ebb959495639aae27f4af2245ee6f639e2a.txt",
		"img": "https://archive.orkl.eu/dac79ebb959495639aae27f4af2245ee6f639e2a.jpg"
	}
}