https://community.cisco.com/t5/network-security/crypto-key-rsa-no-longer-supported/m-p/5261318#M1119592 <P>C9500・C9200Lの17.12.xで同じ問題に直面しました。<BR />グローバルコンフィギュレーションモードではなく特権モードで実行しなければならないようです。<BR /><SPAN>17.11.1.aからの</SPAN>仕様変更の可能性があります。</P> <P>BSTの通りにしたら警告は出なくなりました。<BR /><SPAN>Old Behavior: Router1(config)#crypto key generate rsa label KEYS modulus 2048<BR />New Behavior: Lab-Router1#crypto key generate rsa label KEYS modulus 2048</SPAN></P> <P><SPAN>コンフィギュレーションガイドにこの仕様変更情報が記載されていないことが問題ですね。</SPAN></P> <P>&nbsp;</P> <BLOCKQUOTE><HR /><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/1812299">@thomas-moffat</a>&nbsp;さんは書きました:<BR /> <P>Hello,</P> <P>I have configured a switch on ios 17.12.4 with the following command '<SPAN>crypto </SPAN><SPAN>key generate rsa general-keys modulus 2048.' Upon entering this command the following was output in the console:</SPAN></P> <P><EM>crypto key generate rsa general-keys modulus 2048' is a hidden command. Use of this command is not recommended/supported and will be removed in future</EM></P> <P>Please can someone advise what command is replacing the above, we have roughly 2000 switches all soon to be upgraded to 17.12.4.</P> <HR /></BLOCKQUOTE> <P><BR /><BR /><BR /><A href="https://bst.cisco.com/quickview/bug/CSCwm08390" target="_blank" rel="noopener">Cisco Bug: CSCwm08390 - Many "Crypto Key" commands trigger a PARSER-5-HIDDEN error when issued in global configuration mode</A><BR /><BR /></P> <P><A href="https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst9500/software/release/17-12/configuration_guide/sec/b_1712_sec_9500_cg/secure_shell_version_2_support.html#configuration_examples_for_secure_shell_version_2_support" target="_blank">Security Configuration Guide, Cisco IOS XE Dublin 17.12.x (Catalyst 9500 Switches) - Secure Shell Version 2 Support [Cisco Catalyst 9500 Series Switches] - Cisco</A><BR /><BR /><BR /><A href="https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst9300/software/release/17-12/configuration_guide/sec/b_1712_sec_9300_cg/secure_shell_version_2_support.html#g_how_to_configure_ssh_v2" target="_blank">Security Configuration Guide, Cisco IOS XE Dublin 17.12.x (Catalyst 9300 Switches) - Secure Shell Version 2 Support [Cisco Catalyst 9300 Series Switches] - Cisco</A></P> Mon, 17 Feb 2025 10:19:11 GMT Gaming_Bear 2025-02-17T10:19:11Z https://community.cisco.com/t5/network-security/crypto-key-rsa-no-longer-supported/m-p/5223829#M1117536 <P>Hello,</P><P>I have configured a switch on ios 17.12.4 with the following command '<SPAN>crypto </SPAN><SPAN>key generate rsa general-keys modulus 2048.' Upon entering this command the following was output in the console:</SPAN></P><P><EM>crypto key generate rsa general-keys modulus 2048' is a hidden command. Use of this command is not recommended/supported and will be removed in future</EM></P><P>Please can someone advise what command is replacing the above, we have roughly 2000 switches all soon to be upgraded to 17.12.4.</P> Wed, 13 Nov 2024 15:51:05 GMT https://community.cisco.com/t5/network-security/crypto-key-rsa-no-longer-supported/m-p/5223829#M1117536 thomas-moffat 2024-11-13T15:51:05Z https://community.cisco.com/t5/network-security/crypto-key-rsa-no-longer-supported/m-p/5223835#M1117537 <P>the new device support up to 4096 but there is limitation also for this value</P> <P>it better to open TAC and ask cisco about this point&nbsp;</P> <P>MHM</P> Wed, 13 Nov 2024 16:07:02 GMT https://community.cisco.com/t5/network-security/crypto-key-rsa-no-longer-supported/m-p/5223835#M1117537 MHM Cisco World 2024-11-13T16:07:02Z https://community.cisco.com/t5/network-security/crypto-key-rsa-no-longer-supported/m-p/5223890#M1117538 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/1812299">@thomas-moffat</a>&nbsp;Perhaps use Elliptic Curve instead - "crypto key generate ec keysize 256 label EC-KEY"</P> <P>"From Cisco IOS XE Release 17.10, the minimum RSA key pair size must be 2048 bits."</P> <P>"From Cisco IOS XE Release 17.11, if you want to continue using the weak RSA key, disable CSDL compliance on the device using the<STRONG> <SPAN class="keyword kwd">crypto</SPAN> <SPAN class="keyword kwd">engine</SPAN> <SPAN class="keyword kwd">compliance</SPAN> <SPAN class="keyword kwd">shield</SPAN> <SPAN class="keyword kwd">disable</SPAN> </STRONG> command, and reboot." <A href="https://www.cisco.com/c/en/us/td/docs/routers/ios/config/17-x/sec-vpn/b-security-vpn/m_sec-secure-shell-v2-0.html" target="_blank">https://www.cisco.com/c/en/us/td/docs/routers/ios/config/17-x/sec-vpn/b-security-vpn/m_sec-secure-shell-v2-0.html</A></P> <P>&nbsp;</P> <P>&nbsp;</P> Wed, 13 Nov 2024 18:36:22 GMT https://community.cisco.com/t5/network-security/crypto-key-rsa-no-longer-supported/m-p/5223890#M1117538 Rob Ingram 2024-11-13T18:36:22Z https://community.cisco.com/t5/network-security/crypto-key-rsa-no-longer-supported/m-p/5227272#M1117723 <P>It seems that modern IOS-XE v17.15.x / v17.x.y <STRONG>gives this error</STRONG> <U>when you specify</U> an RSA modulus <U><STRONG>&gt;</STRONG></U> 1024 bits.</P><P>&nbsp;</P> Thu, 21 Nov 2024 14:27:03 GMT https://community.cisco.com/t5/network-security/crypto-key-rsa-no-longer-supported/m-p/5227272#M1117723 BrianSekleckiGE 2024-11-21T14:27:03Z https://community.cisco.com/t5/network-security/crypto-key-rsa-no-longer-supported/m-p/5261318#M1119592 <P>C9500・C9200Lの17.12.xで同じ問題に直面しました。<BR />グローバルコンフィギュレーションモードではなく特権モードで実行しなければならないようです。<BR /><SPAN>17.11.1.aからの</SPAN>仕様変更の可能性があります。</P> <P>BSTの通りにしたら警告は出なくなりました。<BR /><SPAN>Old Behavior: Router1(config)#crypto key generate rsa label KEYS modulus 2048<BR />New Behavior: Lab-Router1#crypto key generate rsa label KEYS modulus 2048</SPAN></P> <P><SPAN>コンフィギュレーションガイドにこの仕様変更情報が記載されていないことが問題ですね。</SPAN></P> <P>&nbsp;</P> <BLOCKQUOTE><HR /><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/1812299">@thomas-moffat</a>&nbsp;さんは書きました:<BR /> <P>Hello,</P> <P>I have configured a switch on ios 17.12.4 with the following command '<SPAN>crypto </SPAN><SPAN>key generate rsa general-keys modulus 2048.' Upon entering this command the following was output in the console:</SPAN></P> <P><EM>crypto key generate rsa general-keys modulus 2048' is a hidden command. Use of this command is not recommended/supported and will be removed in future</EM></P> <P>Please can someone advise what command is replacing the above, we have roughly 2000 switches all soon to be upgraded to 17.12.4.</P> <HR /></BLOCKQUOTE> <P><BR /><BR /><BR /><A href="https://bst.cisco.com/quickview/bug/CSCwm08390" target="_blank" rel="noopener">Cisco Bug: CSCwm08390 - Many "Crypto Key" commands trigger a PARSER-5-HIDDEN error when issued in global configuration mode</A><BR /><BR /></P> <P><A href="https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst9500/software/release/17-12/configuration_guide/sec/b_1712_sec_9500_cg/secure_shell_version_2_support.html#configuration_examples_for_secure_shell_version_2_support" target="_blank">Security Configuration Guide, Cisco IOS XE Dublin 17.12.x (Catalyst 9500 Switches) - Secure Shell Version 2 Support [Cisco Catalyst 9500 Series Switches] - Cisco</A><BR /><BR /><BR /><A href="https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst9300/software/release/17-12/configuration_guide/sec/b_1712_sec_9300_cg/secure_shell_version_2_support.html#g_how_to_configure_ssh_v2" target="_blank">Security Configuration Guide, Cisco IOS XE Dublin 17.12.x (Catalyst 9300 Switches) - Secure Shell Version 2 Support [Cisco Catalyst 9300 Series Switches] - Cisco</A></P> Mon, 17 Feb 2025 10:19:11 GMT https://community.cisco.com/t5/network-security/crypto-key-rsa-no-longer-supported/m-p/5261318#M1119592 Gaming_Bear 2025-02-17T10:19:11Z https://community.cisco.com/t5/network-security/crypto-key-rsa-no-longer-supported/m-p/5278274#M1120462 <P>To give a conclusive answer as i was dealing with the same issue as well. There is a bug by cisco with the bug id:&nbsp;CSCwm08390</P><P>Link:&nbsp;<A href="https://bst.cisco.com/quickview/bug/CSCwm08390" target="_blank" rel="noopener">https://bst.cisco.com/quickview/bug/CSCwm08390</A></P><P>Basically it boils down to following sentence:</P><P><SPAN>As of 17.11.1.a, the default command mode for these commands changed from Global configuration (config) to Privileged EXEC (#).<BR />Old Behavior: Router1(config)#crypto key generate rsa label KEYS modulus 2048<BR />New Behavior: Router1#crypto key generate rsa label KEYS modulus 2048</SPAN></P><P><SPAN>When i execute the command outside of the config terminal mode, i dont get a warning message anymore.</SPAN></P> Fri, 04 Apr 2025 09:16:21 GMT https://community.cisco.com/t5/network-security/crypto-key-rsa-no-longer-supported/m-p/5278274#M1120462 mario.jost 2025-04-04T09:16:21Z https://community.cisco.com/t5/network-security/crypto-key-rsa-no-longer-supported/m-p/5280710#M1120582 <P>I've used mod 4096 for decades and am getting this same "hidden/deprecated" notification. &nbsp;With no info about what the new command is to use.</P> Fri, 11 Apr 2025 18:54:39 GMT https://community.cisco.com/t5/network-security/crypto-key-rsa-no-longer-supported/m-p/5280710#M1120582 Rob Miller 2025-04-11T18:54:39Z https://community.cisco.com/t5/network-security/crypto-key-rsa-no-longer-supported/m-p/5336905#M1123092 <P>Thanks for clarifying! Again a message is misleading to weak crypto instead of the command having been moved.</P><P>This is the most stupid CLI change unloaded to long standing admins I can imagine. I see my future self adding another conditional into my m4 based configuration templates once this becomes mandatory, and I need to differ between the former and the "new" way.</P> Wed, 08 Oct 2025 13:01:51 GMT https://community.cisco.com/t5/network-security/crypto-key-rsa-no-longer-supported/m-p/5336905#M1123092 Mathias Peter IT 2025-10-08T13:01:51Z