I hit this bug on 10.2.5. https://bst.cisco.com/bugsearch/bug/CSCvu10721
If the fix/workaround is to delete the RSA key and only have the ecdsa 521 key, I should be able to enable fips mode without the RSA key, right? I would fully expect to be able to enable fips mode with just the ecdsa 521 key.
TOR# show ssh key
**************************************
could not retrieve rsa key information
**************************************
could not retrieve dsa key information
**************************************
ecdsa Keys generated:Tue Apr 11 17:53:13 2023
ecdsa-sha2-nistp521 AAAAE2VjZHNhLXNoYTItbmlzdHA1MjEAAAAIbmlzdHA1MjEAAACFBAF1Lubb+4v6TupuNfA6dUpvSNxYGfzgWi8Fyjua9OtFQCaTPKQ7+P8bn4yhKlGTvTrwufDnm/+0WWcmqL30ET3AzQCkfLKPFJCTYpJIYrPFmyFEgsbacYJgrXVTo1TIbeLFm6a0msl+zWiSrtViB4O4i8WNiblf1OCx5ef44uAaXUmogA==
TOR(config)# fips mode enable
As per NIST requirements, the minimum RSA Key Size has to be 2048 in FIPS Mode
Generate RSA key with 2048 bits
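The check the switch performs at "fips mode enable" (RSA host key must be at least 2048 bits) can be reproduced offline against the SSH host key blobs a device publishes, which is useful for auditing a fleet before flipping FIPS on. The following is an added example and not code from the post, from Cisco, or from NX-OS: it parses RFC 4251 public key blobs (the same format `show ssh key` and `ssh-keyscan` print), reports the key type and size, and applies the 2048-bit RSA rule from the message above. The ecdsa key is the one shown in the `show ssh key` output; the `make_rsa_blob` helper builds syntactically valid `ssh-rsa` blobs with a placeholder modulus (not a real RSA key) purely so the size check can be exercised without a crypto library. The rule that NIST-curve ECDSA keys pass is an assumption about what the device accepts, not something the post confirms.

```python
import base64
import struct

# Minimum RSA modulus size the NX-OS "fips mode enable" check enforces, per the
# message quoted in the post.
FIPS_MIN_RSA_BITS = 2048

# The ecdsa-sha2-nistp521 host key exactly as printed by "show ssh key" above.
NXOS_ECDSA_KEY = (
    "AAAAE2VjZHNhLXNoYTItbmlzdHA1MjEAAAAIbmlzdHA1MjEAAACFBAF1Lubb+4v6TupuNfA6dUpvSNxY"
    "GfzgWi8Fyjua9OtFQCaTPKQ7+P8bn4yhKlGTvTrwufDnm/+0WWcmqL30ET3AzQCkfLKPFJCTYpJIYrPF"
    "myFEgsbacYJgrXVTo1TIbeLFm6a0msl+zWiSrtViB4O4i8WNiblf1OCx5ef44uAaXUmogA=="
)


def _read_string(buf: bytes, off: int):
    """Read one RFC 4251 'string' (uint32 big-endian length + bytes) at offset off."""
    if off + 4 > len(buf):
        raise ValueError("truncated key blob")
    (n,) = struct.unpack(">I", buf[off:off + 4])
    end = off + 4 + n
    if end > len(buf):
        raise ValueError("truncated key blob")
    return buf[off + 4:end], end


def _string(data: bytes) -> bytes:
    return struct.pack(">I", len(data)) + data


def _mpint(value: int) -> bytes:
    """Encode a positive int as an RFC 4251 mpint (leading 0x00 byte when the high bit is set)."""
    raw = value.to_bytes((value.bit_length() + 8) // 8, "big")
    return _string(raw)


def make_rsa_blob(bits: int, e: int = 65537) -> str:
    """Build an ssh-rsa blob whose modulus has exactly `bits` bits.

    CONSTRUCTED test data: the modulus (1 << (bits-1)) | 1 is not a real RSA key; it
    only exists so the size check can run offline without a crypto library."""
    n = (1 << (bits - 1)) | 1
    return base64.b64encode(_string(b"ssh-rsa") + _mpint(e) + _mpint(n)).decode()


def parse_ssh_pubkey(b64: str) -> dict:
    """Parse a base64 SSH public key blob into {"type", "bits", ["curve"]}."""
    blob = base64.b64decode(b64)
    ktype, off = _read_string(blob, 0)
    ktype = ktype.decode()
    if ktype == "ssh-rsa":
        _e, off = _read_string(blob, off)
        n, off = _read_string(blob, off)
        # int.from_bytes drops the mpint sign byte, so bit_length() is the modulus size.
        return {"type": ktype, "bits": int.from_bytes(n, "big").bit_length()}
    if ktype.startswith("ecdsa-sha2-"):
        curve, off = _read_string(blob, off)
        point, off = _read_string(blob, off)
        curve = curve.decode()
        if curve != ktype[len("ecdsa-sha2-"):]:
            raise ValueError("curve name inside blob does not match key type")
        if point[:1] != b"\x04":
            raise ValueError("expected an uncompressed EC point")
        # Field size comes from the curve name (nistp521 -> 521), not the point length.
        return {"type": ktype, "curve": curve, "bits": int(curve[len("nistp"):])}
    if ktype == "ssh-ed25519":
        pk, off = _read_string(blob, off)
        return {"type": ktype, "bits": len(pk) * 8}
    return {"type": ktype, "bits": None}


def parse_keyscan_line(line: str) -> dict:
    """Parse one 'host keytype base64' line as printed by ssh-keyscan."""
    _host, ktype, b64 = line.split()[:3]
    key = parse_ssh_pubkey(b64)
    if key["type"] != ktype:
        raise ValueError("key type field does not match blob")
    return key


def fips_acceptable(key: dict):
    """Apply the rule the switch quotes: RSA must be >= 2048 bits.

    Assumption (not stated in the post): ECDSA on the NIST curves is accepted as-is;
    any other type is flagged for manual review rather than silently passed."""
    if key["type"] == "ssh-rsa":
        ok = key["bits"] >= FIPS_MIN_RSA_BITS
        return ok, f"RSA {key['bits']} bits ({'>=' if ok else '<'} {FIPS_MIN_RSA_BITS})"
    if key["type"].startswith("ecdsa-sha2-nistp"):
        return True, f"ECDSA {key['curve']}"
    return False, f"{key['type']}: not covered by this check, review manually"


if __name__ == "__main__":
    samples = [
        ("TOR ecdsa (from post)", NXOS_ECDSA_KEY),
        ("constructed rsa 1024", make_rsa_blob(1024)),
        ("constructed rsa 2048", make_rsa_blob(2048)),
    ]
    for label, b64 in samples:
        ok, why = fips_acceptable(parse_ssh_pubkey(b64))
        print(f"{'PASS' if ok else 'FAIL'}  {label:22s} {why}")
```

To run it against a live switch, feed it the output of `ssh-keyscan -t rsa,ecdsa <switch>` line by line through `parse_keyscan_line`; a device with no RSA host key at all will simply return no `ssh-rsa` line, which is the state the post describes after deleting the RSA key.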