1406 Views, 1 Helpful, 7 Replies

Cisco 9300 CISCO_IDEVID_CMCA_SUDI weak RSA Key

mtoro82
Level 1

Hello, I am getting several errors in the log for a weak RSA key.

The error as shown is: %CRYPTO_ENGINE-4-CSDL_COMPLIANCE_RSA_WEAK_KEYS: RSA keypair CISCO_IDEVID_CMCA_SUDI is in violation of Cisco security compliance guidelines and will be rejected.

When checking, I do see that CISCO_IDEVID_CMCA_SUDI is 1024-bit, but I am unable to regenerate it so it can be in compliance. Is there a workaround for this?

I am currently running Cisco IOS XE Software, Version 17.15.01, with a DNA Essentials smart license.

7 Replies

@mtoro82 

Why are you unable to regenerate it? Can you not run the command 'crypto key generate rsa'?

@Flavio Miranda 

When I run 'crypto key generate rsa label CISCO_IDEVID_CMCA_SUDI modulus 2048' I get '% The key name requested CISCO_IDEVID_CMCA_SUDI is reserved'.

All my other keys are in compliance except this CISCO_IDEVID_CMCA_SUDI.

I don't follow you, sorry. If the name is taken or reserved, why don't you change the label, or why don't you run the command 'crypto key generate rsa' on its own?

Preston Chilcote
Cisco Employee

I believe those SUDI keys can only be set in manufacturing. A bug (CSCwm74317) is fixed in 17.15.2 that suppresses the recurring nature of the error, only printing it the first time. I can't find anything that says these errors can cause a noticeable impact to the switch.

@Preston Chilcote 

I figured it was a bug and not something to worry about. It's just annoying to see it in the logs. I will probably try to update to 17.15.2 or wait until a fix is out.

Garry Cross
Level 1

And it is a waste of people's time when this error appears and you try to fix it, only to find out you can't zeroize it. There isn't any message. And if you try to change it as above, only then do you find out it is reserved. Cisco: stop generating messages for things a person can do nothing about.

The Bug ID says that a logging discriminator can be used to suppress the infernal logs.
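An added example of the logging-discriminator approach mentioned above (this is not configuration from the thread, from the bug ID, or from Cisco documentation; it is written from the standard IOS-XE 'logging discriminator' syntax). The discriminator name NO_SUDI_WEAK_KEY and the syslog host 192.0.2.10 are assumptions for illustration. The filter matches on the key name in the message body rather than on the whole CSDL_COMPLIANCE_RSA_WEAK_KEYS mnemonic, so a weak key you can actually regenerate still shows up in the logs; only the message about the manufacturing-set SUDI key is dropped. Note that a discriminator filters nothing until it is attached to a logging destination, and that it only affects the destinations it is attached to, so the buffer, console, terminal lines and the syslog host each need it. Hiding the message does not change the key itself.

```ios
! Confirm which key the message refers to (SUDI keys are set in manufacturing
! and cannot be regenerated or zeroized; the label is reserved)
show crypto key mypubkey rsa CISCO_IDEVID_CMCA_SUDI

configure terminal
 ! Drop only messages whose body mentions the SUDI key name.
 ! Weak-key warnings for other (regenerable) keys are still logged.
 ! Name NO_SUDI_WEAK_KEY is an assumed example name.
 logging discriminator NO_SUDI_WEAK_KEY msg-body drops CISCO_IDEVID_CMCA_SUDI
 ! Attach the discriminator to every destination that should stop showing it
 logging buffered discriminator NO_SUDI_WEAK_KEY
 logging console discriminator NO_SUDI_WEAK_KEY
 logging monitor discriminator NO_SUDI_WEAK_KEY
 ! 192.0.2.10 is an assumed example syslog server address
 logging host 192.0.2.10 discriminator NO_SUDI_WEAK_KEY
end

! Verify the discriminator and where it is applied
show logging
```

To remove the filter later (for example after upgrading to a release containing the CSCwm74317 fix), use 'no logging discriminator NO_SUDI_WEAK_KEY' after detaching it from each destination.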