Re: ASA SSH with diferent RSA Label

kehinde olugotun · ‎01-13-2019

Hello,

I am trying to review back my ssh config.

I tried to generate a set of crypto keys using a different label (not default)

#crypto key generate rsa label ADE modulus 1024 noconfirm

ssh doesnt seem to work until I use

#crypto key generate rsa general-keys modulus 1024 noconfirm

Can some help me confirm this assertion

Mohammed al Baqari · ‎01-13-2019

Hi,

ssh keys has to be general keys and they can be labeled as well. You can
use lable keyword with general keys.

If you don't specify general keys then they can be used for other purposes
ssh as csr generation and trust points for ssl certificates but not for
ssh.

Sheraz.Salim · ‎01-13-2019

just to add more what @Mohammed al Baqari said.

Before starting the enrollment process via the CLI, you must generate the RSA key pair with Crypto key generate rsa command.
To generate the keys, you must first configure a hostname and the domain name.

!
domain-name secure-x.local
crypto key gen rsa mod 1024
!
to verify your key you need show crypto key mypubkey rsa
!
crypto ca trustpoint CISCO
!
enrlloment url http://x.x.x.x/certsrv
fqdn secure-x.local
exit
!
crypto ca authenticate CISCO noconfirm
!
crypto ca enroll CISCO
!
so this above paragraph is for only if you installing certificate using the CLI.
--------------------------------------------------------------------------------
other way for SSH could be used as,

!
crypto key gen rsa
!
show crypto key mypuubkey rsa
!
ssh x.x.x.x x.x.x.x management
!
for SSH connection there is no default username or/and password. you must have to configure the aaa authentication ssh console command to enable aaa authentication.
!
show ssh session
ssh disconnect

please do not forget to rate.