Solved: Best type of RSA Keys to configure?

CiscoBrownBelt · ‎03-23-2020

I was thinking of configuring RSA using the label-key syntex so I don't have to configure a domain name. Should you really configure them to be exportable? Basically just trying to understand better the options explained in Cisco Docs with keeping good security in mind.

Cristian Matei · ‎03-24-2020

Hi,

Non-exportable means protected in the way that it can't be exported and it can't be found/viualized via any command, or copied over.

Regards,

Cristian Matei.

View solution in original post

Cristian Matei · ‎03-23-2020

Hi,

The keys should be left as default, non-exportable, unless you have to (from a technical reason) export it, like would be the case of GETVPN COOP, one example that came in my mind now. Otherwise, if you're creating the RSA keys for SSH access for example, you should leave the keys non-exportable and protected by IOS. In the end, the non-export option means non-disclosing the private key.

Regards,

Cristian Matei.

CiscoBrownBelt · ‎03-23-2020

when you say protected by the IOS, are you referring to other applicable configs to use in conjuntion with SSH access such as perhaps a vty access-list or something?

Cristian Matei · ‎03-24-2020

Hi,

Non-exportable means protected in the way that it can't be exported and it can't be found/viualized via any command, or copied over.

Regards,

Cristian Matei.

CiscoBrownBelt · ‎03-25-2020

Thanks! Yes makes sense! In what scenarios would someone want the exportable?

Cristian Matei · ‎03-27-2020

Hi,

One such quick example would be GETVPN COOP.

Regards,

Cristian Matei.