
Best type of RSA Keys to configure?

CiscoBrownBelt
Level 6

I was thinking of configuring RSA using the label-key syntax so I don't have to configure a domain name. Should you really configure them to be exportable? Basically just trying to understand better the options explained in Cisco Docs with keeping good security in mind.

 


5 Replies

Cristian Matei
VIP Alumni

Hi,

 

The keys should be left as default, non-exportable, unless you have to (for a technical reason) export them, as would be the case with GETVPN COOP, one example that comes to mind now. Otherwise, if you're creating the RSA keys for SSH access, for example, you should leave the keys non-exportable and protected by IOS. In the end, the non-export option means not disclosing the private key.

 

Regards,

Cristian Matei.

When you say protected by the IOS, are you referring to other applicable configs to use in conjunction with SSH access, such as perhaps a vty access-list or something?

Hi,

 

Non-exportable means protected in the way that it can't be exported and it can't be found/visualized via any command, or copied over.

 

Regards,

Cristian Matei.

Thanks! Yes makes sense! In what scenarios would someone want the exportable?

Hi,

 

   One such quick example would be GETVPN COOP.

 

Regards,

Cristian Matei.
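
As an added example (not part of the thread and not Cisco's code): a small audit that parses saved `show crypto key mypubkey rsa` output and lists key pairs marked exportable that are not on an allow-list, so exceptions such as a GETVPN COOP key stay deliberate. The sample output, key labels and allow-list are constructed for illustration, and the output layout is assumed to match the sample.

```python
import re

# Constructed sample modelled on `show crypto key mypubkey rsa` output.
# Key labels and timestamps are made up; key data is omitted.
SAMPLE_OUTPUT = """\
% Key pair was generated at: 10:12:01 UTC Mar 3 2021
Key name: SSH-KEY
Key type: RSA KEYS
 Storage Device: not specified
 Usage: General Purpose Key
 Key is not exportable.
% Key pair was generated at: 10:15:44 UTC Mar 3 2021
Key name: GETVPN-COOP
Key type: RSA KEYS
 Storage Device: not specified
 Usage: General Purpose Key
 Key is exportable.
% Key pair was generated at: 11:02:13 UTC Mar 9 2021
Key name: TEST-KEY
Key type: RSA KEYS
 Usage: General Purpose Key
 Key is exportable.
"""

KEY_NAME = re.compile(r"^\s*Key name:\s*(\S+)\s*$")
EXPORT = re.compile(r"^\s*Key is (not )?exportable\b")

def parse_keys(text):
    """Return {key_label: True/False/None}; None means no export line was seen."""
    keys, current = {}, None
    for line in text.splitlines():
        m = KEY_NAME.match(line)
        if m:
            current = m.group(1)
            keys[current] = None
            continue
        m = EXPORT.match(line)
        if m and current is not None:
            keys[current] = m.group(1) is None  # no "not " means exportable
    return keys

def unexpected_exportable(text, allowed=frozenset()):
    """Labels of exportable key pairs that are not on the allow-list."""
    return sorted(k for k, exp in parse_keys(text).items() if exp and k not in allowed)

if __name__ == "__main__":
    # Hypothetical allow-list: only the COOP key is expected to be exportable.
    print(unexpected_exportable(SAMPLE_OUTPUT, allowed={"GETVPN-COOP"}))
```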
