crypto key generate rsa signature command

googleboy · ‎08-01-2020

Hi,

Can someone explain to me how does a router use the RSA signature key generated by the following command:

crypto key generate rsa signature

The command generates only one key as shown by the show crypto key mypubkey all command.

Does the router use this key to sign messages or certificates sent to remote peers?

Does the router sends this key to remote peers? If so, do remote peers use this key to send signed messages to the router?

In what context is this type of key used? IPsec? Diffie Hellman? IKE?

Please help me understand how this key is used.

Marvin Rhoads · ‎08-01-2020

The key is used in securing ssh sessions. If the device also uses s a self-signed certificate the key may be used as the private key for the certificate (or you can optionally create and specify a separate key for use with your certificate). A device's certificate can be used for IKEv2 IPsec or for SSL/TLS sessions to the device's web UI (where such exists and is enabled).

Mohammed al Baqari · ‎08-02-2020

Hi,

@marvin gave you a very good explanation on the key. Just a small comment
on your command, the key word *signature* (at the end of the line) will
generate a key to be used for signing purpose only. It won't be used for
encrypting IKE VPN or WebUI. For a multi purpose key, you need to specify
the keyword *general-purpose* instead.

The key isn't sent to any peer. Instead it's used to sign messages (HMAC
hashing), signing certificates, etc. This is the concept of PKI that a
private key isn't sent. Only the public key in the certificate is
published.

You can read this.

https://www.digicert.com/blog/where-is-your-private-key/

**** please remember to rate useful posts

Marvin Rhoads · ‎08-02-2020

Ah thanks @Mohammed al Baqari for making that important distinction with the "signature" keyword.

googleboy · ‎08-02-2020

Thank you @Mohammed al Baqari for taking the time to try to answer my questions.

although I already know that the private key (not the public key) is used for signing a message or a certificate, I am surprised to know that this command produces a private key and not a public key. The reason for my confusion is the Cisco Command Reference Explanation! See the snapshot of it below!

I tend to think of it as a private key, as you said. The question now is how a peer receiving a message or a certificate, signed by this key, verify the integrity of the received message or certificate without the corresponding public key that is used to decrypt the signature?

The command generates only one key that is used for signature! Where is the corresponding public key?

Mohammed al Baqari · ‎08-02-2020

Hi,

The command generate both public and private key (keypair). To answer your
question, it depends on the use case. For example if you use IPsec
certificate authentication, the peers exchange their certs which include
the public key in messages 4 and 5 of Main Mode (IKEV1). This helps to
verify signatures. For webUI, the cert will be presented to the browser,
etc.

All subject to use case.

**** please remember to rate useful posts

googleboy · ‎08-05-2020

Thank you Mohammed.
Things are clear now. What caused the confusion is that I did not notice that the show crypto key mypubkey all command shows only the public keys. Corresponding private keys are not shown.

@Mohammed al Baqari wrote:
Hi,

The command generate both public and private key (keypair). To answer your
question, it depends on the use case. For example if you use IPsec
certificate authentication, the peers exchange their certs which include
the public key in messages 4 and 5 of Main Mode (IKEV1). This helps to
verify signatures. For webUI, the cert will be presented to the browser,
etc.

All subject to use case.

**** please remember to rate useful posts

Mohammed al Baqari · ‎08-05-2020

G8. Please remember to rate useful posts and mark the question as answered.