11-13-2024 07:51 AM
Hello,
I have configured a switch on IOS 17.12.4 with the following command: 'crypto key generate rsa general-keys modulus 2048'. Upon entering this command, the following was output on the console:
'crypto key generate rsa general-keys modulus 2048' is a hidden command. Use of this command is not recommended/supported and will be removed in future
Please can someone advise which command replaces the above? We have roughly 2000 switches, all soon to be upgraded to 17.12.4.
11-13-2024 08:07 AM
The new devices support up to 4096, but there is a limitation for this value as well.
It is better to open a TAC case and ask Cisco about this point.
MHM
11-13-2024 10:36 AM
@thomas-moffat Perhaps use Elliptic Curve instead - "crypto key generate ec keysize 256 label EC-KEY"
"From Cisco IOS XE Release 17.10, the minimum RSA key pair size must be 2048 bits."
"From Cisco IOS XE Release 17.11, if you want to continue using the weak RSA key, disable CSDL compliance on the device using the crypto engine compliance shield disable command, and reboot." https://www.cisco.com/c/en/us/td/docs/routers/ios/config/17-x/sec-vpn/b-security-vpn/m_sec-secure-shell-v2-0.html
11-21-2024 06:27 AM
It seems that modern IOS-XE v17.15.x / v17.x.y gives this error when you specify an RSA modulus > 1024 bits.
02-17-2025 02:15 AM - edited 02-17-2025 02:19 AM
I ran into the same problem on C9500 and C9200L running 17.12.x.
It appears the command has to be run in privileged EXEC mode rather than global configuration mode.
This may be a specification change starting from 17.11.1.a.
After doing what the BST (Bug Search Tool) entry says, the warning no longer appeared.
Old Behavior: Router1(config)#crypto key generate rsa label KEYS modulus 2048
New Behavior: Lab-Router1#crypto key generate rsa label KEYS modulus 2048
The problem is that this specification change is not documented in the configuration guide.
Security Configuration Guide, Cisco IOS XE Dublin 17.12.x (Catalyst 9500 Switches) - Secure Shell Version 2 Support [Cisco Catalyst 9500 Series Switches] - Cisco
Security Configuration Guide, Cisco IOS XE Dublin 17.12.x (Catalyst 9300 Switches) - Secure Shell Version 2 Support [Cisco Catalyst 9300 Series Switches] - Cisco
04-04-2025 02:15 AM - edited 04-04-2025 02:16 AM
To give a conclusive answer, as I was dealing with the same issue as well: there is a Cisco bug with the bug ID CSCwm08390.
Link: https://bst.cisco.com/quickview/bug/CSCwm08390
Basically it boils down to the following sentence:
As of 17.11.1.a, the default command mode for these commands changed from Global configuration (config) to Privileged EXEC (#).
Old Behavior: Router1(config)#crypto key generate rsa label KEYS modulus 2048
New Behavior: Router1#crypto key generate rsa label KEYS modulus 2048
When I execute the command outside of config terminal mode, I don't get the warning message anymore.
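The mode change described in the post above matters when you have to regenerate keys on a fleet of switches: an automation job that pushes `crypto key generate rsa` through a config session will hit the warning on 17.11.1a and later, while the same command sent as a privileged EXEC command does not. The script below is an added example, not code from this thread or from Cisco. It assumes netmiko (a third-party library, imported lazily so the helpers run without it), that `show ip ssh` prints a `Modulus Size : N bits` line, and that an existing key with the same label triggers the "Do you really want to replace them? [yes/no]" prompt; the sample `show ip ssh` output is constructed for the example, not captured from a switch.

```python
"""Regenerate the SSH RSA host key on IOS XE 17.11.1a+ from privileged EXEC.

Added example, not from the thread or from Cisco. Assumptions: netmiko is
installed (imported lazily), `show ip ssh` reports "Modulus Size : N bits",
and the sample output below is constructed, not captured from a device.
"""
import re
from typing import List, Optional

# Fragment of the warning quoted in the thread; it appears when the command is
# issued under `configure terminal` on 17.11.1a and later.
HIDDEN_WARNING = "is a hidden command"

# Constructed sample of `show ip ssh` output for a switch still on a 1024-bit key.
SAMPLE_SHOW_IP_SSH = """SSH Enabled - version 2.0
Authentication methods:publickey,keyboard-interactive,password
Modulus Size : 1024 bits
"""


def parse_ssh_modulus(show_ip_ssh: str) -> Optional[int]:
    """Return the RSA modulus size reported by `show ip ssh`, or None."""
    m = re.search(r"Modulus Size\s*:\s*(\d+)\s*bits", show_ip_ssh)
    return int(m.group(1)) if m else None


def needs_new_key(show_ip_ssh: str, minimum: int = 2048) -> bool:
    """True when no key is reported or the key is below the minimum size."""
    size = parse_ssh_modulus(show_ip_ssh)
    return size is None or size < minimum


def has_hidden_command_warning(output: str) -> bool:
    """Detect the warning the thread reports for config-mode key generation."""
    return HIDDEN_WARNING in output


def keygen_command(label: str, modulus: int = 2048) -> str:
    """Build the EXEC-mode command; 17.10+ rejects moduli below 2048 bits."""
    if modulus < 2048:
        raise ValueError("IOS XE 17.10+ requires an RSA modulus of at least 2048 bits")
    return f"crypto key generate rsa label {label} modulus {modulus}"


def ssh_keypair_config(label: str) -> List[str]:
    """Config-mode lines that bind the SSH server to the new key pair."""
    return [f"ip ssh rsa keypair-name {label}", "ip ssh version 2"]


def regenerate(conn, label: str = "SSH-KEY", modulus: int = 2048) -> str:
    """Run against an open netmiko connection. Returns 'kept' or 'regenerated'.

    The key generation itself is sent with send_command_timing (privileged
    EXEC), never with send_config_set, which is what triggers the warning.
    """
    before = conn.send_command("show ip ssh")
    if not needs_new_key(before, modulus):
        return "kept"
    out = conn.send_command_timing(keygen_command(label, modulus))
    if "replace them" in out:  # key with this label already exists
        out += conn.send_command_timing("yes")
    if has_hidden_command_warning(out):
        raise RuntimeError("key generation ran in config mode; use EXEC mode")
    conn.send_config_set(ssh_keypair_config(label))
    conn.save_config()
    return "regenerated"


if __name__ == "__main__":
    import sys
    from netmiko import ConnectHandler  # assumption: netmiko is installed

    host, user, password = sys.argv[1:4]
    with ConnectHandler(device_type="cisco_xe", host=host,
                        username=user, password=password) as conn:
        print(host, regenerate(conn))
```

Usage: `python regen_ssh_key.py <switch> <user> <password>`; loop it over an inventory for the fleet. The RSA generation is deliberately separated from the `ip ssh rsa keypair-name` push so that only the binding goes through a config session.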
04-11-2025 11:54 AM
I've used modulus 4096 for decades and am getting this same "hidden/deprecated" notification, with no info about what the new command to use is.