11-13-2024 07:51 AM
Hello,
I have configured a switch on IOS 17.12.4 with the following command: 'crypto key generate rsa general-keys modulus 2048'. Upon entering this command, the following was output in the console:
crypto key generate rsa general-keys modulus 2048' is a hidden command. Use of this command is not recommended/supported and will be removed in future
Please can someone advise what command is replacing the above? We have roughly 2000 switches, all soon to be upgraded to 17.12.4.
11-13-2024 08:07 AM
The new device supports up to 4096, but there is also a limitation for this value.
It is better to open a TAC case and ask Cisco about this point.
MHM
11-13-2024 10:36 AM
@thomas-moffat Perhaps use Elliptic Curve instead - "crypto key generate ec keysize 256 label EC-KEY"
"From Cisco IOS XE Release 17.10, the minimum RSA key pair size must be 2048 bits."
"From Cisco IOS XE Release 17.11, if you want to continue using the weak RSA key, disable CSDL compliance on the device using the crypto engine compliance shield disable command, and reboot." https://www.cisco.com/c/en/us/td/docs/routers/ios/config/17-x/sec-vpn/b-security-vpn/m_sec-secure-shell-v2-0.html
11-21-2024 06:27 AM
It seems that modern IOS-XE v17.15.x / v17.x.y gives this error when you specify an RSA modulus > 1024 bits.