
Crypto Key RSA no longer supported

thomas-moffat
Level 1

Hello,

I have configured a switch on IOS 17.12.4 with the following command: 'crypto key generate rsa general-keys modulus 2048'. Upon entering this command, the following was output in the console:

crypto key generate rsa general-keys modulus 2048' is a hidden command. Use of this command is not recommended/supported and will be removed in future

Please can someone advise what command is replacing the above? We have roughly 2000 switches, all soon to be upgraded to 17.12.4.

3 Replies

The new device supports up to 4096, but there is also a limitation for this value.

It is better to open a TAC case and ask Cisco about this point.

MHM

@thomas-moffat Perhaps use Elliptic Curve instead - "crypto key generate ec keysize 256 label EC-KEY"

"From Cisco IOS XE Release 17.10, the minimum RSA key pair size must be 2048 bits."

"From Cisco IOS XE Release 17.11, if you want to continue using the weak RSA key, disable CSDL compliance on the device using the crypto engine compliance shield disable command, and reboot." https://www.cisco.com/c/en/us/td/docs/routers/ios/config/17-x/sec-vpn/b-security-vpn/m_sec-secure-shell-v2-0.html


BrianSekleckiGE
Level 1

It seems that modern IOS-XE v17.15.x / v17.x.y gives this error when you specify an RSA modulus > 1024 bits.

 
