11-20-2014 01:48 AM - edited 02-21-2020 05:20 AM
Hi
My 1801 router (IOS 15x) is using the original self-signed certificate (1024) with a signature algorithm of MD5. I would like to change the cert to a 2048 key length, with a hash of SHA1 or better, but I'm unsure how to do this.
Should I just generate new keys, or would I be better off creating a new self-signed cert? What is the procedure and the explicit commands (CLI) to do this?
Many thanks in advance.
Regards
Bob
11-20-2014 07:52 AM
Remove the old certificate and RSA key.
Create a new RSA key with modulus 2048. Then a new certificate - it will use the new stronger private key you just created.
no crypto pki trustpoint <existing certificate name>
crypto key zeroize rsa
crypto key generate rsa modulus 2048 label <name for new rsa key>
ip http secure-server
(The last command will automatically generate a new self-signed certificate.)
11-20-2014 11:33 PM
Hi Marvin
Thank you for the reply. I would like to clarify one point: I use the cert for SSH connections to the router and don't want to enable secure-server (as I don't use this service) on the router. Is there another command to create a new certificate without enabling/disabling secure-server?
Regards
Bob
11-24-2014 05:47 AM
Sure, the secure-server is the quickest and easiest method but you can create the new key, define the trustpoint manually and enroll the certificate that way.
Below are the commands. (You can of course call the key, trustpoint, O and CN values whatever locally significant names make sense for you.)
router(config)#crypto key generate rsa label router-rsa modulus 2048
The name for the keys will be: router-rsa
% The key modulus size is 2048 bits
% Generating 2048 bit RSA keys, keys will be non-exportable...
[OK] (elapsed time was 10 seconds)
router(config)#

router(config)#crypto pki trustpoint router-ca
router(ca-trustpoint)#enrollment selfsigned
router(ca-trustpoint)#subject-name O=Test,CN=www.router.com
router(ca-trustpoint)#rsakeypair router-rsa
router(ca-trustpoint)#exit

router(config)#crypto pki enroll router-ca
% Include the router serial number in the subject name? [yes/no]: no
% Include an IP address in the subject name? [no]: no
Generate Self Signed Router Certificate? [yes/no]: yes
Router Self Signed Certificate successfully created
router(config)#
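An added check, not part of the thread, to confirm the result once the new certificate is enrolled: a Python script that parses the text of `show crypto pki certificates verbose` and flags any certificate still carrying an RSA key under 2048 bits or an MD5/SHA1 signature. The sample output is constructed and its field layout is an assumption, so adapt the regexes to what your IOS release prints.

```python
import re

# Constructed sample in the shape of IOS "show crypto pki certificates verbose"
# output (field names are an assumption, not taken from the thread): the old
# 1024-bit/MD5 certificate beside a replacement enrolled under trustpoint router-ca.
SAMPLE_OUTPUT = """\
Router Self-Signed Certificate
  Subject:
    Name: IOS-Self-Signed-Certificate-0000000000
  Subject Key Info:
    RSA Public Key: (1024 bit)
  Signature Algorithm: MD5 with RSA Encryption
  Associated Trustpoints: TP-self-signed-0000000000
Router Self-Signed Certificate
  Subject:
    Name: www.router.com
  Subject Key Info:
    RSA Public Key: (2048 bit)
  Signature Algorithm: SHA256 with RSA Encryption
  Associated Trustpoints: router-ca
"""

MIN_RSA_BITS = 2048             # the key size the thread is moving the router to
WEAK_SIG_HASHES = {"MD5", "SHA1"}

def audit_certificates(show_output):
    """Return one dict per certificate block: trustpoint, key size, hash, problems."""
    findings = []
    # A new certificate block starts at a line with no indentation.
    for block in re.split(r"\n(?=\S)", show_output.strip()):
        tp = re.search(r"Associated Trustpoints:\s*(\S+)", block)
        bits = re.search(r"RSA Public Key:\s*\((\d+) bit\)", block)
        sig = re.search(r"Signature Algorithm:\s*(\w+) with RSA", block)
        if not (tp and bits and sig):
            continue   # not an RSA certificate block in the expected layout
        rsa_bits, sig_hash = int(bits.group(1)), sig.group(1).upper()
        problems = []
        if rsa_bits < MIN_RSA_BITS:
            problems.append(f"RSA key is {rsa_bits} bits, below {MIN_RSA_BITS}")
        if sig_hash in WEAK_SIG_HASHES:
            problems.append(f"signature hash {sig_hash} is deprecated")
        findings.append({"trustpoint": tp.group(1), "rsa_bits": rsa_bits,
                         "sig_hash": sig_hash, "problems": problems})
    return findings

if __name__ == "__main__":
    for f in audit_certificates(SAMPLE_OUTPUT):
        print(f["trustpoint"], "OK" if not f["problems"] else "; ".join(f["problems"]))
```

Paste the real `show` output into `SAMPLE_OUTPUT` (or read it from a file) and the old TP-self-signed trustpoint should be the only one reported, until it is removed with `no crypto pki trustpoint`.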