Self-Signed Certificate - Change RSA Public Key & Signature Algorithm

ms4561
Level 1

Hi

My 1801 router (IOS 15x) is using the original self-signed certificate (1024) with a signature algorithm of MD5. I would like to change the cert to a 2048 key length, with a hash of SHA1 or better, but I'm unsure how to do this.

Should I just generate new keys, or would I be better off creating a new self-signed cert? What is the procedure & explicit commands (CLI) to do this?

Many thanks in advance.

Regards

Bob

3 Replies

Marvin Rhoads
Hall of Fame

Remove the old certificate and RSA key.

Create a new RSA key with modulus 2048. Then a new certificate - it will use the new stronger private key you just created.

no crypto pki trustpoint <existing certificate name>
crypto key zeroize rsa
crypto key generate rsa modulus 2048 label <name for new rsa key>
ip http secure-server

(The last command will automatically generate a new self-signed certificate.)

Hi Marvin

Thank you for the reply. I would like to clarify one point: I use the cert for SSH connections to the router & don't want to enable secure-server (as I don't use this service) on the router. Is there another command to create a new certificate without enabling/disabling secure-server?

Regards

Bob

Sure, the secure-server is the quickest and easiest method but you can create the new key, define the trustpoint manually and enroll the certificate that way.

Below are the commands. (You can of course call the key, trustpoint, O and CN values whatever locally significant names make sense for you.)

router(config)#crypto key generate rsa label router-rsa modulus 2048
The name for the keys will be: router-rsa

% The key modulus size is 2048 bits
% Generating 2048 bit RSA keys, keys will be non-exportable...
[OK] (elapsed time was 10 seconds)

router(config)#
router(config)#crypto pki trustpoint router-ca
router(ca-trustpoint)#enrollment selfsigned
router(ca-trustpoint)#subject-name O=Test,CN=www.router.com
router(ca-trustpoint)#rsakeypair router-rsa
router(config)#crypto pki enroll router-ca
% Include the router serial number in the subject name? [yes/no]: no
% Include an IP address in the subject name? [no]: no
Generate Self Signed Router Certificate? [yes/no]: yes

Router Self Signed Certificate successfully created

router(config)#
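After running either procedure above it is worth confirming that the old 1024-bit/MD5 certificate is really gone and that the new one meets the target. The script below is an added example, not from the thread or from Cisco: it audits pasted `show crypto pki certificates verbose` output and flags any certificate with an RSA modulus under 2048 bits or an MD5/SHA1 signature. The sample output is constructed, and the exact field names (`Signature Algorithm`, `Public Key Type`, `Associated Trustpoints`) are an assumption about the IOS output format, so adjust the regexes to what your router prints.

```python
import re

# Constructed sample modelled on IOS `show crypto pki certificates verbose`
# output; the exact field names are an assumption, not copied from a device.
SAMPLE_OUTPUT = """\
Router Self-Signed Certificate
  Issuer:
    cn=IOS-Self-Signed-Certificate-1234567890
  Subject:
    cn=IOS-Self-Signed-Certificate-1234567890
  Signature Algorithm: MD5 with RSA Encryption
  Public Key Type: RSA (1024 bits)
  Associated Trustpoints: TP-self-signed-1234567890

Router Self-Signed Certificate
  Issuer:
    o=Test,cn=www.router.com
  Subject:
    o=Test,cn=www.router.com
  Signature Algorithm: SHA256 with RSA Encryption
  Public Key Type: RSA (2048 bits)
  Associated Trustpoints: router-ca
"""

WEAK_HASHES = ("MD5", "SHA1")   # MD5 is the poster's current hash; SHA1 is also deprecated
MIN_RSA_BITS = 2048             # the modulus both replies generate

def audit_certificates(show_output):
    """Return {trustpoint: [problems]} for every certificate block found;
    an empty list means the certificate meets the policy above."""
    findings = {}
    # each certificate block starts at column 0; its fields are indented
    for block in re.split(r"\n(?=\S)", show_output.strip()):
        tp = re.search(r"Associated Trustpoints:\s*(\S+)", block)
        bits = re.search(r"Public Key Type:\s*RSA \((\d+) bits\)", block)
        sig = re.search(r"Signature Algorithm:\s*(\S+)", block)
        if not (tp and bits and sig):
            continue  # block lacks the fields we need; skip rather than guess
        problems = []
        if int(bits.group(1)) < MIN_RSA_BITS:
            problems.append(f"RSA modulus {bits.group(1)} < {MIN_RSA_BITS}")
        if sig.group(1).upper() in WEAK_HASHES:
            problems.append(f"weak signature hash {sig.group(1)}")
        findings[tp.group(1)] = problems
    return findings

if __name__ == "__main__":
    for tp, problems in audit_certificates(SAMPLE_OUTPUT).items():
        print(tp, "OK" if not problems else "; ".join(problems))
```

The leftover `TP-self-signed-...` trustpoint in the sample is the case Marvin's first reply removes with `no crypto pki trustpoint`; if the audit still lists it after enrolling the new trustpoint, that removal step was skipped.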