Obtaining FIPS authorization key for C9300

fatcat
Level 1

Hi all,

I am trying to enable FIPS mode for my Cisco C9300 switch that is currently running on 17.9.x. I happened to come across and follow the official documentation from Cisco. However, it asks for an authorization key with a specific length. May I know where I can get this authorization key? Do I have to generate it myself or is there any tool or generator?

Thank you!

3 Replies

Jens Albrecht
Level 3

Hello @fatcat,

The authorization key must be generated by yourself; it is just a 128-bit (16-byte) hexadecimal value.
You can either create it manually like '0123456789ABCDEF0123456789ABCDEF' or use a tool such as OpenSSL to create a 16-byte random key for you. There are also online random hex generators that you can use.

Please note that you must use the same key on each member if you do this on a stack.

After configuring FIPS mode you have to reboot the switch/stack to activate FIPS operation.

HTH!

Hello @Jens Albrecht,

Thank you for your reply! So, meaning to say, I can manually type in my own key or use an online generator to get it to work?

Thanks!

Hello @fatcat,

Yes, you can do it either way.
The switch accepts any 16-byte hexadecimal value, so the only requirement is the length of 32 hex characters.

Please note that the authorization key is not displayed in the config and the "show fips authorization-key" command will show the hashed value and not the plaintext key you entered.

HTH!
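
Added example, not part of the thread or of Cisco's documentation: generating the 16-byte key locally with OpenSSL, as the first reply suggests, and checking the 32-hex-character length the last reply describes before it is typed into the switch. The function names are hypothetical, the `od` fallback is an assumption for hosts without OpenSSL, and the check that rejects a key whose two halves are identical is an extra local sanity check, not something the switch enforces.

```shell
#!/bin/sh
# Added example: create and sanity-check a 128-bit FIPS authorization key
# on the admin workstation. Function names are hypothetical.

# Return 0 if $1 is exactly 32 hexadecimal characters (16 bytes).
is_valid_fips_key() {
    case "$1" in
        ""|*[!0-9A-Fa-f]*) return 1 ;;
    esac
    [ "${#1}" -eq 32 ]
}

# Return 0 if both 16-character halves are identical, which is typical of a
# hand-typed pattern. Extra local check only; the switch does not require it.
is_patterned_key() {
    first=$(printf '%s' "$1" | cut -c1-16)
    second=$(printf '%s' "$1" | cut -c17-32)
    [ "$first" = "$second" ]
}

# Print a fresh key in upper-case hex, or return 1 if it fails the checks.
gen_fips_key() {
    if command -v openssl >/dev/null 2>&1; then
        key=$(openssl rand -hex 16)
    else
        # Assumed fallback: read 16 bytes from the kernel CSPRNG.
        key=$(od -An -N16 -tx1 /dev/urandom | tr -d ' \n')
    fi
    key=$(printf '%s' "$key" | tr 'a-f' 'A-F')
    is_valid_fips_key "$key" || return 1
    if is_patterned_key "$key"; then
        return 1
    fi
    printf '%s\n' "$key"
}

# Stand-alone run: print one key to paste into the FIPS key configuration.
# Use the same value on every member of a stack.
key=$(gen_fips_key) && printf '%s\n' "$key"
```

Because the switch only shows the hashed value afterwards, store the generated key somewhere safe if further stack members will need it later.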