Generate public RSA key of 4096-bits on IOS router?

snyggsomfan
Level 1

Hi everybody,

Is it possible to generate a public RSA key of 4096 bits on an IOS router? We are running 12.4(24)T5. I have been going through some Cisco docs and found this:

Cisco IOS 4096-Bit Public Key Support in IOS 12.4(11) and later.

However when I issue the command,

crypto ca trustpoint exampleCAkeys

   rsakeypair exampleCAkeys ?

it only shows me the maximum of 2048. Am I missing something? Currently our root cert has a public key of 2048 and the routers a key of 1024. The goal is to increase the root cert and our routers cert to 4096-bits. If that's possible...

/K

6 Replies

Collin Clark
VIP Alumni

From Cisco~

Peer public RSA key modulus values up to 4096 bits are automatically supported.

The largest private RSA key modulus is 4096 bits. Therefore, the largest RSA private key a router may generate or import is 4096 bits. However, RFC 2409 restricts the private key size to 2048 bits or less for RSA encryption.

The recommended modulus value for a CA is 2048 bits; the recommended modulus value for a client is 1024 bits.

OK, so does this mean that I cannot generate a private key of 4096 bits?

Can I import a root ca of 4096 bits?

/K

Patrik Karlsson wrote:

OK, so does this mean that I cannot generate a private key of 4096 bits?

Can I import a root ca of 4096 bits?

/K

You can only generate a key of 2048, but you can import a key with 4096.

OK, just upgraded to IOS 15.1 and now I have the option to generate keys of 4096 bits.

/K

By the way... according to Cisco's Feature Navigator, in order to support "Cisco IOS 4096-Bit Public Key Support" I need to be running at least IOS 12.4(11)T. However, I've managed to import a root cert of 4096 bits on IOS 12.4(9)T. Am I missing something?

/K

Generating a key in IOS is/was limited to 2048, which is limited by the RFC. However, the CA can ignore the RFC and generate a 4096 key. The router supports the key since it did not have to generate it. Holding the key is much different than generating the key.
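As an added example (not from this thread, Cisco, or any IOS release), a check that fits the generate-versus-hold distinction above: before importing a CA's 4096-bit key or certificate into a router that can itself only generate 2048-bit keys, confirm the modulus size of the public key off-box. This pure-Python DER parser reads a PEM public key such as what `openssl x509 -pubkey -noout` writes (an assumed usage) and reports the RSA modulus bit length; the key it builds for itself is a constructed placeholder modulus, not a real key.

```python
import base64
import re

# AlgorithmIdentifier for rsaEncryption (OID 1.2.840.113549.1.1.1) with NULL parameters
RSA_ENCRYPTION_ALG = bytes.fromhex("300d06092a864886f70d0101010500")

def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour lines and base64-decode the body."""
    return base64.b64decode("".join(re.sub(r"-----[A-Z ]+-----", "", pem).split()))

def der_to_pem(der: bytes, label: str = "PUBLIC KEY") -> str:
    return f"-----BEGIN {label}-----\n{base64.b64encode(der).decode()}\n-----END {label}-----\n"

def _read_tlv(buf: bytes, pos: int):
    """Read one DER tag-length-value at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets that follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def rsa_modulus_bits(der: bytes) -> int:
    """Bit length of the RSA modulus in a DER RSAPublicKey (PKCS#1) or SubjectPublicKeyInfo."""
    tag, seq, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("expected an outer SEQUENCE")
    tag, first, nxt = _read_tlv(seq, 0)
    if tag == 0x30:  # SubjectPublicKeyInfo: AlgorithmIdentifier, then a BIT STRING holding RSAPublicKey
        tag, bits, _ = _read_tlv(seq, nxt)
        if tag != 0x03:
            raise ValueError("expected a BIT STRING after the AlgorithmIdentifier")
        return rsa_modulus_bits(bits[1:])  # drop the leading unused-bits octet
    if tag != 0x02:
        raise ValueError("expected an INTEGER modulus")
    return int.from_bytes(first, "big").bit_length()  # a leading 0x00 sign pad does not change the value

# Constructed test material: a DER RSAPublicKey whose modulus is a placeholder, NOT a real key.
def _der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def _der_int(v: int) -> bytes:
    b = v.to_bytes(v.bit_length() // 8 + 1, "big")  # the extra octet keeps the sign bit clear
    return b"\x02" + _der_len(len(b)) + b

def constructed_rsa_public_key(bits: int, e: int = 65537) -> bytes:
    body = _der_int((1 << (bits - 1)) | 1) + _der_int(e)  # modulus 2^(bits-1)+1, placeholder only
    return b"\x30" + _der_len(len(body)) + body

def wrap_spki(rsa_public_key: bytes) -> bytes:
    """Wrap a PKCS#1 RSAPublicKey in a SubjectPublicKeyInfo, the form 'openssl x509 -pubkey' writes."""
    bit_string = b"\x03" + _der_len(len(rsa_public_key) + 1) + b"\x00" + rsa_public_key
    return b"\x30" + _der_len(len(RSA_ENCRYPTION_ALG) + len(bit_string)) + RSA_ENCRYPTION_ALG + bit_string
```

Feed `rsa_modulus_bits(pem_to_der(open("ca-pubkey.pem").read()))` a real exported public key and compare the result with the 2048-bit ceiling the router can generate on its own.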