PKI configuration not working for Elliptic curve

Hi,

I am using a Cisco ISR 1111-8P running 16.8.1 and am trying to build an elliptic curve self-signed cert to use for an IPSec tunnel. The commands I usually use to do this with RSA, and which work on this box, are:

dev(config)#crypto key generate rsa label testtest modulus 2048
The name for the keys will be: testtest
% The key modulus size is 2048 bits
% Generating 2048 bit RSA keys, keys will be non-exportable...
[OK] (elapsed time was 2 seconds)

dev(config)#crypto pki trustpoint  my-testtest
dev(ca-trustpoint)#enrollment selfsigned
dev(ca-trustpoint)#subject-name O=Test, CN=testtest
dev(ca-trustpoint)#rsakeypair testtest

dev(ca-trustpoint)#crypto pki enroll my-testtest
% Include the router serial number in the subject name? [yes/no]: no
% Include an IP address in the subject name? [no]: no
Generate Self Signed Router Certificate? [yes/no]: yes
Router Self Signed Certificate successfully created
 
So I know that RSA works, although this client wants elliptic curve. So I double-checked the syntax and created it the same way. However, when I do this for elliptic curve, I get a fail statement. The commands run are:

dev(config)#crypto key generate ec keysize 256 exportable label newTestTest
The name for the keys will be: newTestTest
 EC key pair created successfully
dev(config)#crypto pki trustpoint my-newTestTest
dev(ca-trustpoint)#enrollment selfsigned
dev(ca-trustpoint)#subject-name O=Test, CN=newTestTest
dev(ca-trustpoint)#eckeypair newTestTest
dev(ca-trustpoint)#exit
dev(config)#crypto pki enroll my-newTestTest
% Include the router serial number in the subject name? [yes/no]: no
% Include an IP address in the subject name? [no]: no
Generate Self Signed Router Certificate? [yes/no]: yes
% Attempt to request a certificate failed: status = FAIL

Is there a magic ingredient I am forgetting, or is it just that it doesn't work? Cisco say they have supported elliptic curve since 16.6.2.
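For comparison, here is a software equivalent of the EC enrollment above, written as an added example (it is not from the original post and not Cisco code). It uses only Go's standard library to generate a P-256 key, issue a self-signed certificate with the same subject the post uses (O=Test, CN=newTestTest), and then check the three properties a working EC self-signed router certificate has to show: an EC public key on P-256, an ECDSA-with-SHA256 signature, and a signature that verifies under the certificate's own key. The function names SelfSignedEC and CheckEC, the ECCertInfo type and the fixed serial number are this example's own choices; the router's `show crypto pki certificates verbose` output can be compared field by field against what CheckEC prints.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"os"
	"time"
)

// SelfSignedEC is the software equivalent of
//   crypto key generate ec keysize 256 ...
//   enrollment selfsigned / subject-name O=<org>, CN=<cn> / eckeypair ...
// It generates a P-256 key and signs a certificate for that key with itself.
// Returns the DER-encoded certificate and the private key.
func SelfSignedEC(org, cn string) ([]byte, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber:       big.NewInt(1), // constructed for the example; a real issuer uses a random serial
		Subject:            pkix.Name{Organization: []string{org}, CommonName: cn},
		NotBefore:          now.Add(-time.Hour),
		NotAfter:           now.Add(365 * 24 * time.Hour),
		KeyUsage:           x509.KeyUsageDigitalSignature, // what an IKEv2 peer needs from a router cert
		SignatureAlgorithm: x509.ECDSAWithSHA256,
	}
	// Passing the same template as parent makes the certificate self-signed.
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	return der, key, nil
}

// ECCertInfo is what CheckEC reports about a certificate.
type ECCertInfo struct {
	Subject    string
	Curve      string
	SigAlg     string
	SelfSigned bool
}

// CheckEC parses a DER certificate and reports the properties a usable EC
// self-signed certificate must have: an EC public key (and which curve),
// the signature algorithm, and whether the signature verifies under the
// certificate's own public key. A certificate with a non-EC key (e.g. the
// RSA one from the first part of the post) is rejected with an error.
func CheckEC(der []byte) (ECCertInfo, error) {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return ECCertInfo{}, err
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return ECCertInfo{}, fmt.Errorf("public key is %T, not EC", cert.PublicKey)
	}
	// CheckSignature verifies the to-be-signed bytes with this certificate's
	// own key, which is exactly the self-signed property.
	selfSigned := cert.CheckSignature(cert.SignatureAlgorithm, cert.RawTBSCertificate, cert.Signature) == nil
	return ECCertInfo{
		Subject:    cert.Subject.String(),
		Curve:      pub.Curve.Params().Name,
		SigAlg:     cert.SignatureAlgorithm.String(),
		SelfSigned: selfSigned,
	}, nil
}

func main() {
	der, _, err := SelfSignedEC("Test", "newTestTest")
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	info, err := CheckEC(der)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	fmt.Printf("%+v\n", info)
	// PEM form, for "openssl x509 -text -noout" or for pasting into a peer's trustpoint.
	pem.Encode(os.Stdout, &pem.Block{Type: "CERTIFICATE", Bytes: der})
}
```

Running it prints Curve:P-256 and SigAlg:ECDSA-SHA256 with SelfSigned:true, followed by the PEM certificate; those are the values to look for in the router's certificate once the enrollment succeeds, and CheckEC's error path is what you get if an RSA keypair was bound to the trustpoint instead.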
1 REPLY
Maybe the reason is the keysize?