PKI

=Certificates=

==Generate Self-Signed Certificate==

The first step toward a certificate on the router is an RSA key pair. "crypto key generate rsa" creates only the keys; the certificate itself is produced later, when a trustpoint that uses those keys is enrolled (self-signed, or against a CA). Generate the default key pair like this:

 R1(config)#crypto key generate rsa
 The name for the keys will be: R1.ipexpert.com
 Choose the size of the key modulus in the range of 360 to 2048 for your
   General Purpose Keys. Choosing a key modulus greater than 512 may take
   a few minutes.

 How many bits in the modulus [512]: 1024
 % Generating 1024 bit RSA keys, keys will be non-exportable...[OK]

Do not accept the 512-bit default, and treat 1024 bits as a lab minimum: 1024-bit RSA is no longer considered adequate, so use 2048 bits or more for anything that leaves the lab. Keys generated this way are non-exportable, which is the option to prefer for storage: the private key can never be copied off the router, not even by an administrator with full configuration access. Make a key pair exportable only if you need to back it up or move it to another router; the choice is fixed at generation time, so to get an exportable pair you regenerate:

 R1(config)#crypto key generate rsa exportable
 % You already have RSA keys defined named R1.blooblah.com.
 % Do you really want to replace them? [yes/no]: yes
 Choose the size of the key modulus in the range of 360 to 2048 for your
   General Purpose Keys. Choosing a key modulus greater than 512 may take
   a few minutes.

 How many bits in the modulus [512]: 1024
 % Generating 1024 bit RSA keys, keys will be exportable...[OK]

The router asks whether to replace the existing keys because a pair already exists, and here that is what we want. Be aware that replacing a key pair invalidates anything bound to the old one: a certificate issued for the old public key no longer matches the private key, and if the default pair is also the SSH host key, clients will see a changed host key.

==Generate Self-Signed for Specific Usage==

Sometimes you'll want a dedicated key pair for one function on the router (one trustpoint, one service) rather than the default pair named after the hostname. Giving the pair a label lets you choose which keys a trustpoint uses. The following command creates a labelled 2048-bit exportable key pair, and because the modulus is given on the command line there is no size prompt:

 R1(config)#crypto key generate rsa label MY_ROUTER_KEYS modulus 2048 exportable
 The name for the keys will be: MY_ROUTER_KEYS
 % The key modulus size is 2048 bits
 % Generating 2048 bit RSA keys, keys will be exportable...[OK]

==IOS Certificate Authority==

Once the keys exist, bind them to the trustpoint the certificate server will use for its own (self-signed CA) certificate. The server and its trustpoint share a name, so configuring trustpoint R1 before starting server R1 lets you pick the key pair instead of leaving IOS to generate a default one:

 crypto pki trustpoint R1
  rsakeypair MY_ROUTER_KEYS

Now that the router will use MY_ROUTER_KEYS for its certificate, configure the certificate server so the router can issue certificates to other devices:

 crypto pki server R1
  database archive pem password PEM_PASSWORD
  auto-rollover 30
  grant auto
  no shutdown

The database archive password must be configured before the rollover options: when the server starts it exports the CA certificate and keys into the archive, protected by that password, and rollover depends on that archive. There are three ways to grant certificates: "auto", "none" and "ra-auto". "grant auto" signs every request that arrives, which is convenient in a lab but means any device that can reach the enrollment URL gets a certificate; anywhere else, leave requests pending ("grant none", the default) and approve them by hand with "crypto pki server R1 grant" in exec mode, or use "ra-auto" so only requests forwarded by a registration authority are granted automatically. The certificate server is not active until you issue "no shutdown" in cs-server mode:

 R1(cs-server)# no shutdown
 Certificate server 'no shut' event has been queued for processing.
 R1(cs-server)#
 %Some server settings cannot be changed after CA certificate generation.
 % Exporting Certificate Server signing certificate and keys...
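As an added example (not code from the original page), here is a Python audit script that reads the output of "show crypto key mypubkey rsa" together with the "crypto pki server" stanza from a running-config and flags the weak choices discussed in the key-generation and certificate-server sections above: moduli under 2048 bits, exportable key pairs, "grant auto", and a missing database archive password. It recovers the modulus size by walking the DER SubjectPublicKeyInfo that IOS prints under "Key Data", so no crypto library is needed. The router output and config below are constructed for the example, the moduli are placeholder integers rather than real keys, and the field wording ("Key is exportable", "Key Data:") is modelled on IOS 15 output and should be checked against your own release.

```python
# Audits Cisco IOS RSA key pairs and a 'crypto pki server' stanza for short
# moduli, exportable keys, 'grant auto' and a missing archive password. The Key
# Data hex that IOS prints is the DER SubjectPublicKeyInfo of the public key.
HEXCHARS = set("0123456789abcdefABCDEF ")
RSA_OID = bytes.fromhex("06092a864886f70d010101")  # 1.2.840.113549.1.1.1

def _der_len(n):
    b = n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")
    return b if n < 0x80 else bytes([0x80 | len(b)]) + b

def _tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body

def _der_int(value):
    b = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
    return _tlv(0x02, (b"\x00" if b[0] & 0x80 else b"") + b)  # keep it positive

def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low bits give the number of length bytes
        nbytes = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes
    return tag, buf[pos:pos + length], pos + length

def build_spki(modulus, exponent=65537):
    """Encode an RSA SubjectPublicKeyInfo (used here only to build sample input)."""
    rsa_pub = _tlv(0x30, _der_int(modulus) + _der_int(exponent))
    alg_id = _tlv(0x30, RSA_OID + b"\x05\x00")
    return _tlv(0x30, alg_id + _tlv(0x03, b"\x00" + rsa_pub))

def modulus_bits(spki):
    """Bit length of the RSA modulus inside a DER SubjectPublicKeyInfo."""
    _, body, _ = _read_tlv(spki, 0)          # outer SEQUENCE
    _, _alg, pos = _read_tlv(body, 0)        # AlgorithmIdentifier
    tag, bits, _ = _read_tlv(body, pos)      # BIT STRING wrapping RSAPublicKey
    assert tag == 0x03, "expected BIT STRING"
    _, rsa_pub, _ = _read_tlv(bits[1:], 0)   # bits[0] is the unused-bits count
    _, n_bytes, _ = _read_tlv(rsa_pub, 0)    # first INTEGER is the modulus n
    return int.from_bytes(n_bytes, "big").bit_length()

def parse_mypubkey(show_output):
    """Parse 'show crypto key mypubkey rsa' into name/exportable/bits records."""
    keys = []
    for block in show_output.split("Key name:")[1:]:
        lines = block.splitlines()
        data_at = next(i for i, l in enumerate(lines) if l.strip().startswith("Key Data:"))
        hexdata = "".join(l.strip() for l in lines[data_at + 1:]
                          if l.strip() and set(l.strip()) <= HEXCHARS)
        keys.append({"name": lines[0].strip(),
                     "exportable": any(l.strip().startswith("Key is exportable") for l in lines),
                     "bits": modulus_bits(bytes.fromhex(hexdata.replace(" ", "")))})
    return keys

def audit_pki_server(running_config):
    """Flag 'grant auto' and a missing archive password in the first CA stanza."""
    findings, server, archive_pw = [], None, False
    for line in running_config.splitlines():
        if line.startswith("crypto pki server "):
            server = line.split()[3]
        elif server and not line.startswith(" "):
            break  # left the indented stanza
        elif server:
            item = line.strip()
            if item == "grant auto":
                findings.append(f"{server}: 'grant auto' hands a certificate to any SCEP requester")
            if item.startswith("database archive") and " password " in item:
                archive_pw = True
    if server and not archive_pw:
        findings.append(f"{server}: no 'database archive ... password' configured")
    return findings

def audit(show_output, running_config, min_bits=2048):
    findings = []
    for key in parse_mypubkey(show_output):
        if key["bits"] < min_bits:
            findings.append(f"{key['name']}: {key['bits']}-bit modulus is below {min_bits}")
        if key["exportable"]:
            findings.append(f"{key['name']}: key pair is exportable")
    return findings + audit_pki_server(running_config)

def _ios_hex(blob):  # IOS prints the DER as space-separated 8-character groups
    return "  " + " ".join(blob.hex().upper()[i:i + 8] for i in range(0, len(blob) * 2, 8))

# Constructed sample input (not real router output). The moduli are placeholder
# odd integers of the stated length, not real RSA keys.
SAMPLE_SHOW = f"""Key name: R1.ipexpert.com
 Key is not exportable. Redundancy enabled.
 Key Data:
{_ios_hex(build_spki((1 << 1023) | 1))}
% Key pair was generated at: 10:20:00 UTC Jan 1 2024
Key name: MY_ROUTER_KEYS
 Key is exportable. Redundancy enabled.
 Key Data:
{_ios_hex(build_spki((1 << 2047) | 1))}
"""
SAMPLE_CONFIG = """crypto pki server R1
 database archive pem password PEM_PASSWORD
 grant auto
!
"""

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_SHOW, SAMPLE_CONFIG)))
```

Run against the constructed input it reports the 1024-bit default pair, the exportable MY_ROUTER_KEYS pair and the "grant auto" setting; the archive password check stays quiet because the stanza sets one. Feed it the real "show crypto key mypubkey rsa" output and running-config from a router (or a fleet of them) to find the pairs that were generated with the 512 or 1024-bit prompt defaults.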