How to Set Up and Deploy RSA Keys Within a PKI
- Generating an RSA Key Pair
- Managing RSA Key Pairs and Trustpoint Certificates
- Exporting and Importing RSA Keys
- Encrypting and Locking Private Keys on a Router
- Removing RSA Key Pair Settings
Generating an RSA Key Pair
Managing RSA Key Pairs and Trustpoint Certificates
Perform this task to configure the router to generate and store multiple RSA key pairs, associate the key pairs with a trustpoint, and get the certificates for the router from the trustpoint.
Before You Begin
You must have already generated an RSA key pair as shown in the task “Generating an RSA Key Pair.”
SUMMARY STEPS
1. enable
2. configure terminal
3. crypto pki trustpoint name
4. rsakeypair key-label [key-size [encryption-key-size]]
5. enrollment selfsigned
6. subject-alt-name name
7. exit
8. crypto pki enroll name
9. exit
10. show crypto key mypubkey rsa
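The following session, added here as an illustration and not taken from the Cisco guide, walks through the steps above on a single router. The key label WEB-KEYS, the trustpoint name SELF-TP, the hostname router1.example.com and the timestamps are constructed, and the show output is abridged.

```cisco
! Added example session (constructed names; output abridged). Not from the original guide.
! Prerequisite from "Generating an RSA Key Pair": a labeled, exportable 2048-bit key pair.
Router> enable
Router# configure terminal
Router(config)# crypto key generate rsa general-keys label WEB-KEYS modulus 2048 exportable
The name for the keys will be: WEB-KEYS
% The key modulus size is 2048 bits
% Generating 2048 bit RSA keys, keys will be exportable...
[OK] (elapsed time was 3 seconds)
!
! Bind the key pair to a trustpoint that issues its own certificate.
Router(config)# crypto pki trustpoint SELF-TP
Router(ca-trustpoint)# rsakeypair WEB-KEYS 2048
Router(ca-trustpoint)# enrollment selfsigned
Router(ca-trustpoint)# subject-alt-name router1.example.com
Router(ca-trustpoint)# exit
!
! Enroll: with selfsigned enrollment the router signs its own certificate with WEB-KEYS.
Router(config)# crypto pki enroll SELF-TP
% Include the router serial number in the subject name? [yes/no]: no
% Include an IP address in the subject name? [no]: no
Generate Self Signed Router Certificate? [yes/no]: yes
Router Self Signed Certificate successfully created
Router(config)# exit
!
! Verify the pair exists and is marked exportable (needed later for the PKCS12/PEM tasks).
Router# show crypto key mypubkey rsa
% Key pair was generated at: 10:15:02 UTC Jan 1 2024
Key name: WEB-KEYS
Key type: RSA KEYS
 Storage Device: not specified
 Usage: General Purpose Key
 Key is exportable.
 Key Data:
  30820122 300D0609 2A864886 F70D0101 01050003 82010F00 ...
```

The rsakeypair command refers to the key pair by label. If no pair with that label exists at enrollment time, the router generates one of the configured size then, so the label in the trustpoint must match the label given to crypto key generate rsa. Mark a pair exportable only when it must leave the device, since the flag cannot be added to an existing pair afterwards.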
Exporting and Importing RSA Keys
This section contains the following tasks that can be used for exporting and importing RSA keys. Whether you are using PKCS12 files or PEM files, exportable RSA keys allow you to use existing RSA keys on Cisco IOS routers instead of having to generate new RSA keys if the main router were to fail.
- Exporting and Importing RSA Keys in PKCS12 Files
- Exporting and Importing RSA Keys in PEM-Formatted Files
Exporting and Importing RSA Keys in PKCS12 Files
Exporting and importing RSA key pairs enables users to transfer security credentials between devices. The key pair that is shared between two devices allows one device to immediately and transparently take over the functionality of the other router.
Before You Begin
You must generate an RSA key pair and mark it “exportable” as specified in the “Generating an RSA Key Pair” task.
SUMMARY STEPS
1. crypto pki trustpoint name
2. rsakeypair key-label [key-size [encryption-key-size]]
3. exit
4. crypto pki export trustpointname pkcs12 destination-url password password-phrase
5. crypto pki import trustpointname pkcs12 source-url password password-phrase
6. exit
7. show crypto key mypubkey rsa
Exporting and Importing RSA Keys in PEM-Formatted Files
Before You Begin
You must generate an RSA key pair and mark it “exportable” as specified in the “Generating an RSA Key Pair” task.
Note: Security threats, as well as the cryptographic technologies to help protect against them, are constantly changing. For more information about the latest Cisco cryptographic recommendations, see the Next Generation Encryption (NGE) white paper.
SUMMARY STEPS
1. crypto key generate rsa {usage-keys | general-keys} label key-label [exportable]
2. crypto pki export trustpoint pem {terminal | url destination-url} {3des | des} password password-phrase
3. crypto pki import trustpoint pem [check | exportable | usage-keys] {terminal | url source-url} password password-phrase
4. exit
5. show crypto key mypubkey rsa
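The following sessions, added here as an illustration and not taken from the Cisco guide, show both the PKCS12 task and the PEM task end to end: router1 exports the SELF-TP trustpoint (its key pair and certificates) and router2 imports it. The addresses, file names, key label, passphrases and timestamps are constructed, and the output is abridged.

```cisco
! Added example (constructed addresses, names and passphrases; output abridged). Not from the original guide.
! ---- PKCS12: one password-protected file carries the private key and the certificates ----
! router1: the trustpoint's key pair must already be marked exportable.
router1# configure terminal
router1(config)# crypto pki trustpoint SELF-TP
router1(ca-trustpoint)# rsakeypair WEB-KEYS 2048
router1(ca-trustpoint)# exit
router1(config)# crypto pki export SELF-TP pkcs12 tftp://192.0.2.10/router1-selftp.p12 password Xmpl-P12-Pass
Exporting pkcs12...
Address or name of remote host [192.0.2.10]?
Destination filename [router1-selftp.p12]?
Writing router1-selftp.p12 !
CRYPTO_PKI: Exported PKCS12 file successfully.
!
! router2: the import creates trustpoint SELF-TP if it does not exist and installs the key and certificates.
router2(config)# crypto pki import SELF-TP pkcs12 tftp://192.0.2.10/router1-selftp.p12 password Xmpl-P12-Pass
Source filename [router1-selftp.p12]?
Loading router1-selftp.p12 from 192.0.2.10 (via GigabitEthernet0/0): !
[OK - 2693 bytes]
CRYPTO_PKI: Imported PKCS12 file successfully.
router2(config)# exit
router2# show crypto key mypubkey rsa
% Key pair was generated at: 10:15:02 UTC Jan 1 2024
Key name: SELF-TP
 Usage: General Purpose Key
 Key is not exportable.
!
! ---- PEM: key and certificates are emitted as separate PEM blocks, here to the terminal ----
! Only the private-key block is encrypted (3DES under the passphrase); the certificate blocks are not.
router1(config)# crypto pki export SELF-TP pem terminal 3des password Xmpl-Pem-Pass
% CA certificate:
-----BEGIN CERTIFICATE-----
MIIC... (abridged)
-----END CERTIFICATE-----
% Key name: WEB-KEYS
 Usage: General Purpose Key
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,0F0E8B5B3B5C1A2D
... (abridged)
-----END RSA PRIVATE KEY-----
% Certificate:
-----BEGIN CERTIFICATE-----
MIIC... (abridged)
-----END CERTIFICATE-----
!
! router2: "check" makes the router verify the certificates on import; each block is pasted, then "quit".
router2(config)# crypto pki import SELF-TP pem check terminal password Xmpl-Pem-Pass
% Enter PEM-formatted CA certificate.
% End with a blank line or "quit" on a line by itself.
... (paste CA certificate block, then quit)
% Enter PEM-formatted encrypted private General Purpose key.
% End with "quit" on a line by itself.
... (paste private-key block, then quit)
% Enter PEM-formatted General Purpose certificate.
% End with a blank line or "quit" on a line by itself.
... (paste certificate block, then quit)
% PEM files import succeeded.
router2(config)# exit
router2# show crypto key mypubkey rsa
```

In both cases the passphrase is the only protection on the private key while the file or paste is in transit; TFTP itself is neither authenticated nor encrypted, so choose the passphrase accordingly and remove the file from the server once the import is verified. The imported pair is not exportable on router2 unless the exportable keyword was given on the PEM import.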
Encrypting and Locking Private Keys on a Router
Digital signatures are used to authenticate one device to another device. To use digital signatures, private information (the private key) must be stored on the device that is providing the signature. The stored private information may aid an attacker who steals the hardware device that contains the private key; for example, a thief might be able to use the stolen router to initiate a secure connection to another site by using the RSA private keys stored in the router.
Note: RSA keys are lost during password recovery operations. If you lose your password, the RSA keys will be deleted when you perform the password recovery operation. (This function prevents an attacker from performing password recovery and then using the keys.)
To protect the private RSA key from an attacker, a user can encrypt the private key that is stored in NVRAM with a passphrase. Users can also “lock” the private key, which blocks new connection attempts on a running router and protects the key if the router is stolen.
Perform this task to encrypt and lock the private key that is saved to NVRAM.
Note: The RSA keys must be unlocked while enrolling with the CA. The keys can be locked while authenticating the router with the CA because the private key of the router is not used during authentication.
Before You Begin
Before encrypting or locking a private key, you should perform the following tasks:
- Generate an RSA key pair as shown in the task “Generating an RSA Key Pair.”
- Optionally, you can authenticate and enroll each router with the CA server.
Note:
Backward Compatibility Restriction
Any image prior to Cisco IOS Release 12.3(7)T does not support encrypted keys. To prevent your router from losing all encrypted keys, ensure that only unencrypted keys are written to NVRAM before booting an image prior to Cisco IOS Release 12.3(7)T.
If you must download an image prior to Cisco IOS Release 12.3(7)T, decrypt the key and immediately save the configuration so the downloaded image does not overwrite the configuration.
Interaction with Applications
An encrypted key is not effective after the router boots up until you manually unlock the key (via the crypto key unlock rsa command). Depending on which key pairs are encrypted, this functionality may adversely affect applications such as IP security (IPsec), SSH, and SSL; that is, management of the router over a secure channel may not be possible until the necessary key pair is unlocked.
SUMMARY STEPS
1. crypto key encrypt [write] rsa [name key-name] passphrase passphrase
2. exit
3. show crypto key mypubkey rsa
4. crypto key lock rsa [name key-name] passphrase passphrase
5. show crypto key mypubkey rsa
6. crypto key unlock rsa [name key-name] passphrase passphrase
7. configure terminal
8. crypto key decrypt [write] rsa [name key-name] passphrase passphrase
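The following session, added here as an illustration and not taken from the Cisco guide, runs the eight steps above against the constructed key label WEB-KEYS with a constructed passphrase; the show output is abridged. It shows the state transitions a practitioner should confirm after each step: encrypted but UNLOCKED, then LOCKED, then UNLOCKED again, then decrypted.

```cisco
! Added example (constructed label and passphrase; output abridged). Not from the original guide.
! Step 1: encrypt the WEB-KEYS pair; "write" saves the encrypted form to NVRAM immediately.
Router(config)# crypto key encrypt write rsa name WEB-KEYS passphrase Xmpl-Key-Pass
Router(config)# exit
! Step 3: the key is still usable (UNLOCKED) until it is locked or the router reloads.
Router# show crypto key mypubkey rsa
% Key pair was generated at: 10:15:02 UTC Jan 1 2024
Key name: WEB-KEYS
 Usage: General Purpose Key
 *** The key is protected and UNLOCKED. ***
 Key is exportable.
!
! Step 4: lock the key. New IPsec/SSH/SSL sessions that need WEB-KEYS now fail.
Router# crypto key lock rsa name WEB-KEYS passphrase Xmpl-Key-Pass
! Step 5: confirm the lock took effect.
Router# show crypto key mypubkey rsa
% Key pair was generated at: 10:15:02 UTC Jan 1 2024
Key name: WEB-KEYS
 Usage: General Purpose Key
 *** The key is protected and LOCKED. ***
 Key is exportable.
!
! Step 6: unlock. This is also required after every reload of a router whose key is encrypted.
Router# crypto key unlock rsa name WEB-KEYS passphrase Xmpl-Key-Pass
!
! Steps 7-8: before booting an image older than 12.3(7)T, decrypt and write the plaintext key to NVRAM.
Router# configure terminal
Router(config)# crypto key decrypt write rsa name WEB-KEYS passphrase Xmpl-Key-Pass
Router(config)# exit
! No "protected" line means the key is stored unencrypted again.
Router# show crypto key mypubkey rsa | include protected
Router#
```

Lock and unlock are privileged EXEC commands while encrypt and decrypt are global configuration commands, which is why the step list moves between modes. The passphrase is typed on the command line, so terminal logging or command accounting that records full command text will capture it; handle such logs as sensitively as the key itself.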
Removing RSA Key Pair Settings
An RSA key pair may need to be removed for one of the following reasons:
- During manual PKI operations and maintenance, old RSA keys can be removed and replaced with new keys.
- An existing CA is replaced and the new CA requires newly generated keys; for example, the required key size might have changed in an organization so you would have to delete the old 1024-bit keys and generate new 2048-bit keys.
- The peer router's public keys can be deleted in order to help debug signature verification problems in IKEv1 and IKEv2. Keys are cached by default with the lifetime of the certificate revocation list (CRL) associated with the trustpoint.
Perform this task to remove all RSA keys or the specified RSA key pair that has been generated by your router.
1. enable
2. configure terminal
3. crypto key zeroize rsa [key-pair-label]
4. crypto key zeroize pubkey-chain [index]
5. exit
6. show crypto key mypubkey rsa
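The following session, added here as an illustration and not taken from the Cisco guide, removes one named key pair and the cached peer public keys, then verifies the result. The label WEB-KEYS is constructed and the output is abridged.

```cisco
! Added example (constructed label; output abridged). Not from the original guide.
Router> enable
Router# configure terminal
! Step 3: remove one named pair. Certificates issued for that pair are removed with it, so the
! trustpoint that used WEB-KEYS must be re-enrolled once a replacement pair has been generated.
Router(config)# crypto key zeroize rsa WEB-KEYS
% Keys to be removed are named WEB-KEYS.
Do you really want to remove these keys? [yes/no]: yes
!
! Step 4: drop the cached peer public keys (all of them here; an index from
! "show crypto key pubkey-chain rsa" removes a single entry instead).
Router(config)# crypto key zeroize pubkey-chain
Router(config)# exit
! Step 6: nothing should remain under the old label.
Router# show crypto key mypubkey rsa | include WEB-KEYS
Router#
```

Without a label, crypto key zeroize rsa removes every RSA key pair on the router, including the pair SSH uses, so on a remotely managed device confirm the label before answering the prompt.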