Multiple Context Mode with RSA Key Pairs

When in multi mode, if you do the following:

 

Rack2ASA2/ContextA(config)# cry key zeroize rsa
WARNING: All RSA keys will be removed.
WARNING: All device certs issued using these keys will also be removed.

Do you really want to remove these keys? [yes/no]: yes
Rack2ASA2/ContextA(config)#

 

does it delete the RSA keys for ContextB as well? Are the keys device-specific or context-specific? I'm trying to enable ssh on each context and want to know if I need to have keys generated in each context.

 

Thanks

 

Brandon

Comments

  • It looks like they are NOT the same key. See what I bolded and underlined below...

     

    Rack2ASA2/ContextA(config)# sh cry key mypubkey rsa
    Key pair was generated at: 17:33:50 UTC Jul 19 2008
    Key name: <Default-RSA-Key>
     Usage: General Purpose Key
     Modulus Size (bits): 1024
     Key Data:

      30819f30 0d06092a 864886f7 0d010101 05000381 8d003081 89028181 00bdd7d5
      3d491b6a b15df4d2 da2e9f33 735ea192 590ffd41 dff3378b f6c6989b 9cea4f25
      2535fa14 f8dae381 82c61d64 20d280ff 0ba84035 7135937b 0e2d8f7a e87c2469
      b80fa755 0684ed6c 894443ee 7bdc3d97 6de5cddc 44eed30b df7a9b01 2de99d60
      a38248ef 5bf1d18f 35c28501 af1f0454 780de6b2 261455e4 a361d6bc e7020301 0001
    Rack2ASA2/ContextA(config)# changeto con ContextB
    Rack2ASA2/ContextB(config)# sh cry key mypubkey rsa
    Key pair was generated at: 17:25:36 UTC Jul 19 2008
    Key name: <Default-RSA-Key>
     Usage: General Purpose Key
     Modulus Size (bits): 1024
     Key Data:

      30819f30 0d06092a 864886f7 0d010101 05000381 8d003081 89028181 00b8282a
      9136ef03 f0a95721 b203aab9 c5ee487d 2e3a3a0e 4d99c38b e036b70a fd117fc2
      0edfe823 b9c0c396 b87fe4bf 8d519efa 2654427e c67823b4 904d7913 51f12cd8
      cdfe908e 81bbc38b d23cca0b fb02b175 3c5f8cce 84d7b42a 45bd8106 9318ad96
      0e2bde21 1f9315c7 bf61233f 52a35169 45ebc08e e0e8cf9c 8a106671 5f020301 0001
    Rack2ASA2/ContextB(config)#
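The two "Key Data" dumps above are DER-encoded SubjectPublicKeyInfo structures, so the question "same key or not?" can be settled mechanically rather than by eyeballing hex. The following is an added example, not code from the thread or from Cisco: it parses the `sh cry key mypubkey rsa` output exactly as posted above, pulls the RSA modulus and exponent out of the DER, and compares the contexts by public-key fingerprint. The parser, the fingerprint and the `contexts_share_key` check are this example's own logic and assumptions; the ASA has no such command.

```python
"""Verify that two ASA security contexts report different RSA key pairs.

Added example; not code from the thread or from Cisco.  It parses the text of
"sh cry key mypubkey rsa" captured from ContextA and ContextB, decodes the DER
SubjectPublicKeyInfo printed under "Key Data:", and compares the contexts'
public keys by SHA-256 fingerprint of the DER.
"""
import hashlib
import re

# Sample copied from the show output posted in the thread (two contexts).
SAMPLE = """\
Rack2ASA2/ContextA(config)# sh cry key mypubkey rsa
Key pair was generated at: 17:33:50 UTC Jul 19 2008
Key name: <Default-RSA-Key>
 Usage: General Purpose Key
 Modulus Size (bits): 1024
 Key Data:

  30819f30 0d06092a 864886f7 0d010101 05000381 8d003081 89028181 00bdd7d5
  3d491b6a b15df4d2 da2e9f33 735ea192 590ffd41 dff3378b f6c6989b 9cea4f25
  2535fa14 f8dae381 82c61d64 20d280ff 0ba84035 7135937b 0e2d8f7a e87c2469
  b80fa755 0684ed6c 894443ee 7bdc3d97 6de5cddc 44eed30b df7a9b01 2de99d60
  a38248ef 5bf1d18f 35c28501 af1f0454 780de6b2 261455e4 a361d6bc e7020301 0001
Rack2ASA2/ContextA(config)# changeto con ContextB
Rack2ASA2/ContextB(config)# sh cry key mypubkey rsa
Key pair was generated at: 17:25:36 UTC Jul 19 2008
Key name: <Default-RSA-Key>
 Usage: General Purpose Key
 Modulus Size (bits): 1024
 Key Data:

  30819f30 0d06092a 864886f7 0d010101 05000381 8d003081 89028181 00b8282a
  9136ef03 f0a95721 b203aab9 c5ee487d 2e3a3a0e 4d99c38b e036b70a fd117fc2
  0edfe823 b9c0c396 b87fe4bf 8d519efa 2654427e c67823b4 904d7913 51f12cd8
  cdfe908e 81bbc38b d23cca0b fb02b175 3c5f8cce 84d7b42a 45bd8106 9318ad96
  0e2bde21 1f9315c7 bf61233f 52a35169 45ebc08e e0e8cf9c 8a106671 5f020301 0001
Rack2ASA2/ContextB(config)#
"""

# Prompt line that starts each context's dump; group 1 is the context name.
PROMPT = re.compile(r"^\s*\S+/(\S+)\(config\)# sh cry key mypubkey rsa\s*$", re.M)
# A line consisting only of hex groups, as printed under "Key Data:".
HEX_LINE = re.compile(r"\s*(?:[0-9a-fA-F]{2,8}\s*)+")


def _tlv(buf, pos):
    """Read one DER tag/length/value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length (0x81 0x9f etc.)
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def rsa_public_numbers(spki):
    """Return (n, e) from a DER SubjectPublicKeyInfo carrying an RSA key."""
    tag, body, _ = _tlv(spki, 0)           # SubjectPublicKeyInfo ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("not a SEQUENCE")
    _, _alg, pos = _tlv(body, 0)           # AlgorithmIdentifier (rsaEncryption)
    tag, bits, _ = _tlv(body, pos)         # subjectPublicKey BIT STRING
    if tag != 0x03 or bits[0] != 0:
        raise ValueError("unexpected BIT STRING")
    _, rsa, _ = _tlv(bits, 1)              # RSAPublicKey ::= SEQUENCE {n, e}
    _, n, pos = _tlv(rsa, 0)
    _, e, _ = _tlv(rsa, pos)
    return int.from_bytes(n, "big"), int.from_bytes(e, "big")


def parse_show_output(text):
    """Map each context name to the RSA key details it reported."""
    parts = PROMPT.split(text)             # [pre, ctx, body, ctx, body, ...]
    results = {}
    for ctx, body in zip(parts[1::2], parts[2::2]):
        hex_lines, in_key = [], False
        for line in body.splitlines():
            if "Key Data:" in line:
                in_key = True
            elif in_key and HEX_LINE.fullmatch(line):
                hex_lines.append(line)
            elif in_key and line.strip():
                break                      # first non-hex line ends the dump
        spki = bytes.fromhex("".join(hex_lines).replace(" ", ""))
        n, e = rsa_public_numbers(spki)
        results[ctx] = {
            "key_name": re.search(r"Key name: (.+)", body).group(1).strip(),
            "generated": re.search(r"generated at: (.+)", body).group(1).strip(),
            "modulus_bits": n.bit_length(),
            "exponent": e,
            "modulus_prefix": format(n, "x")[:8],
            "fingerprint": hashlib.sha256(spki).hexdigest(),
        }
    return results


def contexts_share_key(results):
    """True when two or more contexts report the same public key."""
    fps = [info["fingerprint"] for info in results.values()]
    return len(fps) != len(set(fps))


if __name__ == "__main__":
    keys = parse_show_output(SAMPLE)
    for ctx, info in keys.items():
        print(f"{ctx}: {info['key_name']} {info['modulus_bits']}-bit "
              f"e={info['exponent']} sha256={info['fingerprint'][:16]}...")
    print("shared key across contexts:", contexts_share_key(keys))
```

Running it on the thread's output shows both contexts hold a 1024-bit key with the same name (`<Default-RSA-Key>`) and the same exponent but different moduli and different fingerprints, which is the expected result when each context keeps its own key pair. The same script can be pointed at a capture from every context on a box to confirm that a `zeroize` or `generate` in one context did not touch the others.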

  • They shouldn't be the same key because the logic is that ContextA and ContextB are two different customers who are managing their own contexts. If CustomerA goes into ContextA and deletes the rsa keys for CustomerB I'm sure there would be a bug fix along the way immediately ;)

    Brian McGahan, CCIE #8593 (R&S/SP/Security)
    [email protected]
    Internetwork Expert, Inc.
    http://www.InternetworkExpert.com
    Toll Free: 877-224-8987 x 705
    Outside US: 775-826-4344 x 705
    Online Community: http://www.IEOC.com
    CCIE Blog: http://blog.internetworkexpert.com

    Internetwork Expert - The Industry Leader in CCIE Preparation

    http://www.internetworkexpert.com



    Subscription information may be found at:

    http://www.ieoc.com/forums/ForumSubscriptions.aspx

  • Thanks Brian!


    On Jul 19, 2008, at 10:02 AM, Brian McGahan wrote:
    They shouldn't be the same key because the logic is that ContextA and ContextB are two different customers who are managing their own contexts.  If CustomerA goes into ContextA and deletes the rsa keys for CustomerB I'm sure there would be a bug fix along the way immediately ;)
