How to force IOS PKI Server to use 2048 and not 1024

I am using my AAP to work on Cristian Matei’s “CCIE Security V4 Lab Preparation”.

On Chapter “IKEv1 with PKI” at 31:52.

I am doing it a little different, so please bear with me; I am enrolling self-signed for root and terminal for identity.

I want to use 2048 and not 1024 for RSA keys.

However, every time I build my “crypto pki server R7” it always builds 1024:

“% Generating 1024 bit RSA keys, keys will be non-exportable with redundancy…”

In the “crypto pki trustpoint R7” I reference a set of keys I made (“rsakeypair R7”) with 2048:

“crypto key generate rsa general-keys label R7 modulus 2048 exportable”

But no luck, the server drops down to 1024.

On the other routers, I need to make the keys 1024 and not 2048 for the CA’s trustpoint, which makes sense.

If I make the keys 2048, I get this error: “% You must authenticate the Certificate Authority before you can import the router's certificate.”

But when I make a set of keys with 1024, and reference these keys in the trust point, it all works fine.

Anybody know how or if I can get my PKI test lab up to 2048?

Looks like the “long pole in the tent” is my method of building the PKI server.

crypto pki trustpoint R7
 enrollment selfsigned
 serial-number none
 fqdn none
 ip-address none
 subject-name CN=R7, ou=Matt, o=Butcher, l=Baltimore, st=MD, c=US, [email protected]
 revocation-check none
 rsakeypair R7
 hash sha1

Comments

  • Matt

    Can you verify that the router in question is using a K9 image and NOT a K8 image?

    You need a K9 image to support 3DES and AES, and to support key lengths above 1024.

    Cheers, 

    Christopher M. Heffner, CCIE 8211, CCSI 98760, CICSS

    Sent from my iPhone6+
    Please excuse typos


    On Sep 7, 2015, at 10:21 PM, [email protected] <[email protected]> wrote:

  • Hello Christopher,

    Thanks so much for taking the time to look at my issue.

    I double checked and yes, I am using a “K9” image.

    Below is the file I used for the install along with the output from the CSR:

    csr1000v-universalk9.03.14.01.S.155-1.S1-std.ova

    R7#sh ver | i Software(.*)K9
    Cisco IOS Software, CSR1000V Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), Version 15.5(1)S1, RELEASE SOFTWARE (fc1)

  • It's either an order of operations issue, or CSR PKI does not support that size, or a bug. To ensure there is no order of configuration problem, do it like this:

    1. Generate the RSA key pair, give it a name/label
    2. Enable HTTP server and configure the PKI server, but do NOT enable the PKI server (just crypto pki server TEST)
    3. Attach the RSA keypair to the trustpoint (crypto pki trustpoint TEST, rsakeypair RSA_NAME)
    4. Enable the PKI server (no shutdown).
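The four steps above written out as one IOS CLI session, added here as an example; it is not configuration from the thread, from the course or from INE. The server name TEST, the key label CA-KEYS, the issuer name, the lifetimes and the `database level` setting are assumed values; the `show` commands at the end are what you would run afterwards to confirm that the CA certificate was built from the 2048-bit pair rather than from a pair the server generated on its own.

```cisco
! Added example (not from the thread): IOS CA server built so that the
! CA certificate is signed with a pre-generated 2048-bit key pair.
! TEST, CA-KEYS, the issuer-name and the lifetimes are assumed values.
!
! Step 1: generate the key pair first, under a label the trustpoint can reference.
crypto key generate rsa general-keys label CA-KEYS modulus 2048 exportable
!
! Step 2: HTTP server (SCEP transport), then the PKI server, left shut down for now.
ip http server
crypto pki server TEST
 database level complete
 issuer-name CN=TEST-CA,O=Lab,C=US
 lifetime ca-certificate 1825
 lifetime certificate 365
 exit
!
! Step 3: bind the labelled pair to the trustpoint that "crypto pki server TEST"
! created, before the server is enabled and can generate a pair of its own.
crypto pki trustpoint TEST
 rsakeypair CA-KEYS
 exit
!
! Step 4: only now bring the server up. IOS asks for a passphrase to protect
! the CA private key and then signs the CA certificate with CA-KEYS.
crypto pki server TEST
 no shutdown
 exit
!
! Verify: the server should be enabled and the CA certificate should report a
! 2048-bit RSA public key; the key list should show CA-KEYS, not an auto-generated pair.
do show crypto pki server
do show crypto pki certificates verbose TEST
do show crypto key mypubkey rsa
end
```

Requests are left to be granted manually (no `grant auto`), which is the safer default for a CA even in a lab; the point of the ordering is simply that the trustpoint already names a key pair at the moment the server is enabled, so nothing is generated for it at that step.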
