% Rsa keys can't be generated by the startup configuration

Unanswered Question
Jan 29th, 2008

Question I:

We are seeing the following error when we tftp the config to startup-config of the router and then reboot the router.

% Rsa keys can't be generated by the startup configuration

If we tftp the config without the following commands and then put it in manually after the tftp load it works fine :

crypto key gen rsa gen mod 1024

I did the following on a Cisco 3745 router running 12.4 in the lab :

1. Copied the config from router to tftp server.

2. Added the following two command to the saved config on the tftp server:

ip domain-name test

crypto key gen rsa gen mod 1024

3. Tftp'ed the new config to the router's startup-config.

4. Reloaded the router and got the error message:

% Rsa keys can't be generated by the startup configuration

Question II:

The command crypto key gen rsa gen mod 1024 - where does this command generate and write the key to, NVRAM or Flash? So maybe it has to be just done once and maybe that is what I am doing wrong by putting the command in the startup config and maybe that is why I am seeing the error message.

glen.grant Tue, 01/29/2008 - 20:12

I have seen problems trying this also, so maybe it just has to be done manually. Once you create the file it does not change again. It is kept over reloads so it would not have to change. The key is permanent in NVRAM unless you zeroize it. Believe it is kept in the private-config file in NVRAM. To verify this just remove that crypto key gen statement and reload the box; the key will still be there if you have already created it. Verify with the "show crypto key my rsa" command.

Richard Burts Tue, 01/29/2008 - 20:21

The command to generate the keys operates through the parser when you are online with the router - and apparently not if you attempt it from the startup config.

To me attempting to TFTP the command to startup is not worth the effort that it takes. I always put the initial config into the router, manually generate the key, and forget about the key. I agree with Glen that once you generate the key it is relatively permanent. As Glen points out if you zeroize the key it will need to be regenerated. Or if you change the hostname of the router or the domain name of the router it will invalidate the key and you will need to regenerate it.
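The workaround both replies describe (strip the key-generation line from the file you TFTP to startup-config, then generate the key by hand after the reload) can be checked before the upload. The script below is an added example, not from the thread or from Cisco; it assumes IOS-style keyword abbreviation (so "crypto key gen rsa" and "crypto key generate rsa" match), does not check prefix ambiguity, and uses a constructed sample config modelled on the poster's lab setup.

```python
"""Pre-flight check for a config that will be TFTP'ed into startup-config.
IOS refuses `crypto key generate rsa` replayed from startup-config, so the
key-generation lines are pulled out and listed for the operator to type at
the console after the reload. Prefix ambiguity is NOT checked (assumption)."""

_RSA_KEYGEN = ("crypto", "key", "generate", "rsa")  # full spelling of the command

def is_rsa_keygen(line):
    """True if `line` is `crypto key generate rsa ...` in any IOS abbreviation."""
    tokens = line.strip().lower().split()
    if len(tokens) < len(_RSA_KEYGEN):
        return False
    return all(kw.startswith(tok) for tok, kw in zip(tokens, _RSA_KEYGEN))

def split_startup_config(config_text):
    """Return (lines safe for startup-config, key-generation lines to run by hand)."""
    keep, manual = [], []
    for line in config_text.splitlines():
        (manual if is_rsa_keygen(line) else keep).append(line.rstrip())
    return keep, manual

def missing_keygen_prereqs(lines):
    """The key is tied to hostname and domain name; report whichever is absent."""
    stripped = [l.strip().lower() for l in lines]
    missing = []
    if not any(s.startswith("hostname ") for s in stripped):
        missing.append("hostname")
    if not any(s.startswith(("ip domain-name ", "ip domain name ")) for s in stripped):
        missing.append("ip domain-name")
    return missing

def post_boot_commands(manual):
    """Console session for after the reload: generate, verify, then save to NVRAM."""
    return ["configure terminal", *manual, "end",
            "show crypto key mypubkey rsa",  # full-keyword form of the verify command
            "write memory"]

# Constructed sample modelled on the thread's lab config (not from a real device).
SAMPLE_CONFIG = """hostname lab-3745
ip domain-name test
crypto key gen rsa gen mod 1024
interface FastEthernet0/0
 ip address 192.0.2.1 255.255.255.0
end
"""

if __name__ == "__main__":
    keep, manual = split_startup_config(SAMPLE_CONFIG)
    print("\n".join(keep))
    print("missing prerequisites:", missing_keygen_prereqs(keep) or "none")
    print("\n".join(post_boot_commands(manual)))
```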
