Does RSA Encryption Key Change when you change Hostname?

Unanswered Question
Jun 4th, 2008
User Badges:


I am replacing a 2621 running RSA encryption with a 2811. I am changing the hostname of the router, which, I am told, will cause me to need to generate a new RSA encryption key on the 2811. I want to confirm whether it is the hostname, the domain name or both that affects the RSA encryption key. Thus, if I change ONLY the hostname will I need to generate a new encryption key.

Thank you.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 4 (2 ratings)

You'll need to generate new RSA key anyway, because startup-config doesn't store the key.

The only way to move the keypair from one router to another is to generate it as exportable:

crypto key generate rsa general-keys [label key-label] [modulus modulus-size] exportable

Then you can export both private and public keys:

crypto key export rsa key-label pem url {des | 3des} passphrase

This command should create two files (.prv and .pub) in .

Import keypair on another router:

crypto key import rsa pem [exportable] url {des | 3des} passphrase

And you don't need the same hostname on another router.

michael.leblanc Wed, 06/04/2008 - 06:50
User Badges:
  • Silver, 250 points or more

Yes, changing the hostname will require you to generate new RSA keys.

I believe changing the domain name alone would also require generation of new RSA keys.

The SSH procedure stipulates that both of these parameters require configuration prior to key generation, and this is a clue that a change to either would render the pre-existing keys useless.

This is not correct. I just tested it (changed the hostname) and SecurCRT didn't even warn me that something is wrong with the key. Also, if you name the keypair explicitly with the "label" option, the name of the keypair will not be the same as the router's hostname anyway.

Richard Burts Wed, 06/04/2008 - 07:10
User Badges:
  • Super Silver, 17500 points or more
  • Hall of Fame,

    Founding Member

  • Cisco Designated VIP,

    2017 LAN, WAN


I am curious what is different in your experience than my experience. I have had the experience multiple times that if I change the hostname of a router that it invalidates the RSA key and I need to regenerate it before SSH will work to that router.

At the risk of asking the obvious question, was your SecurCRT session set for SSH or for telnet?



:) yes it was SSH:

Initially the router was configured with "ip ssh version 1". I changed the hostname and got no warnings. Then I changed the config to "ip ssh version 2", reconnect and saw the SecureCRT warning (bla-bla) (probably because the version changed). Then changed the hostname again -- no warning!

sh ver

(C3725-ADVIPSERVICESK9-M), Version 12.4(15)T3

What I discovered right now is that this IOS version changes the keypair name when the hostname changes:

STEND-3725#sh cry key m r

% Key pair was generated at: 18:34:07 MSD Jun 15 2007


Key name:

STEND-3725#conf t

Enter configuration commands, one per line. End with CNTL/Z.

STEND-3725(config)#hostname QQQ

QQQ#sh cry key m r

% Key pair was generated at: 18:54:40 MSD Jun 4 2008

Key name:

The key was not regenerated. Just the name was changed.

Richard Burts Wed, 06/04/2008 - 07:26
User Badges:
  • Super Silver, 17500 points or more
  • Hall of Fame,

    Founding Member

  • Cisco Designated VIP,

    2017 LAN, WAN


If the key was not regenerated why does the show crypto key indicate that the key generation date is June 4 2008 instead of June 15 2007 as shown in the first show command?



I noticed this too, but:

1) the "body" of the (public) key is the same

2) changing the hostname again doesn't change the date (believe me :)

STEND-3725(config)#hostname dgdgldfkjglfdkjg


dgdgldfkjglfdkjg#sh cry k m r

% Key pair was generated at: 18:54:40 MSD Jun 4 2008

Key name:

Temporary key

Usage: Encryption Key

Key is not exportable.

Key Data:

307C300D 06092A86 4886F70D 01010105 00036B00 30680261 00A653C6 A9AA43BC

174CB367 5548CFD5 ADE85676 144A4EBC 7F8B99DF 061D875F 8767ABD0 2C5765D0

0303EEAE A502917E 36473206 DF702118 2AD55F2E A1806958 32F1DE81 E04BDE69

0A6769CA 971BB760 B129D7C3 D09018BA 8BA430F8 01386226 11020301 0001

michael.leblanc Wed, 06/04/2008 - 07:10
User Badges:
  • Silver, 250 points or more

Although I appreciate bringing the "label" option to my attention, I'm not sure your SecurCRT test verifies "all" circumstances.

e.g.: I changed the hostname on an IPSec VPN endpoint that was configured to use "authentication rsa-encr" (ISAKMP policy). The endpoints were also configured with the "crypto isakmp identity hostname" command.

The devices failed to establish an ISAKMP SA after the hostname was change.

I agree.

It seems that there are two cases:

1. key-label wasn't specified. In this case the keypair is tied to the "current" hostname (if the hostname changes the keypairname changes too).

2. key-label is specified. In this case the keypairname is fixed.

Not sure what does IOS SSH server send to the client: hostname, keypairname or nothing. Anyway I don't see any warnings on the client side.


This Discussion