I am doing certificate authentication for site to site VPNs. I am using MSCEP to obtain the certs from my MS Windows CA. The (remote) router requesting the certs is an 891 running IOS 12.4(22)YB.
The following config/commands are used to get the cert:
crypto pki trustpoint MY-CA
enrollment mode ra
enrollment url http://10.0.0.5:80/certsrv/mscep/mscep.dll
crypto pki certificate storage flash:/CERTS/
crypto ca authenticate MY-CA
crypto ca enroll MY-CA
This all works fine, but the key that gets generated during the MSCEP request is only 512 bytes, which is too small for SSH version 2. Getting a new cert causes the SSH service on the 891 to revert to version 1.5.
Is there some way to specify that the keys that the MSCEP requests auto-generate be 1024 bytes? SSH version 2 requires at least 768 bytes.
I know how to manually generate a larger key for SSH but doing that breaks any existing certs obtained via MSCEP.
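As an added illustration (not the poster's config), IOS lets a trustpoint be bound to a pre-generated, named RSA keypair with the `rsakeypair` keyword, so SCEP enrollment reuses that key instead of auto-generating its own; a separate keypair can also be dedicated to SSH with `ip ssh rsa keypair-name`. Key labels and modulus sizes below are assumptions; the trustpoint name and URL are taken from the question.

```cisco
! Added example, not from the original post. Generate a named RSA keypair of an
! explicit modulus size (bits) before enrolling, so MSCEP does not create a
! small key of its own. Labels and sizes are assumptions.
crypto key generate rsa general-keys label MY-CA-KEY modulus 2048
!
crypto pki trustpoint MY-CA
 enrollment mode ra
 enrollment url http://10.0.0.5:80/certsrv/mscep/mscep.dll
 rsakeypair MY-CA-KEY
!
crypto pki certificate storage flash:/CERTS/
crypto ca authenticate MY-CA
crypto ca enroll MY-CA
!
! Keep SSH on its own keypair so re-enrolling the PKI key can no longer
! pull the SSH server back to version 1.5.
crypto key generate rsa general-keys label SSH-KEY modulus 2048
ip ssh rsa keypair-name SSH-KEY
ip ssh version 2
```

After enrolling, `show crypto key mypubkey rsa` should list both labels with their sizes, and `show ip ssh` should report version 2.0 only.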