I'm testing Cisco IOS CA on 12.4 code with a CA and Sub-CAs. When I created my CA, I specified a 2048bit rsa key that I had generated earlier in the associated trustpoint and when I enabled the pki server, it used the key specified. I want the CA and Sub-CAs to be able to use the rollover function. However, in testing, if I force rollover, the newly created rsa keypair generated is only 1024bit. Is there a way to force the CA or Sub-CAs to generate a new 2048bit rsa keypair on rollover? If not, is there a way to force rollover to use the same key pair as specified in the associated trustpoint before?