IOS CA rollover rsa key size - 2048bit??

Unanswered Question
Jul 21st, 2010

I'm testing Cisco IOS CA on 12.4 code with a CA and Sub-CAs. When I created my CA, I specified a 2048bit rsa key that I had generated earlier in the associated trustpoint and when I enabled the pki server, it used the key specified.  I want the CA and Sub-CAs to be able to use the rollover function. However, in testing, if I force rollover, the newly created rsa keypair generated is only 1024bit. Is there a way to force the CA or Sub-CAs to generate a new 2048bit rsa keypair on rollover? If not, is there a way to force rollover to use the same key pair as specified in the associated trustpoint before?

michael.leblanc Tue, 07/27/2010 - 13:11

Deploying Cisco IOS Security with a Public-Key Infrastructure, page 13, paragraph 2.

"Auto-enroll can also regenerate the keypair associated with re-enrollment of the cert. If the specified key does not exist, or if the optional parameter regenerate is given to the auto-enroll command, a new keypair will be generated. The rsakeypair subcommand will specify the name and size(s)."

Looks to me that generation of a new keypair is optional with auto-enrollment (based on whether you use the optional parameter "regenerate", or not).

E.g.: auto-enroll vs. auto-enroll regenerate

If you use the optional parameter "regenerate", I believe you can specify the keypair name and size.


crypto pki trustpoint ca.domain.null
 rsakeypair hostname.domain.null 2048
 auto-enroll regenerate

Note: This is my opinion, based on the text in the document. I have not proven this to be factual.

Hope that is of some help. I have attached the document to this post.

Best Regards,

michael.leblanc Thu, 07/29/2010 - 10:25

More info.

See the attached command reference for "auto-enroll". Of particular interest is the example on the second page.

Best Regards,


rcullum Fri, 08/06/2010 - 03:37

Hi Mike

It's not the auto-enroll I have an issue with. It's the auto-rollover function that creates a new CA or Sub-CA certificate and keypair. The first time you create a cert manually, you can specify a named 2048bit keypair that you would like to use. However, the auto-rollover function appears to only use an auto-generated 1024bit keypair. I'm trying to determine if you can specify a 2048bit or named 2048bit keypair to use in conjunction with the auto-rollover command.

jonathanaxford Tue, 12/31/2013 - 04:53

Hi All,

Did anyone get to the bottom of this? Long shot given how old the thread is, but I am seeing the exact same issue when trying to set up Auto Rollover.

The initial Root CA creation is fine with a key size of 4096, but as soon as it initiates the rollover process, it always regenerates a 1024 bit key...
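As an added example (not configuration posted by anyone in this thread) of the setup under discussion: a trustpoint bound to an explicitly named 2048-bit key pair, an IOS CA server with auto-rollover enabled, and the show commands to run after a forced rollover to confirm which key size the rollover actually generated. ROOT-CA and ROOT-CA-KEY are assumed labels, and the lifetimes are placeholder values.

```cisco
! Added example, not from the thread. Labels ROOT-CA / ROOT-CA-KEY are assumed.
! 1) Generate a named 2048-bit key pair and bind it to the CA's trustpoint.
crypto key generate rsa general-keys label ROOT-CA-KEY modulus 2048 exportable
!
crypto pki trustpoint ROOT-CA
 rsakeypair ROOT-CA-KEY 2048
!
! 2) The CA server uses the trustpoint of the same name; enable auto-rollover
!    (time period in days before CA certificate expiry, placeholder value).
crypto pki server ROOT-CA
 database level complete
 lifetime ca-certificate 3650
 auto-rollover 60
 no shutdown
!
! 3) From exec mode, force a rollover and then inspect what was produced.
!    Compare the modulus of the newly generated key against the 2048 bits
!    of ROOT-CA-KEY, and check the public key in the rollover certificate.
! crypto pki server ROOT-CA rollover
! show crypto key mypubkey rsa
! show crypto pki server
! show crypto pki certificates
```

If the rollover key reported by show crypto key mypubkey rsa is smaller than the trustpoint's key, that is the behaviour described above; the rollover can be backed out with the cancel form of the rollover command before the shadow certificate becomes active.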