IOS CA rollover rsa key size - 2048bit??

Unanswered Question
Jul 21st, 2010
I'm testing Cisco IOS CA on 12.4 code with a CA and Sub-CAs. When I created my CA, I specified a 2048-bit RSA key that I had generated earlier in the associated trustpoint, and when I enabled the PKI server, it used the key specified. I want the CA and Sub-CAs to be able to use the rollover function. However, in testing, if I force rollover, the newly created RSA keypair generated is only 1024-bit. Is there a way to force the CA or Sub-CAs to generate a new 2048-bit RSA keypair on rollover? If not, is there a way to force rollover to use the same key pair as specified in the associated trustpoint before?

michael.leblanc Tue, 07/27/2010 - 13:11


Deploying Cisco IOS Security with a Public-Key Infrastructure, page 13, paragraph 2.

"Auto-enroll can also regenerate the keypair associated with re-enrollment of the cert. If the specified key does not exist, or if the optional parameter regenerate is given to the auto-enroll command, a new keypair will be generated. The rsakeypair subcommand will specify the name and size(s)."

Looks to me like generation of a new keypair is optional with auto-enrollment (based on whether you use the optional parameter "regenerate" or not).

E.g.: auto-enroll vs. auto-enroll regenerate

If you use the optional parameter "regenerate", I believe you can specify the keypair name and size.


          crypto pki trustpoint ca.domain.null
          rsakeypair hostname.domain.null 2048
          auto-enroll regenerate

Note: This is my opinion, based on the text in the document. I have not proven this to be factual.

Hope that is of some help. I have attached the document to this post.

Best Regards,

michael.leblanc Thu, 07/29/2010 - 10:25


More info.

See the attached command reference for "auto-enroll". Of particular interest is the example on the second page.

Best Regards,


rcullum Fri, 08/06/2010 - 03:37

Hi Mike

It's not the auto-enroll I have an issue with. It's the auto-rollover function that creates a new CA or Sub-CA certificate and keypair. The first time you create a cert manually, you can specify a named 2048-bit keypair that you would like to use. However, the auto-rollover function appears to only use an auto-generated 1024-bit keypair. I'm trying to determine if you can specify a 2048-bit or named 2048-bit keypair to use in conjunction with the auto-rollover command.

jonathanaxford Tue, 12/31/2013 - 04:53

Hi All,

Did anyone get to the bottom of this? Long shot given how old the thread is, but I am seeing the exact same issue when trying to set up Auto Rollover.

The initial Root CA creation is fine with a key size of 4096, but as soon as it initiates the rollover process, it always regenerates a 1024-bit key...



aokmio123 Thu, 06/22/2017 - 01:42

### UPDATE ###

After the reboot, even with the workaround, rollover will still generate a 1024-bit key. So the only thing that works for sure is to generate the RSA key before rollover starts.


OK, I did some digging, and I think I found the workaround for this problem. I did not see any document mentioning it, other than this thread, so I decided to write it up for the others.

Stop the server. Then add the following config in the trustpoint for the CA server.

rsakeypair <use server name> <360-4096>

This trustpoint is usually automatically created when the server is initially started.

Don't forget to use the server name for the key; otherwise it doesn't seem to work.

Also, try this a couple of times, because for some strange reason it doesn't catch the configuration change.

If you can, I really recommend starting all over by making the trustpoint first, before starting the server, and specifying the key length. That way, you don't have to generate an RSA key to use a key length other than 1024, and it will keep using the specified key length.

There is also another trick that I found; however, this trick is one-time only, so you have to do it every time rollover happens. The trick is simple: just generate the key with the following command.

crypto key generate rsa modulus <360-4096> label <CA's keyname># exportable

Label your key with "#" at the end. If you happen to have a rollover CA in your router,

type show crypto key mypubkey rsa and you'll know what I'm saying. It seems that when rollover kicks in, it generates the exact same key name with #; yes, it will skip generation when the key exists, and when the time is right, it overrides the original key.

If the first workaround did not work for you, you should try the last one, even though it's not a permanent solution.


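The procedure from the last post, laid out as one complete IOS CLI sequence: the preferred path (named key and trustpoint first, server second), the workaround for a server that already exists, the one-time "#" key trick, and the show commands to confirm the result instead of assuming it. This is an added example, not configuration posted in the thread. The server and trustpoint name ROOT-CA, the 2048-bit modulus, the issuer name, the lifetimes and the 30-day rollover lead time are assumptions; the commands themselves are standard IOS PKI commands and the three techniques are the ones the thread describes.

```cisco
! Added example, not from the thread. Assumed values: server/trustpoint
! ROOT-CA, 2048-bit modulus, example issuer name, lifetimes and a 30-day
! rollover lead time.
configure terminal

! --- Preferred path: key and trustpoint first, server second ---------------
! The key label equals the server name; the thread reports that rollover
! only honours the configured size when the label matches.
crypto key generate rsa modulus 2048 label ROOT-CA
!
crypto pki trustpoint ROOT-CA
 rsakeypair ROOT-CA 2048
!
crypto pki server ROOT-CA
 issuer-name CN=ROOT-CA,O=Example
 lifetime ca-certificate 1825
 lifetime certificate 365
 auto-rollover 30
 no shutdown

! --- Workaround for a server that already exists ---------------------------
! Stop the server, pin the key name and size in its auto-created trustpoint,
! then start it again. The thread says this sometimes needs a second try and
! did not survive a reload for one poster.
crypto pki server ROOT-CA
 shutdown
!
crypto pki trustpoint ROOT-CA
 rsakeypair ROOT-CA 2048
!
crypto pki server ROOT-CA
 no shutdown

! --- One-time trick: pre-create the "#" rollover key -----------------------
! Rollover reuses an existing key labelled <server name># instead of
! generating a 1024-bit one. Repeat before every rollover.
crypto key generate rsa modulus 2048 label ROOT-CA# exportable
end

! --- Verification ----------------------------------------------------------
! Key labels present (ROOT-CA and, after the trick, ROOT-CA#), rollover
! state and fingerprints, and the key size of the rollover certificate.
show crypto key mypubkey rsa
show crypto pki server
show crypto pki certificates verbose
```

The thread's own caveats carry over: the workaround may need to be entered more than once and did not survive a reboot for one poster, while the "#" trick has to be repeated before each rollover. The `exportable` keyword is kept on the trick because that is how the post gives the command; it only matters if you intend to back the private key up, and leaving it off keeps the key non-exportable. After a rollover, the verbose certificate listing is where the new key's size is actually stated, so check that rather than trusting the rsakeypair line.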