I'm testing Cisco IOS CA on 12.4 code with a CA and Sub-CAs. When I created my CA, I specified a 2048-bit RSA key that I had generated earlier in the associated trustpoint, and when I enabled the PKI server, it used the key specified. I want the CA and Sub-CAs to be able to use the rollover function. However, in testing, if I force rollover, the newly created RSA keypair is only 1024-bit. Is there a way to force the CA or Sub-CAs to generate a new 2048-bit RSA keypair on rollover? If not, is there a way to force rollover to use the same keypair as specified in the associated trustpoint before?
Deploying Cisco IOS Security with a Public-Key Infrastructure, page 13, paragraph 2.
"Auto-enroll can also regenerate the keypair associated with re-enrollment of the cert. If the specified key does not exist, or if the optional parameter regenerate is given to the auto-enroll command, a new keypair will be generated. The rsakeypair subcommand will specify the name and size(s)."
Looks to me that generation of a new keypair is optional with auto-enrollment (based on whether you use the optional parameter "regenerate", or not).
E.g.: auto-enroll vs. auto-enroll regenerate
If you use the optional parameter "regenerate", I believe you can specify the keypair name and size.
It's not the auto-enroll I have an issue with. It's the auto-rollover function that creates a new CA or Sub-CA certificate and keypair. The first time you create a cert manually, you can specify a named 2048-bit keypair that you would like to use. However, the auto-rollover function appears to only use an auto-generated 1024-bit keypair. I'm trying to determine if you can specify a 2048-bit or named 2048-bit keypair to use in conjunction with the auto-rollover command.
After the reboot, even with the workaround, rollover will generate a 1024-bit key. So, the only thing that works for sure is generating the RSA key before rollover starts.
Ok, I did some digging, and I think I found the workaround for this problem. I did not see any document mentioning it, other than this thread, so I decided to write it for the others.
Stop the server. Then add the following config in the trustpoint for the CA server:
rsakeypair <use server name> <360-4096>
This trustpoint is usually created automatically when the server is initially started.
Don't forget to use the server name for the key; otherwise it doesn't seem to work.
Also, try this a couple of times, because for some strange reason it doesn't always catch the configuration change.
If you can, I really recommend starting all over by creating the trustpoint first, before starting the server, and specifying the key length there. That way, you don't have to generate an RSA key to use a key length other than 1024, and it will keep using the specified key length.
There is also another trick that I found; however, this trick is one-time only, so you have to do it every time rollover happens. The trick is simple: just generate the key with the following command.
Label your key with "#" at the end. If you happen to have a rollover CA in your router,
type show crypto key mypubkey rsa and you'll see what I mean. It seems that when rollover kicks in, it generates the exact same key name with "#"; yes, it will skip generating when the key already exists, and when the time is right, it overrides the original key.
If the first workaround did not work for you, you should try the last one, even though it's not a permanent solution.
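The two workarounds from the post above, written out as one IOS configuration sequence. This is an added example, not configuration from the thread or from Cisco documentation; the server name MYCA is a hypothetical placeholder, and the commands assume IOS 12.4 CA server syntax. The trustpoint rsakeypair binding is the persistent fix; the pre-generated "MYCA#" key is the one-time fallback that must be repeated after every rollover.

```cisco
! Added example (not from the thread): pin the rollover key size for an
! IOS CA server named MYCA (hypothetical name). Assumes IOS 12.4 syntax.
!
! 1. Stop the CA server so its trustpoint can be edited.
crypto pki server MYCA
 shutdown
!
! 2. In the server's own trustpoint (created automatically when the server
!    was first started), bind a keypair whose label equals the server name.
!    The thread reports rollover only honours this when the label matches
!    the server name; re-apply if the change is not picked up.
crypto pki trustpoint MYCA
 rsakeypair MYCA 2048
!
! 3. Restart the server with automatic rollover enabled.
crypto pki server MYCA
 auto-rollover
 no shutdown
!
! Verification after a rollover: the rollover key is named "MYCA#";
! confirm its modulus is 2048 rather than 1024.
! show crypto key mypubkey rsa
!
! One-time alternative from the thread: pre-generate the rollover key
! yourself with the "#" suffix so rollover reuses it instead of creating a
! 1024-bit key. Repeat after each rollover, since the key is consumed.
crypto key generate rsa general-keys label MYCA# modulus 2048
```

After either step, check the output of show crypto key mypubkey rsa for the key name (MYCA or MYCA#) and the modulus size; a 1024-bit MYCA# entry means the rollover ignored the binding and the one-time key must be generated before the next rollover window.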