Cisco Support Community

Can not access private key

Does anyone know how to recover a private key on a router that was not lost in the first place, I think? I did a password recovery on a router that uses certs for authentication. Once I copied the config back, it continues to say "cannot access private key" when attempting tunnel establishment. I have rebooted the router twice. I can see my cert from the output of "sh cry pki cert" as well as my CA cert. When I copied the config back and forth during password recovery, this must have made the private key inaccessible. Any ideas will be greatly appreciated.

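Added example, not from the thread: an IOS CLI check for the symptom described above, plus the backup and restore commands that avoid it. It assumes a trustpoint named VPN-TP with key label VPN-KEY (placeholders), and that the router's RSA key pairs live in the NVRAM private configuration rather than in the text configuration that was copied back, which is why the certificate is present but its private key is not.

```ios
! 1. Confirm which key pair the certificate's trustpoint expects.
Router# show run | section crypto pki trustpoint
crypto pki trustpoint VPN-TP
 enrollment url http://ca.example.com:80
 rsakeypair VPN-KEY          ! label the certificate was issued against

! 2. List the key pairs actually present. If VPN-KEY is missing here while
!    "show crypto pki certificates" still shows the router cert, IKE cannot
!    sign with it and tunnel setup fails with "cannot access private key".
Router# show crypto key mypubkey rsa

! 3. Prevention: keep an offline copy of certificate chain + key as PKCS#12.
!    Only keys generated with the "exportable" keyword can be exported.
Router(config)# crypto pki export VPN-TP pkcs12 flash:vpn-tp.p12 password <PLACEHOLDER-PASSPHRASE>

! 4. Restore after a password recovery. The import re-creates the trustpoint,
!    so (assumption) delete a stale trustpoint that still holds the old cert first.
Router(config)# no crypto pki trustpoint VPN-TP
Router(config)# crypto pki import VPN-TP pkcs12 flash:vpn-tp.p12 password <PLACEHOLDER-PASSPHRASE>

! 5. Without a backup, the certificate cannot be reunited with a key that no
!    longer exists: generate a new pair and re-enroll with the CA.
Router(config)# crypto key generate rsa label VPN-KEY modulus 2048 exportable
Router(config)# crypto pki enroll VPN-TP
```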



Re: Can not access private key

When you use the kerberos srvtab remote command to copy the SRVTAB file from a remote host (generally the KDC), it parses the information in this file and stores it in the router's running configuration in the kerberos srvtab entry format. The key for each SRVTAB entry is encrypted with a private DES key if one is defined on the router. To ensure that the SRVTAB is available (that is, that it does not need to be acquired from the KDC) when you reboot the router, use the write memory router configuration command to write the router's running configuration to NVRAM.

If you reload a configuration, with a SRVTAB encrypted with a private DES key, onto a router that does not have a private DES key defined, the router displays a message informing you that the SRVTAB entry has been corrupted, and discards the entry.

If you change the private DES key and reload an old version of the router's configuration that contains SRVTAB entries encrypted with the old private DES keys, the router will restore your Kerberos SRVTAB entries, but the SRVTAB keys will be corrupted. In this case, you must delete your old Kerberos SRVTAB entries and reload your Kerberos SRVTABs onto the router using the kerberos srvtab remote command.

Although you can configure a kerberos srvtab entry on the router manually, generally you would not do this because the keytab is encrypted automatically by the router when you copy the SRVTAB using the kerberos srvtab remote command.
