Cisco MDS 9000 Series Configuration Manual page 140

Generating an RSA Key-Pair
Generating an RSA Key-Pair
RSA key-pairs are used to sign and/or encrypt and decrypt the security payload during security protocol
exchanges for applications such as IKE/IPsec and SSH, and they are required before you can obtain a certificate
for your switch.
To generate an RSA key-pair, follow these steps:
Procedure
Step 1 switch# configure terminal
switch(config)#
Enters configuration mode.
Step 2
switch(config)# crypto key generate rsa
Generates an RSA key-pair with the switch FQDN as the default label and 512 as the default modulus. By
default, the key is not exportable.
Note
Note
Step 3 switch(config)# crypto key generate rsa label SwitchA modulus 768
Generates an RSA key-pair with the label SwitchA and modulus 768. Valid modulus values are 512, 768,
1024, 1536, and 2048. By default, the key is not exportable.
Step 4
switch(config)# crypto key generate rsa exportable
Generates an RSA key-pair with the switch FQDN as the default label and 512 as the default modulus. The
key is exportable.
Caution
Note
Creating a Trust Point CA Association
To create a trust point CA association, follow these steps:
Procedure
Step 1
switch(config)# crypto ca trustpoint admin-ca
switch(config-trustpoint)#
Declares a trust point CA that the switch should trust and enters trust point configuration submode.
Note
Cisco MDS 9000 Series Security Configuration Guide, Release 8.x
122
The security policy (or requirement) at the local site (MDS switch) and at the CA (where enrollment
is planned) are considered in deciding the appropriate key modulus.
The maximum number of key-pairs you can configure on a switch is 16.
The exportability of a key-pair cannot be changed after key-pair generation.
Only exportable key-pairs can be exported in PKCS#12 format.
The maximum number of trust points you can declare on a switch is 16.
Configuring Certificate Authorities and Digital Certificates