You must manually create an RSA key with a label and a mod greater than 1024, and you must specify this in the trustpoint. This has to be done before you request a cert from the CA.

crypto key generate rsa label mykey modulus 1024
crypto ca trustpoint IOS_CA
 rsakeypair mykey

Simon Baumann wrote:
>
> Hi,
> I've enrolled R5 to R2 to obtain a certificate for an L2L VPN setup:
>
> R5(config)#
> Jan 19 18:38:01.291: %PKI-6-CERTRENEWAUTO: Renewing the router
> certificate for trustpoint IOS_CA_R2
> R5(config)#%
> % Start certificate enrollment ..
>
> % The subject name in the certificate will include:
> cn=R5.ipexpert.com, ou=CCIE, c=PL
> % The subject name in the certificate will include: R5.ipexpert.com
> % Certificate request sent to Certificate Authority
> % The 'show crypto pki certificate verbose IOS_CA_R2' commandwill show
> the fingerprint.
>
> Jan 19 18:38:16.212: %PKI-6-CERTRENEWAUTO: Renewing the router
> certificate for trustpoint IOS_CA_R2
> R5(config)#
> Jan 19 18:38:17.324: %CRYPTO-6-AUTOGEN: *Generated new 512 bit key pair*
> R5(config)#
> Jan 19 18:38:17.544: CRYPTO_PKI: Certificate Request Fingerprint MD5:
> 56C3F241 107599D5 01540AF4 6C176D94
> Jan 19 18:38:17.544: CRYPTO_PKI: Certificate Request Fingerprint
> SHA1: 44C0E625 6F1B68D8 96FE37A7 7EF2B4D3 C62EF26C
> R5(config)#
>
> I wonder what's the easiest way to improve the key strength above 512
> bit. TIA.
>
> Cheers
> Simon
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please
> visit www.ipexpert.com
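
Added example, not part of either poster's message: a small Python audit for the condition discussed in this thread. It flags %CRYPTO-6-AUTOGEN log lines reporting a small key and lists trustpoints in a saved configuration that have no rsakeypair line. The 1024-bit threshold, the function names and the sample configuration are assumptions made for illustration.

```python
import re

MIN_BITS = 1024  # assumed policy threshold; raise it to match your own standard

AUTOGEN_RE = re.compile(r"%CRYPTO-6-AUTOGEN:\s*\*?Generated new (\d+) bit key pair")
TRUSTPOINT_RE = re.compile(r"^crypto (?:ca|pki) trustpoint (\S+)")
KEYPAIR_RE = re.compile(r"^\s+rsakeypair \S+")

def weak_autogen_events(log_text, min_bits=MIN_BITS):
    """Return the size of every auto-generated key smaller than min_bits."""
    sizes = []
    for line in log_text.splitlines():
        m = AUTOGEN_RE.search(line)
        if m and int(m.group(1)) < min_bits:
            sizes.append(int(m.group(1)))
    return sizes

def trustpoints_without_keypair(config_text):
    """Return names of trustpoints whose block has no 'rsakeypair' line."""
    missing, current, has_key = [], None, False
    # The trailing "!" closes a trustpoint block that ends the file.
    for line in config_text.splitlines() + ["!"]:
        m = TRUSTPOINT_RE.match(line)
        if m or not line.startswith(" "):
            # Any unindented line ends the previous trustpoint block.
            if current and not has_key:
                missing.append(current)
            current, has_key = (m.group(1) if m else None), False
        elif current and KEYPAIR_RE.match(line):
            has_key = True
    return missing

# Log line as quoted in the thread above.
SAMPLE_LOG = "Jan 19 18:38:17.324: %CRYPTO-6-AUTOGEN: *Generated new 512 bit key pair*"

# Constructed configuration: the first trustpoint lacks rsakeypair,
# the second follows the reply's advice.
SAMPLE_CONFIG = """\
crypto pki trustpoint IOS_CA_R2
 enrollment url http://192.0.2.2:80
 auto-enroll 70
!
crypto pki trustpoint IOS_CA
 enrollment url http://192.0.2.2:80
 rsakeypair mykey
!
"""

if __name__ == "__main__":
    print("weak auto-generated keys:", weak_autogen_events(SAMPLE_LOG))
    print("trustpoints without rsakeypair:", trustpoints_without_keypair(SAMPLE_CONFIG))
```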
