I will be honest, I only half read this email.  I was thinking of
certificates.  You can store the RSA keys either on a secure USB token or in
the NVRAM.  Making sure to mark the keys as exportable will allow you to
export them to flash or an external server.  But the initial creation should
be in the private-config or usbtoken.

Regards,

Tyson Scott - CCIE #13513 R&S, Security, and SP

Managing Partner / Sr. Instructor - IPexpert, Inc.

Mailto: [email protected]

Telephone: +1.810.326.1444, ext. 208

Live Assistance, Please visit: www.ipexpert.com/chat

eFax: +1.810.454.0130

IPexpert is a premier provider of Self-Study Workbooks, Video on Demand,
Audio Tools, Online Hardware Rental and Classroom Training for the Cisco
CCIE (R&S, Voice, Security & Service Provider) certification(s) with
training locations throughout the United States, Europe, South Asia and
Australia. Be sure to visit our online communities at
www.ipexpert.com/communities and our public website at www.ipexpert.com

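Added example (not from either poster) of the sequence Tyson describes: generate the pair in the default private-config store or on a USB token, mark it exportable at creation, then export it to flash as passphrase-protected PEM and re-import it on a replacement box. The label MYKEY, the slot name usbtoken0: and the <PASSPHRASE> placeholder are assumptions.

```cisco
! Added example, not from the thread. Assumed: label MYKEY, slot usbtoken0:, <PASSPHRASE>.

! 1. Generate a labelled, exportable 2048-bit pair. With no "storage" keyword the pair
!    lands in private-config (NVRAM) at the next "write memory", as in the thread;
!    "storage flash:" is rejected because flash is not a valid keypair store.
router3(config)# crypto key generate rsa general-keys label MYKEY modulus 2048 exportable

! 1b. Alternatively, generate straight onto a USB token so the private key never sits in NVRAM.
router3(config)# crypto key generate rsa general-keys label TOKENKEY modulus 2048 storage usbtoken0:

! 2. Confirm the storage device and the exportable flag before relying on either pair.
router3# show crypto key mypubkey rsa MYKEY

! 3. Export the pair as 3DES-encrypted PEM files (MYKEY.pub and MYKEY.prv) to flash or a server.
!    Only a pair generated with "exportable" can be exported; the flag cannot be added later.
router3(config)# crypto key export rsa MYKEY pem url flash: 3des <PASSPHRASE>

! 4. On a replacement router, import the same pair (covers the failed-device risk Tyson mentions).
!    Leaving out "exportable" on import means the key cannot be exported again from the new box.
router3(config)# crypto key import rsa MYKEY pem url flash: <PASSPHRASE>
```

The .prv file on flash is only as safe as the passphrase and flash access controls, which is the concern Kings raised, so copy it off and delete it from flash once the backup is elsewhere.
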
From: Kingsley Charles [mailto:[email protected]] 
Sent: Tuesday, September 21, 2010 10:09 AM
To: Tyson Scott
Cc: [email protected]
Subject: Re: [OSL | CCIE_Security] RSA key storage location on IOS router

Hi Tyson

How do I make flash the storage location? I see examples on Cisco sites
specifying flash as the storage location for the RSA keys. Why is it failing
for me? Am I missing something?


With regards
Kings

On Tue, Sep 21, 2010 at 6:54 PM, Tyson Scott <[email protected]> wrote:

It all depends on device security both remote access and physical security.
NVRAM is not a smart place to store a lot of stuff.  And if you only store
it in the NVRAM you have the risk of failed devices.  I personally don't
think it is a wise practice to follow, but that is my opinion.

Regards,

Tyson Scott - CCIE #13513 R&S, Security, and SP

Managing Partner / Sr. Instructor - IPexpert, Inc.

Mailto: [email protected]

Telephone: +1.810.326.1444, ext. 208

Live Assistance, Please visit: www.ipexpert.com/chat

eFax: +1.810.454.0130


From: [email protected]
[mailto:[email protected]] On Behalf Of Kingsley
Charles
Sent: Tuesday, September 21, 2010 8:30 AM
To: [email protected]
Subject: Re: [OSL | CCIE_Security] RSA key storage location on IOS router

If I configure a trustpoint with enrollment as "self" and enroll it, the
generated RSA keys show the storage location as "Storage Device: not specified"

crypto pki trustpoint self
 enrollment selfsigned
 revocation-check crl
 on flash:

With regards
Kings

On Tue, Sep 21, 2010 at 5:29 PM, Kingsley Charles
<[email protected]> wrote:

Hi all

When we create RSA keys without a storage location, the location is nothing.
After I issue a "wr mem" the keys are stored in the private-config file that
is present in the NVRAM. The pro

router3#sh crypto key mypubkey rsa
% Key pair was generated at: 11:40:19 UTC Sep 21 2010
Key name: TP-self-signed-1104275031
Storage Device: not specified
Usage: General Purpose Key
Key is not exportable.
Key Data:
% Key pair was generated at: 11:40:21 UTC Sep 21 2010
Key name: TP-self-signed-1104275031.server
Temporary key
Usage: Encryption Key
Key is not exportable.
Key Data:
router3#wr mem
Building configuration...

[OK]

router3#sh crypto key mypubkey rsa
% Key pair was generated at: 11:40:19 UTC Sep 21 2010
Key name: TP-self-signed-1104275031
Storage Device: private-config
Usage: General Purpose Key
Key is not exportable.
Key Data:
% Key pair was generated at: 11:40:21 UTC Sep 21 2010
Key name: TP-self-signed-1104275031.server
Temporary key
Usage: Encryption Key
Key is not exportable.
Key Data:

I am trying to save the keys to flash but it fails.

router3(config)#crypto key generate rsa storage flash:
The name for the keys will be: router3.router3.com
Choose the size of the key modulus in the range of 360 to 2048 for your
  General Purpose Keys. Choosing a key modulus greater than 512 may take
  a few minutes.

How many bits in the modulus [512]:
Device flash is not a valid storage location for for cryptographic keypairs

crypto_lib_keypair_get failed to get router3.router3.com

crypto_lib_keypair_get failed to get router3.router3.com

It seems flash is not a secure location for saving the private keys, as it can
be accessed by anyone. The "private-config" can't be accessed by the user;
please have a look below:

router3#more nvram:private-config
%Error opening nvram:private-config (Permission denied)

Maybe USB token is a valid device to store the RSA keys.

Please let me know your thoughts.

With regards

Kings

_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit
www.ipexpert.com