Comments inline.

With regards,
Kings
On Fri, Mar 18, 2011 at 7:10 AM, Eugene Pefti <eug...@koiossystems.com> wrote:

> Hello folks,
>
> Whoever is still here, I need your fresh pair of eyes to enlighten me on the
> keys and certificate situation.
>
> This is my weakest point and I wanted to get a handle on every nitty-gritty
> detail about it.
>
> Let’s say the router doesn’t have any RSA keys and certificates, neither
> self-signed nor those issued by the external CA.
>
> I don’t have “ip ssh version 2” or “ip http secure-server” configured
> either.
>
> Then step-by-step I want to see how the router behaves if I don’t want to
> utilize a self-signed certificate at all.
>
> I generate an RSA key pair labeled R2:
>
> R2#sh crypt key mypubkey rsa
>
> % Key pair was generated at: 17:06:40 PST Mar 17 2010
> Key name: R2
> Storage Device: not specified
> Usage: General Purpose Key
> Key is not exportable.
> Key Data:
> 30819F30 ……..<removed for brevity>……. 0001
> % Key pair was generated at: 17:06:42 PST Mar 17 2010
> Key name: R2.server
> Temporary key
> Usage: Encryption Key
> Key is not exportable.
> Key Data:
> 307C300D …….<removed for brevity>…..0001
>
> All right, a pair of general purpose keys was generated. Why would the
> router need a temporary key? Why is the key name appended with the server
> name?

<This key is used for ssh>

> Next step, I enable “ip http secure-server” and try to access the router
> via HTTPS from the browser. When I do it I see that the router generates a
> new key pair:
>
> %CRYPTO-6-AUTOGEN: Generated new 768 bit key pair
>
> And I see it in the output of “show key mypubkey rsa”:
> % Key pair was generated at: 17:10:22 PST Mar 17 2010
> Key name: HTTPS_SS_CERT_KEYPAIR
> Storage Device: not specified
> Usage: General Purpose Key
> Key is not exportable.
> Key Data:
> 307C300D …. <removed for brevity> …..0001
>
> I’m able to open the webpage with rudimentary management stuff that the
> router generates via HTTPS and see that the browser rightfully complains
> about the certificate which is not trusted. It’s OK, I can understand it, but
> I don’t see this certificate in the router! The output of “sh crypto pki
> certificate” is empty. On the other hand I see that there’s an application
> generated trustpoint:

<I think a new key is being generated for the https>

> R2#sh crypto pki trustpoint
> Trustpoint HTTPS_SS_CERT_KEYPAIR:
> Subject Name:
> serialNumber=FTX1118W0MT+hostname=R2.cisco.com
> cn=R2.cisco.com
> Serial Number (hex): 02
> Application generated trust point
>
> My last question is why I see neither the certificate nor the
> trustpoint in the running config? Should I understand that they are stored
> in RAM and will be deleted once I reboot the router?

<That's strange, it should be there in the running configuration>

> Eugene Pefti
>
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please
> visit www.ipexpert.com
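A point worth checking in the thread's output is key size: the router auto-generated a 768-bit pair for HTTPS, and the key data IOS prints is the DER SubjectPublicKeyInfo in hex, whose outer SEQUENCE length alone pins down the modulus size (30819F30 is the header of a 1024-bit key, 307C300D of a 768-bit one). The script below, an example added here by the editor and not from either poster, parses `show crypto key mypubkey rsa` output and flags keys shorter than 2048 bits. The sample output is constructed from the thread with the key data cut to its header, which is all the size estimate needs; the 2048-bit threshold and the assumption of a 65537 exponent are the editor's choices.

```python
"""Audit RSA key sizes in Cisco IOS 'show crypto key mypubkey rsa' output.

Editor's example, not code from the thread. IOS prints each public key
as hex DER (SubjectPublicKeyInfo); the outer SEQUENCE length is enough
to recover the modulus size, so truncated key data is not a problem.
"""
import re

CANDIDATE_BITS = (512, 768, 1024, 1536, 2048, 3072, 4096)
WEAK_BELOW = 2048  # assumption: anything shorter is reported as weak


def _len_bytes(n):
    """Bytes needed to DER-encode a length n."""
    if n < 0x80:
        return 1
    if n < 0x100:
        return 2
    return 3 if n < 0x10000 else 4


def _tlv(content_len):
    """Total size of a DER TLV with the given content length."""
    return 1 + _len_bytes(content_len) + content_len


def spki_total_len(bits, exponent_len=3):
    """Expected total DER length of an RSA SubjectPublicKeyInfo.

    Assumes a 3-byte exponent (65537) and a modulus with its top bit set,
    which forces a leading 0x00 byte in the INTEGER encoding.
    """
    modulus = _tlv(bits // 8 + 1)
    rsa_public_key = _tlv(modulus + _tlv(exponent_len))
    bit_string = _tlv(1 + rsa_public_key)  # one 'unused bits' byte
    algorithm_id = 15                      # rsaEncryption OID + NULL
    return _tlv(algorithm_id + bit_string)


def _outer_length(der):
    """Total length implied by the outer SEQUENCE header of a DER blob."""
    if der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    first = der[1]
    if first < 0x80:
        return 2 + first
    n = first & 0x7F
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def estimate_bits(hex_prefix):
    """Map the key data's outer SEQUENCE length to a modulus size, or None."""
    der = bytes.fromhex(re.sub(r"[^0-9A-Fa-f]", "", hex_prefix))
    total = _outer_length(der)
    for bits in CANDIDATE_BITS:
        if spki_total_len(bits) == total:
            return bits
    return None


def parse_show_output(text):
    """Split 'show crypto key mypubkey rsa' output into per-key records."""
    keys = []
    blocks = re.split(r"^% Key pair was generated at:.*$", text, flags=re.M)
    for block in blocks[1:]:
        name = re.search(r"Key name:\s*(\S+)", block)
        usage = re.search(r"Usage:\s*(.+)", block)
        data = re.search(r"Key Data:\s*([0-9A-Fa-f ]+)", block)
        keys.append({
            "name": name.group(1) if name else "?",
            "usage": usage.group(1).strip() if usage else "?",
            "temporary": "Temporary key" in block,
            "exportable": "Key is exportable" in block,
            "hex": data.group(1).strip() if data else "",
        })
    return keys


def audit(text, weak_below=WEAK_BELOW):
    """Return one finding per key: name, usage, estimated bits, weak flag."""
    findings = []
    for key in parse_show_output(text):
        bits = estimate_bits(key["hex"]) if key["hex"] else None
        findings.append({
            "name": key["name"],
            "usage": key["usage"],
            "temporary": key["temporary"],
            "bits": bits,
            "weak": bits is not None and bits < weak_below,
        })
    return findings


# Constructed sample modelled on the thread; key data cut to the DER header.
SAMPLE = """\
R2#sh crypto key mypubkey rsa

% Key pair was generated at: 17:06:40 PST Mar 17 2010
Key name: R2
Storage Device: not specified
Usage: General Purpose Key
Key is not exportable.
Key Data:
  30819F30 0D06092A <removed for brevity> 0001
% Key pair was generated at: 17:06:42 PST Mar 17 2010
Key name: R2.server
Temporary key
Usage: Encryption Key
Key is not exportable.
Key Data:
  307C300D 06092A86 <removed for brevity> 0001
% Key pair was generated at: 17:10:22 PST Mar 17 2010
Key name: HTTPS_SS_CERT_KEYPAIR
Storage Device: not specified
Usage: General Purpose Key
Key is not exportable.
Key Data:
  307C300D 06092A86 <removed for brevity> 0001
"""

if __name__ == "__main__":
    for f in audit(SAMPLE):
        flag = "WEAK" if f["weak"] else "ok"
        print(f"{f['name']:24} {f['usage']:20} {f['bits']} bit  {flag}")
```

Run against the sample, all three keys are reported as weak: the labelled key at 1024 bits and both the temporary SSH server key and the HTTPS key at 768 bits. On a real device the fix is to generate a longer pair with an explicit modulus (`crypto key generate rsa modulus 2048`) before enabling SSH or the HTTPS server, so the router never falls back to auto-generating a short key.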