
Crypto Keypair without Domain Name

In this post I am going to show you how to configure a crypto keypair without configuring a host name or domain name on Cisco devices. Some network admins are still unsure whether configuring the domain name on Cisco devices is a requirement for generating a crypto keypair. I believe this confusion comes from the error we get when we try to create a crypto keypair on a Cisco device before configuring the domain name: the error explicitly asks us to define the domain name first.

We get a similar error if we try to create a crypto keypair before configuring the device host name. However, because setting the device host name is far more common than setting the domain name, we notice that error less often than the domain name one. Let’s dive into a few different configuration scenarios where you will see how to create a crypto keypair without configuring the host name or the domain name. At the end of this post, we will also find out whether defining the host name and domain name really matters.

 

GENERATE THE CRYPTO KEYPAIR WITH THE HOST NAME AND THE DOMAIN NAME CONFIGURED ON CISCO ROUTER:

 

Let’s first see the errors we were talking about then we will configure both the host name and the domain name:

 

Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#crypto key generate rsa modulus 1024
% Please define a hostname other than Router.

 

As we can see, the router complains about the default host name Router and clearly asks for a new host name to be set. Let’s do that:

 

Router(config)#hostname Router-01
Router-01(config)#

 

Now let’s try to generate the crypto keypair again and see if this makes any difference:

 

Router-01(config)#crypto key generate rsa modulus 1024
% Please define a domain-name first.

 

It does, but this time we get a different error, this one about the domain name, which we have not set on the router. Let’s set it and try again:

 

Router-01(config)#ip domain-name mylab.local
Router-01(config)#crypto key generate rsa modulus 1024
The name for the keys will be: Router-01.mylab.local
% The key modulus size is 1024 bits
% Generating 1024 bit RSA keys, keys will be non-exportable…
[OK] (elapsed time was 2 seconds)

 

After we configured the domain name, the router generated the crypto keypair successfully:

 

Router-01(config)#do show crypto key mypubkey rsa
% Key pair was generated at: 15:24:55 UTC Sep 15 2019
Key name: Router-01.mylab.local
Key type: RSA KEYS
Storage Device: not specified
Usage: General Purpose Key
Key is not exportable.
Key Data:
30819F30 0D06092A 864886F7 0D010101 05000381 8D003081 89028181 00ACD9E7
57AAA38C 0C1EE427 2F6A74B8 0A9DB953 DB88EB3E 29E46E64 C18F585E 2536DA6E
1444A28A C86FC0B6 9AA742B6 DF67FB1D 1A33A60A 9B97ED02 90BAA701 EEB4917A
C228CFEC C93CC48F 197FE5D0 2BC57D08 D240CB0D 82EAEEE1 5CEB7808 99F8C1E4
29CFE8F8 A0746BAF 280C8099 8C699A7D 7D3D24D1 5849C80F AFBC5626 23020301
0001
% Key pair was generated at: 15:24:56 UTC Sep 15 2019
Key name: Router-01.mylab.local.server
Key type: RSA KEYS
Temporary key
Usage: Encryption Key
Key is not exportable.
Key Data:
307C300D 06092A86 4886F70D 01010105 00036B00 30680261 00D815DC A6265AB2
72CA142C 22964C9B DA2BFFCC 57F7CE1A 3F90050C 64842C4B 385342A2 C545B5F1
E899C71C 5ABF8929 F68FA8F0 08E16F18 751F0213 A98B5964 C2860D08 F834C101
DD067C25 15FC2C6C BE9D8F5C A00F8538 19081D18 9AE2C63E 99020301 0001

 

Now that we have generated the crypto keypair with both the host name and the domain name configured, let’s look at some of its details. By looking at the key name, we can see that it is composed of both the host name and the domain name we configured. That is why we were getting those errors when we tried to generate the keypair before setting the host name or the domain name.

As we saw, the crypto key generate … command, used this way, requires both a customized host name and a domain name to be configured before it will create the crypto key. Great, now let’s move on to the next scenario.

 

GENERATE THE CRYPTO KEYPAIR WITHOUT THE HOST NAME AND THE DOMAIN NAME CONFIGURED ON CISCO ROUTER (EXAMPLE 1):

 

The router in this example starts out like the previous one: it has no customized host name and no domain name configured. The only difference is that this time we generate the crypto keypair with a customized name (label). Let’s see if the router complains about the host name and the domain name as it did before:

 

Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#crypto key generate rsa modulus 1024 label BLUENETSEC
The name for the keys will be: BLUENETSEC
% The key modulus size is 1024 bits
% Generating 1024 bit RSA keys, keys will be non-exportable…
[OK] (elapsed time was 2 seconds)

 

As we can see, the router has now generated the crypto keypair successfully without complaining about the host name or the domain name. Let’s check the keypair properties and see whether the key name differs from the previous example:

 

Router(config)#do show crypto key mypubkey rsa
% Key pair was generated at: 16:26:33 UTC Sep 15 2019
Key name: BLUENETSEC
Key type: RSA KEYS
Storage Device: not specified
Usage: General Purpose Key
Key is not exportable.
Key Data:
30819F30 0D06092A 864886F7 0D010101 05000381 8D003081 89028181 00CB51D5
41F5616F 6DBFBFFB E077D455 55CBD87A 76C149C9 A723195B F6111A7D BBD65B85
75711715 30896552 01174783 C0A7A39C A62D564F 49125DCD F2687495 47970E7F
969D8CD6 1EA42C7F 7F68C3B4 92549CA2 3B5E59B4 E353D2FE 8E8C65F3 61CCC62A
A5B3C881 2D965556 9C3ECF33 9269BCF3 AA06FCF8 146AF2D2 DEBD33AF 53020301
0001
% Key pair was generated at: 16:26:33 UTC Sep 15 2019
Key name: BLUENETSEC.server
Key type: RSA KEYS
Temporary key
Usage: Encryption Key
Key is not exportable.
Key Data:
307C300D 06092A86 4886F70D 01010105 00036B00 30680261 00D7FCA3 1BA635D0
58D36770 CE49EE61 D624F9F6 002E0757 4979D478 2BB4D68A 33049D96 CB582D0E
C02C7143 8726AFEA 87CE472F 997612E9 F357BA60 25652DA7 04FCCD5A 94208BAD
CCE019E7 70F946AD AD61E4FD 3BD5BB21 E8E37B5D 55711278 9D020301 0001

 

Notice that this time the key name is simply the label we gave when we generated the keypair, BLUENETSEC. Using a customized keypair name allows us to generate the crypto keypair without a host name or domain name configured on the router.

Great. Do you think there is any other way to generate the crypto keypair without configuring the host name or the domain name? The answer is yes. Let’s do it.

 

GENERATE THE CRYPTO KEYPAIR WITHOUT THE HOST NAME AND THE DOMAIN NAME CONFIGURED ON CISCO ROUTER (EXAMPLE 2):

 

We will first create a trustpoint and set the enrollment to be self-signed:

 

Router(config)#crypto pki trustpoint BLUENETSEC-TP
Router(ca-trustpoint)#enrollment selfsigned

 

Now let’s enroll the certificate for this trustpoint:

 

Router(config)#crypto pki enroll BLUENETSEC-TP
% Include the router serial number in the subject name? [yes/no]: no
*Sep 15 16:48:02.159: %CRYPTO-6-AUTOGEN: Generated new 512 bit key pair
% Include an IP address in the subject name? [no]:
Generate Self Signed Router Certificate? [yes/no]: yes
 
Router Self Signed Certificate successfully created

 

Notice the Syslog message in the output above stating that a new 512-bit keypair has been generated. Let’s check the certificate and that keypair:

 

Router(config)#do show crypto pki certificate
Router Self-Signed Certificate
Status: Available
Certificate Serial Number (hex): 01
Certificate Usage: General Purpose
Issuer:
hostname=Router
Subject:
Name: Router
hostname=Router
Validity Date:
start date: 16:48:10 UTC Sep 15 2019
end date: 00:00:00 UTC Jan 1 2020
Associated Trustpoints: BLUENETSEC-TP

 

Router(config)#do show crypto key mypubkey rsa
% Key pair was generated at: 16:26:33 UTC Sep 15 2019
Key name: BLUENETSEC
Key type: RSA KEYS
Storage Device: not specified
Usage: General Purpose Key
Key is not exportable.
Key Data:
30819F30 0D06092A 864886F7 0D010101 05000381 8D003081 89028181 00CB51D5
41F5616F 6DBFBFFB E077D455 55CBD87A 76C149C9 A723195B F6111A7D BBD65B85
75711715 30896552 01174783 C0A7A39C A62D564F 49125DCD F2687495 47970E7F
969D8CD6 1EA42C7F 7F68C3B4 92549CA2 3B5E59B4 E353D2FE 8E8C65F3 61CCC62A
A5B3C881 2D965556 9C3ECF33 9269BCF3 AA06FCF8 146AF2D2 DEBD33AF 53020301
0001
% Key pair was generated at: 16:26:33 UTC Sep 15 2019
Key name: BLUENETSEC.server
Key type: RSA KEYS
Temporary key
Usage: Encryption Key
Key is not exportable.
Key Data:
307C300D 06092A86 4886F70D 01010105 00036B00 30680261 00D7FCA3 1BA635D0
58D36770 CE49EE61 D624F9F6 002E0757 4979D478 2BB4D68A 33049D96 CB582D0E
C02C7143 8726AFEA 87CE472F 997612E9 F357BA60 25652DA7 04FCCD5A 94208BAD
CCE019E7 70F946AD AD61E4FD 3BD5BB21 E8E37B5D 55711278 9D020301 0001
% Key pair was generated at: 16:48:02 UTC Sep 15 2019
Key name: Router
Key type: RSA KEYS
Storage Device: not specified
Usage: General Purpose Key
Key is not exportable.
Key Data:
305C300D 06092A86 4886F70D 01010105 00034B00 30480241 009A6A57 E2571AA5
90FB7547 9BC3EDE9 7B3E2E44 F47E9312 F9932B81 1CF50BF3 9A4A175E 8909FA41
2057F1E1 1D613536 0C9D085A 4F1BE457 C2B57806 BB43B16F 71020301 0001

 

As we can see, enrolling a certificate also lets the router create a crypto keypair without the host name or the domain name configured. So, technically speaking, generating a crypto keypair requires neither the host name nor the domain name on the device. It is just the way the crypto key generate … command is coded that makes us think we cannot create the crypto keypair without the host name or the domain name configured, which, as we saw, is not really the case.
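To audit what each of these scenarios leaves on a device, here is an added Python example (not part of the original post) that parses "show crypto key mypubkey rsa" output, decodes the DER key data to recover the modulus size, and flags keys that are short or named after the default hostname. The sample input is the 512-bit key that the enrollment above auto-generated; the 2048-bit minimum is an assumed policy value.

```python
import re
# Minimal DER reader: returns (tag, value, rest) for the first TLV in buf.
def der_read(buf):
    tag, length, pos = buf[0], buf[1], 2
    if length & 0x80:                        # long form, e.g. 0x81 0x9F = 159 bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], buf[pos + length:]

# Walk the SubjectPublicKeyInfo IOS prints under "Key Data:" to the RSA modulus.
def rsa_modulus_bits(spki_hex):
    tag, spki, _ = der_read(bytes.fromhex(spki_hex))
    assert tag == 0x30                       # SEQUENCE { algorithm, subjectPublicKey }
    _, _, rest = der_read(spki)              # skip AlgorithmIdentifier (rsaEncryption)
    tag, bitstr, _ = der_read(rest)
    assert tag == 0x03                       # BIT STRING; first byte = unused-bit count
    _, rsa_pub, _ = der_read(bitstr[1:])     # RSAPublicKey SEQUENCE { n, e }
    tag, modulus, _ = der_read(rsa_pub)
    assert tag == 0x02                       # INTEGER n (may carry a leading 0x00)
    return int.from_bytes(modulus, "big").bit_length()

# Parse "show crypto key mypubkey rsa" output into [(key name, modulus bits)].
def parse_mypubkey(output):
    keys = []
    for block in output.split("% Key pair was generated at:")[1:]:
        name = re.search(r"Key name:\s*(\S+)", block).group(1)
        hexdata = re.sub(r"[^0-9A-Fa-f]", "", block.split("Key Data:", 1)[1])
        keys.append((name, rsa_modulus_bits(hexdata)))
    return keys

# Flag moduli below min_bits (an assumed policy threshold) and keys named after
# the factory-default hostname "Router", i.e. enrolled before a hostname was set.
def audit(output, min_bits=2048):
    findings = []
    for name, bits in parse_mypubkey(output):
        if bits < min_bits:
            findings.append(f"{name}: {bits}-bit modulus is below {min_bits}")
        if name.split(".")[0] == "Router":
            findings.append(f"{name}: named after the default hostname")
    return findings

# Sample input: the 512-bit key that "crypto pki enroll" auto-generated above.
SAMPLE = """% Key pair was generated at: 16:48:02 UTC Sep 15 2019
Key name: Router
Key type: RSA KEYS
Key Data:
305C300D 06092A86 4886F70D 01010105 00034B00 30480241 009A6A57 E2571AA5
90FB7547 9BC3EDE9 7B3E2E44 F47E9312 F9932B81 1CF50BF3 9A4A175E 8909FA41
2057F1E1 1D613536 0C9D085A 4F1BE457 C2B57806 BB43B16F 71020301 0001"""
```

Running audit(SAMPLE) reports both that the 512-bit modulus is below the threshold and that the key carries the default hostname, which is exactly what the self-signed enrollment on an unnamed router produced.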

The last thing I want to show you in this post is what the certificate looks like when the host name and the domain name are configured, compared with the previous example.

 

CERTIFICATE ENROLLMENT WITH THE HOST NAME AND THE DOMAIN NAME CONFIGURED ON CISCO ROUTER:

 

Router(config)#hostname Router-01
Router-01(config)#ip domain-name mylab.local
Router-01(config)#crypto pki trustpoint BLUENETSEC-TP
Router-01(ca-trustpoint)#enrollment selfsigned
Router-01(ca-trustpoint)#crypto pki enroll BLUENETSEC-TP
% Include the router serial number in the subject name? [yes/no]: no
*Sep 15 17:11:06.985: %CRYPTO-6-AUTOGEN: Generated new 512 bit key pair
% Include an IP address in the subject name? [no]:
Generate Self Signed Router Certificate? [yes/no]: yes
 
Router Self Signed Certificate successfully created

 

Router-01#show crypto pki certificates
Router Self-Signed Certificate
Status: Available
Certificate Serial Number (hex): 02
Certificate Usage: General Purpose
Issuer:
hostname=Router-01.mylab.local
Subject:
Name: Router-01.mylab.local
hostname=Router-01.mylab.local
Validity Date:
start date: 17:11:14 UTC Sep 15 2019
end date: 00:00:00 UTC Jan 1 2020
Associated Trustpoints: BLUENETSEC-TP

 

In the previous example, the certificate hostname was just Router, the default hostname of Cisco routers. This time, however, the certificate hostname is Router-01.mylab.local, composed of the router hostname (Router-01) and the domain name (mylab.local) we configured. This matters because in a PKI deployment, if the certificate does not carry the right details, the device might fail authentication and be treated as untrusted. This tells us that configuring the correct hostname and domain name on a device is a must to prevent issues in our PKI deployment.

 

I hope you enjoyed reading this post, and as always, I would love to hear your feedback. Thanks for reading!

 

Posted in Blog, IOS, Security, Tips & Tricks
