Chapter 3
Configuring SSL Certificates and Keys
Generating an RSA Key Pair
OL-5655-01
RSA key pairs are used for the signing and key-exchange operations of the SSL
handshake, and a key pair is required before another device (client or server)
can exchange an SSL certificate with the CSS. The key pair consists of a public
key and its corresponding private (secret) key. The CSS stores the generated RSA
key pair as a file on the CSS.
Use the ssl genrsa command to generate an RSA private/public key pair for
asymmetric encryption. The syntax for this command is:
ssl genrsa filename numbits "password"
The variables are:
• filename - The name of the generated RSA key pair file. Enter an unquoted text
string with a maximum of 31 characters. The key pair filename is used only
for identification in the CSS.
• numbits - The key pair strength. The number of bits defines the size of the
RSA modulus used to secure Web transactions; longer keys are harder to factor
and therefore more secure. Available entries (in bits) are 512 (least
security), 768 (normal security), 1024 (high security), and 2048 (highest
security). Note that 512- and 768-bit RSA keys can be factored with modest
resources and 1024-bit keys are no longer accepted by current browsers or
public CAs, so use 2048 unless an older peer cannot handle it.
• "password" - The password used to encode the RSA private key using DES
(Data Encryption Standard) before it is stored as a file on the CSS. Encoding
the file limits the exposure of the private key if the key file is copied off
the CSS. Enter the password as a quoted string with a maximum of 35
characters. The password appears in the CSS running configuration as a
DES-encoded string. Because DES has only a 56-bit key, treat both the key
file and any copy of the running configuration as sensitive material.
For example, to generate the RSA key pair myrsakeyfile1, enter:
(config) # ssl genrsa myrsakeyfile1 1024 "passwd123"
Please be patient this could take a few minutes
After you generate an RSA key pair, you can generate a Certificate Signing
Request (CSR) file for the RSA key pair file and transfer the certificate request to
the Certificate Authority (CA). This provides an added layer of security because
the RSA private key originates directly within the CSS and never has to be
transported externally; only the CSR, which carries the public key, leaves the
device. You can then create a temporary certificate for internal testing until
the CA responds to the certificate request and returns the authentic
certificate. Each generated key pair must be paired with a certificate before
it can be used.
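The following program is an added example and is not CSS code or part of this guide. It reproduces the workflow above off-box, using only the Go standard library: generate a key pair with the same three arguments as ssl genrsa, protect the private key with a password, build the CSR, and self-sign a temporary certificate to use until the CA answers. It departs from the CSS in two assumed places: the key file is encoded with AES-256 rather than DES, and any size below 2048 bits is refused rather than merely labelled less secure. The host name www.example.com and the 30-day lifetime are placeholders.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Key sizes the CSS `ssl genrsa` command accepts, per the guide.
var cssAllowedBits = map[int]bool{512: true, 768: true, 1024: true, 2048: true}

// Smallest size this example will generate (assumed policy, not from the guide).
const minSafeBits = 2048

// GenRSA mirrors `ssl genrsa filename numbits "password"`: it enforces the
// guide's length limits, refuses the weak sizes the CSS would still accept, and
// returns the PEM-encoded, password-protected private key plus the key itself.
// The CSS encodes the key with DES; this example uses AES-256 instead, since a
// 56-bit DES key no longer resists brute force.
func GenRSA(filename string, numbits int, password string) ([]byte, *rsa.PrivateKey, error) {
	if filename == "" || len(filename) > 31 {
		return nil, nil, errors.New("filename must be 1-31 characters")
	}
	if len(password) > 35 {
		return nil, nil, errors.New("password must be at most 35 characters")
	}
	if !cssAllowedBits[numbits] {
		return nil, nil, fmt.Errorf("numbits %d is not 512, 768, 1024 or 2048", numbits)
	}
	if numbits < minSafeBits {
		return nil, nil, fmt.Errorf("refusing %d-bit RSA: below the %d-bit minimum", numbits, minSafeBits)
	}
	key, err := rsa.GenerateKey(rand.Reader, numbits)
	if err != nil {
		return nil, nil, err
	}
	// EncryptPEMBlock is the legacy (deprecated) password-protected PEM scheme;
	// it is used here because the CSS stores its key file in the same style.
	block, err := x509.EncryptPEMBlock(rand.Reader, "RSA PRIVATE KEY",
		x509.MarshalPKCS1PrivateKey(key), []byte(password), x509.PEMCipherAES256)
	if err != nil {
		return nil, nil, err
	}
	return pem.EncodeToMemory(block), key, nil
}

// LoadKey reverses GenRSA; a wrong password is rejected instead of yielding garbage.
func LoadKey(pemKey []byte, password string) (*rsa.PrivateKey, error) {
	block, _ := pem.Decode(pemKey)
	if block == nil || !x509.IsEncryptedPEMBlock(block) {
		return nil, errors.New("expected an encrypted PEM block")
	}
	der, err := x509.DecryptPEMBlock(block, []byte(password))
	if err != nil {
		return nil, err
	}
	return x509.ParsePKCS1PrivateKey(der)
}

// MakeCSR builds the Certificate Signing Request for the pair. Only the public
// key and a signature over it leave the device; the private key stays put.
func MakeCSR(key *rsa.PrivateKey, commonName string) ([]byte, error) {
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: commonName}}
	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: der}), nil
}

// TempCert self-signs a short-lived server certificate for internal testing
// while the CA request is pending.
func TempCert(key *rsa.PrivateKey, commonName string, days int) ([]byte, error) {
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: commonName},
		NotBefore:    now,
		NotAfter:     now.Add(time.Duration(days) * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

func main() {
	// Same arguments as the guide's example, except 2048 bits instead of 1024.
	pemKey, key, err := GenRSA("myrsakeyfile1", 2048, "passwd123")
	if err != nil {
		panic(err)
	}
	csr, _ := MakeCSR(key, "www.example.com")      // placeholder host name
	cert, _ := TempCert(key, "www.example.com", 30) // placeholder lifetime
	fmt.Print(string(pemKey), string(csr), string(cert))
}
```

Running it prints the three PEM objects in the order the guide describes them: the protected key file, the CSR to hand to the CA, and the temporary certificate. Keep the CSS's own DES-encoded key file in mind when reading the LoadKey check: a wrong password is detected here, but nothing in the scheme stops an attacker who has the file from guessing passwords offline, which is why the key size and the secrecy of the running configuration both matter.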
Generating Certificates and Private Keys in the CSS
Cisco Content Services Switch SSL Configuration Guide
3-5