Crypto Key Generate Rsa Command Not Working

Posted By admin On 16.12.20
Learning has never been so easy!
  1. Cisco Switch Generate Rsa Key
  2. Cisco Crypto Key Generate Rsa
  3. Cisco Crypto Key Gen Rsa
  4. Crypto Key Generate Rsa Command Not Working 2017

This How-To guide will walk you through setting up (configuring and enabling) SSH on a HP ProCurve Switch using the Web Interface.
It assumes you can access the switch via the web interface and have read-write access.
This walkthrough does NOT implement Client Public Key Authentication and has the Switch Authenticate against itself.

Crypto key generate rsa command missing

Caution: This process requires use of the Command Line Interface (CLI). This process can be utilized through a serial or telnet session. However these steps must be followed in order to prevent unintentionally blocking access to remote management. While Encrypting a File with a Password from the Command Line using OpenSSL is very useful in its own right, the real power of the OpenSSL library is its ability to support the use of public key cryptograph for encrypting or validating data in an unattended manner (where the password is not required to encrypt) is done with public keys. The Commands to Run. Why can't run crypto key generate rsa. The 3548 was end of sales in July 2002 (reference). They do not support ssh (only telnet for vty access) and thus do not have the capability to generate an RSA key.

4 Steps total

Step 1: Log into the Switch

Log into the switch's Web interface using an account with read-write permissions.

Step 2: Create a Certificate

Note: This step will create a self-signed certificate but you can also create a request and have your Enterprise CA sign it if your environment has it available.

On the Security Tab, Select Create Certificate/ Create Request.
Select Self-Signed from the drop down box and fill in the appropriate fields.
be sure the Validity start and end dates are current.

Click Apply Changes to create the certificate.

Step 3: Generate a Private/Public Key pair

Navigate over to the Configuration Tab
Click on 'telnet session to the switch console.' - This will open a black command prompt looking window.
Press any key to continue
Type in your username
Type in your password
Type in 'config' (This is the step it is left out of most other directions)
Type in 'crypto key generate ssh'
The switch will now generate a key.
If this step fails, verify your are in 'config'mode

Cisco crypto key gen rsa

Step 4: Enable SSH

Now that you have created a certificate and the appropriate keys, you can enable SSH on the switch.

Type in 'ip ssh' in the Telnet CLI.
Thats it. SSH should now be enabled.

You can verify its enabled by typing in 'show ip ssh'

After following these instructions, you should have been sucessfully able to configure and enable SSH on your HP ProCurve Switch. The steps and screenshot in this How-To were completed using the latest Firmware for that switch 'N.11.48'.
You should now be able to have Spiceworks scan your switches using SSH which will allow spiceworks to monitor and backup their configuration.

Published: Sep 07, 2011 · Last Updated: Sep 21, 2017

References

  • HP Access Security Guide

5 Comments

  • Poblano
    TeBear Dec 10, 2013 at 04:24pm

    I found there is no need for Step 1 or Step 2

    Telnet into switch and run following commands:

    >enable
    >config
    >crypto key generate ssh

    Seems to do the trick. looks like ssh is enabled out of the box (Step 4) on Procurve though you need to generate the key to be able to use it.

  • Serrano
    BoJlk Jan 6, 2014 at 07:49am

    Thanks for the steps.
    you must crypto key generate ssh in config mode before enabling SSH on your switch.
    Step 2 - Create a Certificate helpfull if you want to access with HTTPS to your switch.

  • Serrano
    Felix_da_CAT5 May 16, 2014 at 08:03am

    isnt it necessary to save the configuration after any alteration in order to keep working after a reboot?

  • Cayenne
    Nathan Bareham Aug 2, 2014 at 07:22pm

    i can scan, but the config does not seem to be backing up. any ideas?

  • Chipotle
    Dr-Drew Nov 25, 2015 at 10:00pm

    Always a good idea to 'write mem' when your done in the CLI.... :o)

While Encrypting a File with a Password from the Command Line using OpenSSLis very useful in its own right, the real power of the OpenSSL library is itsability to support the use of public key cryptograph for encrypting orvalidating data in an unattended manner (where the password is not required toencrypt) is done with public keys.

The Commands to Run

Generate a 2048 bit RSA Key

You can generate a public and private RSA key pair like this:

openssl genrsa -des3 -out private.pem 2048

Cisco Switch Generate Rsa Key

That generates a 2048-bit RSA key pair, encrypts them with a password you provideand writes them to a file. You need to next extract the public key file. You willuse this, for instance, on your web server to encrypt content so that it canonly be read with the private key.

Export the RSA Public Key to a File

This is a command that is

openssl rsa -in private.pem -outform PEM -pubout -out public.pem

The -pubout flag is really important. Be sure to include it.

Next open the public.pem and ensure that it starts with-----BEGIN PUBLIC KEY-----. This is how you know that this file is thepublic key of the pair and not a private key.

To check the file from the command line you can use the less command, like this:

less public.pem

Do Not Run This, it Exports the Private Key

A previous version of the post gave this example in error.

openssl rsa -in private.pem -out private_unencrypted.pem -outform PEM

The error is that the -pubout was dropped from the end of the command.That changes the meaning of the command from that of exporting the public keyto exporting the private key outside of its encrypted wrapper. Inspecting theoutput file, in this case private_unencrypted.pem clearly shows that the keyis a RSA private key as it starts with -----BEGIN RSA PRIVATE KEY-----.

Visually Inspect Your Key Files

Cisco Crypto Key Generate Rsa

It is important to visually inspect you private and public key files to makesure that they are what you expect. OpenSSL will clearly explain the nature ofthe key block with a -----BEGIN RSA PRIVATE KEY----- or -----BEGIN PUBLIC KEY-----.

You can use less to inspect each of your two files in turn:

  • less private.pem to verify that it starts with a -----BEGIN RSA PRIVATE KEY-----
  • less public.pem to verify that it starts with a -----BEGIN PUBLIC KEY-----

The next section shows a full example of what each key file should look like.

The Generated Key Files

The generated files are base64-encoded encryption keys in plain text format.If you select a password for your private key, its file will be encrypted withyour password. Be sure to remember this password or the key pair becomes useless.

The private.pem file looks something like this:

The public key, public.pem, file looks like:

Protecting Your Keys

Depending on the nature of the information you will protect, it’s important tokeep the private key backed up and secret. The public key can be distributedanywhere or embedded in your web application scripts, such as in your PHP,Ruby, or other scripts. Again, backup your keys!

Remember, if the key goes away the data encrypted to it is gone. Keeping aprinted copy of the key material in a sealed envelope in a bank safety depositbox is a good way to protect important keys against loss due to fire or harddrive failure.

Oh, and one last thing.

If you, dear reader, were planning any funny business with the private key that I have just published here. Know that they were made especially for this series of blog posts. I do not use them for anything else.

Cisco Crypto Key Gen Rsa

Found an issue?

Rietta plans, develops, and maintains applications.

Learn more about our services or drop us your email and we'll e-mail you back.

Crypto Key Generate Rsa Command Not Working 2017

Other Blog Articles Published by Rietta.com