| Command or Action | Purpose |
|---|---|
| `enable`<br>Example:<br>`Device> enable` | Enables privileged EXEC mode.<br>- Enter your password if prompted. |
| `crypto pki token token-name [admin] change-pin [pin]`<br>Example:<br>`Device# crypto pki token usbtoken0 admin change-pin` | (Optional) Changes the user PIN on the USB token.<br>- If the PIN is not changed, the default PIN 1234567890 is used.<br>Note: After the PIN has been changed, you must reset the login failure count to zero (via the `crypto pki token max-retries` command). The maximum number of allowable login failures is set (by default) to 15. |
| `crypto pki token token-name device-name: label token-label`<br>Example:<br>`Device# crypto pki token mytoken usb0: label newlabel` | (Optional) Sets or changes the name of the USB token.<br>- The value of the token-label argument may be up to 31 alphanumeric characters in length, including dashes and underscores.<br>Tip: This command is useful when configuring multiple USB tokens for automatic login, secondary configuration files, or other token-specific settings. |
| `configure terminal`<br>Example:<br>`Device# configure terminal` | Enters global configuration mode. |
| `crypto key storage device-name:`<br>Example:<br>`Device(config)# crypto key storage usbtoken0:` | (Optional) Sets the default RSA key storage location for newly created keys.<br>Note: Regardless of configuration settings, existing keys remain stored on the device from which they were originally loaded. |
| `crypto key generate rsa [general-keys \| usage-keys \| signature \| encryption] [label key-label] [exportable] [modulus modulus-size] [storage device-name:] [redundancy] [on device-name:]`<br>Example:<br>`Device(config)# crypto key generate rsa label tokenkey1 storage usbtoken0:` | (Optional) Generates the RSA key pair for the certificate server.<br>- The storage keyword specifies the key storage location.<br>- When specifying a label name through the key-label argument, you must use the same name for the label that you plan to use for the certificate server (through the `crypto pki server cs-label` command). If a key-label argument is not specified, the default value, which is the fully qualified domain name (FQDN) of the device, is used. If the exportable RSA key pair is manually generated after the CA certificate has been generated, and before issuing the `no shutdown` command, then use the `crypto ca export pkcs12` command to export a PKCS12 file that contains the certificate server certificate and the private key.<br>- By default, the modulus size of a CA key is 1024 bits. The recommended modulus for a CA key is 2048 bits. The range for a modulus size of a CA key is from 350 to 4096 bits.<br>- The on keyword specifies that the RSA key pair is created on the specified device, including a Universal Serial Bus (USB) token, local disk, or NVRAM. The name of the device is followed by a colon (:).<br>Note: Keys created on a USB token must be 2048 bits or less. |
| `crypto key move rsa keylabel [non-exportable] [on \| storage] location`<br>Example:<br>`Device(config)# crypto key move rsa keypairname non-exportable on token` | (Optional) Moves existing Cisco IOS credentials from the current storage location to the specified storage location.<br>- By default, the RSA key pair remains stored on the current device. Generating the key on the device and moving it to the token takes less than a minute. Generating a key on the token using the on keyword can take five to ten minutes, depending on the hardware key generation routines available on the USB token.<br>- When an existing RSA key pair is generated in Cisco IOS, stored on a USB token, and used for an enrollment, it may be necessary to move that key pair to an alternate location for permanent storage. This command is useful when using SDP with USB tokens to deploy credentials. |
| `crypto pki token {token-name \| default} removal timeout [seconds]`<br>Example:<br>`Device(config)# crypto pki token usbtoken0 removal timeout 60` | (Optional) Sets the time interval, in seconds, that the device waits before removing the RSA keys that are stored on the USB token after the USB token has been removed from the device.<br>Note: If this command is not issued, all RSA keys and IPsec tunnels associated with the USB token are torn down immediately after the USB token is removed from the device. |
| `crypto pki token {token-name \| default} max-retries [number]`<br>Example:<br>`Device(config)# crypto pki token usbtoken0 max-retries 20` | (Optional) Sets the maximum number of consecutive failed login attempts allowed before access to the USB token is denied.<br>- By default, the value is set to 15. |
| `exit`<br>Example:<br>`Device(config)# exit` | Exits global configuration mode. |
| `copy usbflash[0-9]:filename destination-url`<br>Example:<br>`Device# copy usbflash0:file1 nvram:` | Copies files from the USB token to the device.<br>- destination-url: see the `copy` command documentation for the list of supported options. |
| `show usbtoken[0-9]:filename`<br>Example:<br>`Device# show usbtoken:usbfile` | (Optional) Displays information about the USB token. You can use this command to verify whether the USB token has been logged in to the device. |
| `crypto pki token token-name logout`<br>Example:<br>`Device# crypto pki token usbtoken0 logout` | Logs the device out of the USB token.<br>Note: If you want to save any data to the USB token, you must log back in to the token. |
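The steps above carry a handful of limits and defaults that are easy to get wrong when the commands are pushed from a script: the 1024-bit default and 2048-bit recommended modulus, the 2048-bit ceiling for keys generated on a USB token, the default of 15 allowed login failures, the requirement to reset the failure count with max-retries after a PIN change, and the immediate key teardown when no removal timeout is set. The following Python lint is an added example and not Cisco code; it checks a planned command list against exactly those rules before deployment. The function name `audit_usb_token_script`, the token names usbtoken0 and usbtoken1, and both sample scripts are constructed for the example.

```python
"""Pre-deployment lint for a Cisco IOS USB-token configuration script.

Added illustration, not Cisco code. It checks a planned command list against the
limits stated in the procedure table. The sample scripts are constructed, and the
token names usbtoken0/usbtoken1 are assumed.
"""
import re
from typing import Dict, List, Set, Tuple

DEFAULT_MODULUS = 1024          # modulus used when none is given
RECOMMENDED_MODULUS = 2048      # recommended CA key size
MODULUS_RANGE = (350, 4096)     # supported modulus range
USB_TOKEN_MAX_MODULUS = 2048    # keys created on a USB token must not exceed this
DEFAULT_MAX_RETRIES = 15        # login failures allowed before the token locks

Finding = Tuple[str, str]       # (severity, message)
_USB_DEVICE = re.compile(r"^(usbtoken\d*):$", re.IGNORECASE)


def audit_usb_token_script(script: str) -> List[Finding]:
    """Return (severity, message) findings for risky or inconsistent lines."""
    findings: List[Finding] = []
    referenced: Set[str] = set()            # tokens the script touches
    timeout_set: Set[str] = set()           # tokens with an explicit removal timeout
    last_pin_change: Dict[str, int] = {}    # token -> index of last change-pin line
    last_max_retries: Dict[str, int] = {}   # token -> index of last max-retries line

    for idx, raw in enumerate(script.splitlines()):
        line = raw.strip()
        if not line or line.startswith("!"):
            continue  # blank line or IOS comment

        m = re.match(r"crypto key storage (\S+)", line)
        if m:
            usb = _USB_DEVICE.match(m.group(1))
            if usb:
                referenced.add(usb.group(1).lower())
            continue

        if line.startswith("crypto key generate rsa"):
            m = re.search(r"\bmodulus\s+(\d+)", line)
            modulus = int(m.group(1)) if m else DEFAULT_MODULUS
            m = re.search(r"\b(?:storage|on)\s+(\S+)", line)
            device = m.group(1) if m else ""
            usb = _USB_DEVICE.match(device)
            if usb:
                referenced.add(usb.group(1).lower())
            lo, hi = MODULUS_RANGE
            if not lo <= modulus <= hi:
                findings.append(("error", f"line {idx + 1}: modulus {modulus} is outside the supported {lo}-{hi} bit range"))
            elif modulus < RECOMMENDED_MODULUS:
                findings.append(("warn", f"line {idx + 1}: modulus {modulus} is below the recommended {RECOMMENDED_MODULUS} bits (default is {DEFAULT_MODULUS})"))
            if usb and modulus > USB_TOKEN_MAX_MODULUS:
                findings.append(("error", f"line {idx + 1}: a {modulus}-bit key cannot be created on {device}; USB token keys must be {USB_TOKEN_MAX_MODULUS} bits or less"))
            continue

        m = re.match(r"crypto pki token (\S+) (.+)", line)
        if m:
            name, rest = m.group(1).lower(), m.group(2)
            if name != "default":
                referenced.add(name)
            words = rest.split()
            if rest.startswith("admin change-pin"):
                last_pin_change[name] = idx
            elif words[0] == "max-retries":
                last_max_retries[name] = idx
                retries = int(words[1]) if len(words) > 1 else DEFAULT_MAX_RETRIES
                if retries > DEFAULT_MAX_RETRIES:
                    findings.append(("warn", f"line {idx + 1}: max-retries {retries} allows more failed PIN attempts than the default {DEFAULT_MAX_RETRIES}"))
            elif rest.startswith("removal timeout"):
                timeout_set.add(name)

    # The table requires the failure count to be reset (max-retries) after a PIN change.
    for name, pin_idx in last_pin_change.items():
        if last_max_retries.get(name, -1) < pin_idx:
            findings.append(("warn", f"line {pin_idx + 1}: PIN changed on {name} but no later 'crypto pki token {name} max-retries' resets the login failure count"))

    # Without a removal timeout, keys and IPsec tunnels are torn down immediately on removal.
    if "default" not in timeout_set:
        for name in sorted(referenced - timeout_set):
            findings.append(("info", f"no removal timeout for {name}: RSA keys and IPsec tunnels are torn down immediately when the token is removed"))
    return findings


# Constructed sample: the page's own key-generation example (no modulus, so 1024 bits),
# an oversized key targeted at the token, and a PIN change with no max-retries reset.
SAMPLE_SCRIPT = """\
! constructed example script, not taken from a real device
crypto pki token usbtoken0 admin change-pin
crypto key storage usbtoken0:
crypto key generate rsa label tokenkey1 storage usbtoken0:
crypto key generate rsa label bigkey modulus 4096 on usbtoken0:
crypto pki token usbtoken0 removal timeout 60
"""

# Constructed sample that follows every rule in the table and yields no findings.
HARDENED_SCRIPT = """\
crypto pki token usbtoken0 admin change-pin
crypto pki token usbtoken0 max-retries 10
crypto key generate rsa label tokenkey1 modulus 2048 storage usbtoken0:
crypto pki token usbtoken0 removal timeout 60
"""

if __name__ == "__main__":
    for severity, message in audit_usb_token_script(SAMPLE_SCRIPT):
        print(f"[{severity}] {message}")
```

Run it against the script you intend to push; an empty result means the script stays within the documented modulus limits, keeps max-retries at or below the default, resets the failure count after any PIN change, and declares a removal timeout for every token it touches.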