Step 1
  Command: enable
  Purpose: Enables privileged EXEC mode.
Step 2
  Command: crypto pki token token-name [admin] change-pin [pin]
  Example: Device# crypto pki token usbtoken0 admin change-pin
  Purpose: (Optional) Changes the user PIN on the USB token.
  Note: After the PIN has been changed, you must reset the login failure count to zero (via the crypto pki token max-retries command). The maximum number of allowable login failures is set (by default) to 15.
Step 3
  Command: crypto pki token token-name device-name: label token-label
  Example: Device# crypto pki token mytoken usb0: label newlabel
  Purpose: (Optional) Sets or changes the name (label) of the USB token.
  Tip: This command is useful when configuring multiple USB tokens for automatic login, secondary configuration files, or other token-specific settings.
Step 4
  Command: configure terminal
  Example: Device# configure terminal
  Purpose: Enters global configuration mode.
Step 5
  Command: crypto key storage device-name:
  Example: Device(config)# crypto key storage usbtoken0:
  Purpose: (Optional) Sets the default RSA key storage location for newly created keys.
  Note: Regardless of configuration settings, existing keys remain stored on the device from which they were originally loaded.
Step 6
  Command: crypto key generate rsa [general-keys | usage-keys | signature | encryption] [label key-label] [exportable] [modulus modulus-size] [storage device-name:] [redundancy] [on device-name:]
  Example: Device(config)# crypto key generate rsa label tokenkey1 storage usbtoken0:
  Purpose: (Optional) Generates the RSA key pair for the certificate server.
  - The storage keyword specifies where the generated key pair is stored.
  - When you specify a label with the key-label argument, use the same name you plan to give the certificate server (through the crypto pki server cs-label command). If no key-label argument is specified, the default value, the fully qualified domain name (FQDN) of the device, is used.
  - If the exportable RSA key pair is generated manually after the CA certificate has been generated, and before the no shutdown command is issued, use the crypto ca export pkcs12 command to export a PKCS12 file that contains the certificate server certificate and the private key.
  - By default, the modulus size of a CA key is 1024 bits. The recommended modulus for a CA key is 2048 bits; 1024-bit RSA is below the 2048-bit minimum that current guidance (for example NIST SP 800-57) sets for new keys, so specify the modulus explicitly rather than relying on the default. The range for the modulus size of a CA key is from 350 to 4096 bits.
  - The on keyword specifies that the RSA key pair is created on the specified device, which can be a Universal Serial Bus (USB) token, local disk, or NVRAM. The device name is followed by a colon (:).
  Note: Keys created on a USB token must be 2048 bits or less.
Step 7
  Command: crypto key move rsa keylabel [non-exportable] [on | storage] location
  Example: Device(config)# crypto key move rsa keypairname non-exportable on token
  Purpose: (Optional) Moves existing Cisco IOS credentials from their current storage location to the specified storage location.
  - By default, the RSA key pair remains stored on the current device.
  - Generating the key on the device and moving it to the token takes less than a minute. Generating a key on the token with the on keyword can take five to ten minutes, depending on the hardware key-generation routines available on the USB token.
  - When an RSA key pair generated in Cisco IOS is stored on a USB token and used for an enrollment, it may be necessary to move that key pair to an alternate location for permanent storage.
  - This command is useful when using Secure Device Provisioning (SDP) with USB tokens to deploy credentials.
Step 8
  Command: crypto pki token {token-name | default} removal timeout [seconds]
  Example: Device(config)# crypto pki token usbtoken0 removal timeout 60
  Purpose: (Optional) Sets the time, in seconds, that the device waits after the USB token has been removed before it removes the RSA keys that were stored on that token.
  Note: If this command is not issued, all RSA keys and IPsec tunnels associated with the USB token are torn down immediately after the USB token is removed from the device.
Step 9
  Command: crypto pki token {token-name | default} max-retries [number]
  Example: Device(config)# crypto pki token usbtoken0 max-retries 20
  Purpose: (Optional) Sets the maximum number of consecutive failed login attempts allowed before access to the USB token is denied.
Step 10
  Command: exit
  Purpose: Exits global configuration mode.
Step 11
  Command: copy usbflash[0-9]:filename destination-url
  Example: Device# copy usbflash0:file1 nvram:
  Purpose: Copies files from the USB token to the device.
Step 12
  Command: show usbtoken[0-9]:filename
  Example: Device# show usbtoken:usbfile
  Purpose: (Optional) Displays information about the USB token. You can use this command to verify that the USB token is logged in.
Step 13
  Command: crypto pki token token-name logout
  Example: Device# crypto pki token usbtoken0 logout
  Purpose: Logs the device out of the USB token.
  Note: If you want to save any data to the USB token, you must log back in to the token.
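The steps above, run end to end as a single Cisco IOS session. This is an added example, not a transcript from the original page or from Cisco: the token name usbtoken0, the key label tokenkey1, the file name file1, the timeout and retry values, and the location usbtoken0: given to crypto key move rsa are all assumed for illustration. The login command used before the PIN change (crypto pki token token-name [admin] login [pin]) is not listed in the steps above; it is the command that the Step 13 note refers to when it says you must log back in.

```cisco
! Constructed session (not from the page). Assumed names: usbtoken0, tokenkey1, file1.
Device> enable
! Log in to the token first; the PIN is prompted for when it is omitted from the command.
Device# crypto pki token usbtoken0 login
! Step 2: change the user PIN. The failure counter must be reset afterwards (see Step 9).
Device# crypto pki token usbtoken0 admin change-pin
Device# configure terminal
! Step 9, done immediately after the PIN change so the login failure count starts at zero.
! 15 is the default; setting it explicitly documents the policy in the running config.
Device(config)# crypto pki token usbtoken0 max-retries 15
! Step 5: keys generated from now on land on the token unless a command says otherwise.
Device(config)# crypto key storage usbtoken0:
! Step 6: generate on the router, store on the token. 2048 bits is the recommended size and
! the maximum a USB token accepts. The label must match the cs-label used later for
! crypto pki server. Omitting "exportable" keeps the private key on the token.
Device(config)# crypto key generate rsa label tokenkey1 modulus 2048 storage usbtoken0:
! Step 7 (alternative to Step 6 when the key pair already exists on the router):
! move it onto the token and mark it non-exportable. Location usbtoken0: is assumed.
! Device(config)# crypto key move rsa tokenkey1 non-exportable on usbtoken0:
! Step 8: without this line, every RSA key and IPsec tunnel tied to the token is torn
! down the instant the token is unplugged. 60 s gives an operator time to re-insert it.
Device(config)# crypto pki token usbtoken0 removal timeout 60
! Step 10
Device(config)# exit
! Step 11: pull a configuration file off the token into NVRAM.
Device# copy usbflash0:file1 nvram:
! Step 12: confirm the token is logged in, and check that the key pair now exists.
Device# show usbtoken0:file1
Device# show crypto key mypubkey rsa
! Step 13: log out when finished. Log back in before writing anything else to the token.
Device# crypto pki token usbtoken0 logout
```

The ordering differs from the numbered steps in one place: max-retries is applied right after the PIN change, because the Step 2 note requires the failure count to be reset once the PIN is changed, and doing it before key generation means a mistyped PIN during testing cannot lock the token while the keys are still being provisioned.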