Security · Global Config

crypto key generate rsa modulus [bits]

Generates an RSA key pair for SSH, encryption, or digital signatures on a Cisco IOS device, typically used to enable secure management access.

Syntax·Global Config
crypto key generate rsa modulus [bits]

When to Use This Command

  • Enabling SSH server on a router for secure remote administration
  • Generating keys for IPsec VPN authentication
  • Creating keys for HTTPS access to the device web interface
  • Preparing keys for digital certificate enrollment

Command Examples

Generate 2048-bit RSA key pair for SSH

crypto key generate rsa modulus 2048
The name for the keys will be: Router.example.com
Choose the size of the key modulus in the range of 360 to 4096 for your General Purpose Keys. Choosing a key modulus greater than 512 may take a few minutes.

How many bits in the modulus [512]: 2048
% Generating 2048 bit RSA keys, keys will be non-exportable...[OK] (elapsed time was 3 seconds)

The output shows the key pair name based on the device hostname and domain. It prompts for modulus size (default 512). After generation, it confirms success and elapsed time. 'non-exportable' means keys cannot be copied off the device.

Generate 1024-bit RSA key pair with label

crypto key generate rsa modulus 1024 label SSH-KEY
The name for the keys will be: SSH-KEY
Choose the size of the key modulus in the range of 360 to 4096 for your General Purpose Keys. Choosing a key modulus greater than 512 may take a few minutes.

How many bits in the modulus [512]: 1024
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK] (elapsed time was 2 seconds)

Using the 'label' keyword overrides the default key name. The output confirms the label 'SSH-KEY' and generation success. This is useful when multiple key pairs are needed for different purposes.

Understanding the Output

The output begins with the key name (default: hostname.domain or custom label). It then prompts for modulus size; the default is 512 bits. After generation, it displays the bit length, exportability status (non-exportable by default), and elapsed time. A successful generation shows '[OK]'. If keys already exist, you may be prompted to overwrite. The key size should be at least 1024 bits for SSH; 2048 is recommended for security. Larger moduli (e.g., 4096) take longer to generate. The keys are stored in NVRAM and persist across reboots. Use 'show crypto key mypubkey rsa' to view the generated public key.

CCNA Exam Tips

1. The CCNA exam expects you to know that RSA keys are required for SSH; the minimum modulus for SSH is 768 bits, but 1024 is commonly used.

2. Remember that the command is executed in global configuration mode, and the device must have a hostname and domain name set (via 'hostname' and 'ip domain-name') before generating keys.

3. The exam may test that 'crypto key generate rsa' overwrites existing keys; you must use 'crypto key zeroize rsa' to delete them first if needed.

4. Be aware that the 'label' option allows multiple key pairs, but only one pair can be used for SSH at a time.

Common Mistakes

Forgetting to set the hostname and domain name before generating keys, causing the command to fail or generate keys with a default name.

Using a modulus size less than 768 bits, which prevents SSH from working (SSH requires at least 768-bit keys).

Generating keys with a modulus that is too large (e.g., 4096) on low-end routers, causing excessive CPU usage and long generation times.
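The checks from the exam tips and common mistakes above can be run over a list of global-config commands before it is pushed to a device. The following Python sketch is an added example, not part of the original page or of any Cisco tooling; the `audit` function, the finding names and the sample commands are constructed for illustration. It assumes a labeled key does not depend on the hostname and domain name, and that a command without `modulus` ends up with the 512-bit prompt default.

```python
import re

# Values stated on the page: SSH needs >= 768 bits, 2048 is recommended,
# and the interactive prompt defaults to 512 when no modulus is given.
SSH_MIN_BITS, RECOMMENDED_BITS, DEFAULT_BITS = 768, 2048, 512

def audit(config_text):
    """Return [(line_no, finding)] for global-config commands, in order."""
    hostname = domain = None
    keys, findings = set(), []        # key-pair names that exist so far
    for no, raw in enumerate(config_text.splitlines(), 1):
        words = raw.split()
        line = " ".join(words)
        if line.startswith("hostname "):
            hostname = words[1]
        elif line.startswith("ip domain-name "):
            domain = words[2]
        elif line.startswith("crypto key zeroize rsa"):
            # With a label only that pair is deleted, otherwise all pairs.
            keys = keys - {words[4]} if len(words) > 4 else set()
        elif line.startswith("crypto key generate rsa"):
            label = re.search(r"\blabel (\S+)", line)
            size = re.search(r"\bmodulus (\d+)", line)
            bits = int(size.group(1)) if size else DEFAULT_BITS
            # A label overrides the default hostname.domain key name.
            name = label.group(1) if label else f"{hostname}.{domain}"
            if not label and not (hostname and domain):
                findings.append((no, "no-hostname-or-domain"))
            if bits < SSH_MIN_BITS:
                findings.append((no, "ssh-unusable"))
            elif bits < RECOMMENDED_BITS:
                findings.append((no, "below-recommended"))
            if name in keys:
                findings.append((no, "overwrites-existing-key"))
            keys.add(name)
    return findings

# Constructed sample: commands in the order they were entered.
SAMPLE = """\
crypto key generate rsa modulus 512
hostname R1
ip domain-name example.com
crypto key generate rsa modulus 1024 label SSH-KEY
crypto key generate rsa modulus 2048
crypto key generate rsa modulus 4096
"""

if __name__ == "__main__":
    print(*(f"line {n}: {f}" for n, f in audit(SAMPLE)), sep="\n")
```

Because the commands are evaluated in order, a key generated before 'hostname' and 'ip domain-name' is flagged even if both are set later in the same file.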
