crypto key generate rsa
Instructs the Cisco IOS to generate a unique pair of Rivest-Shamir-Adleman (RSA) public and private cryptographic keys. Without these keys, the device's internal Secure Shell (SSH) server remains dormant and cannot accept encrypted management connections.
Quick Reference
Router(config)#crypto key zeroize rsaSyntax & Scope Mechanics
When you execute this command, the router mathematically combines its configured hostname and ip domain-name to name the key file. This is why those two prerequisites are strictly required before the router will allow you to generate the keys.
- Interactive Prompt: If you omit the modulus size from the command, the CLI will pause and explicitly ask you how many bits in the modulus you want.
- [modulus-size]: Defines the strength of the encryption lock. The CCNA standard acceptable range is between 360 and 2048. Higher numbers are drastically more secure but take slightly longer for the CPU to compute during the initial login handshake.
CLI Deployment Scenarios
Scenario 1: The Full SSHv2 Deployment Sequence
Taking a fresh router out of the box, disabling Telnet, and forcing all network administrators to log in using secure SSH.
CCNA Exam Gotchas
The Modulus Size Minimum for SSHv2
Older Cisco IOS images default to a 512-bit modulus size if you press "Enter" without specifying a number. The CCNA will ask what happens next: The router will only support SSH version 1. To run the modern, secure SSH version 2 protocol, your RSA keys must have a modulus size of at least 768 bits (though 1024 or 2048 is the industry standard). To force v2 after generating a 1024-bit key, use the global command ip ssh version 2.
The Phantom Name Rejection
If you execute the crypto command and the router spits back % Please define a domain-name first. or % Please define a hostname other than Router., do not panic. The router strictly refuses to use the factory default Router or Switch hostname to build the cryptographic hash. You must change the hostname to something unique first.