28-14
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 28 Group Encrypted Transport (GET) VPNs
Generating and Synchronizing RSA Keys
The key server uses the private RSA key to authenticate rekey messages from the group members.
The key server provides the public RSA key to group members during registration.
The key server uses the private key to sign the key encryption key (KEK) and traffic encryption key
(TEK). The absence of an RSA key prevents the key server from creating the KEK and TEK.
The RSA key is also used to sign messages between cooperative key servers.
When you start the RSA key synchronization process, the Synchronize Keys dialog box opens and shows
you the overall progress as well as the results for each key server. (You can click the Abort button at any
time to stop the process.) Security Manager performs the following steps:
1. Logs into all key servers and retrieves the RSA key information from each of them for the RSA key
label configured for the VPN.
2. Determines whether any key server has a key with the required label:
   - If no key server has an RSA key with the required label, Security Manager generates the key on
     the primary key server (the one with the highest priority).
   - If one or more key servers do not have the key, but all of the key servers that do have the key
     have identical keys, Security Manager uses the existing key from any key server that has it.
   - If more than one key server has the key, but the contents of the key differ among the
     servers, you are asked whether Security Manager can overwrite the keys. If you click Yes, Security
     Manager uses the existing key on the primary key server.
     If you click No, you can log into the key servers outside of Security Manager and manually
     adjust the keys according to your requirements. However, all key servers must have the same
     key contents for the RSA key. See below for an explanation of the process.
3. Creates an exportable version of the key.
4. Imports the key into each of the remaining key servers.
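The decision in step 2 and the export/import in steps 3 and 4, modelled as an added Python example (this is not Security Manager's code; the server names, priorities and PEM strings are constructed placeholders, and comparing keys by a digest of whitespace-normalised PEM text is an assumption of this example). It returns which server's key becomes the source and which servers need an import, or reports the conflicting variants when holders disagree and overwriting has not been approved.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List, Optional

@dataclass
class KeyServer:
    name: str
    priority: int                   # highest priority is the primary key server
    key_pem: Optional[str] = None   # RSA key found under the VPN's label, or None

@dataclass
class SyncPlan:
    action: str                     # "generate", "use_existing" or "conflict"
    source: Optional[str] = None    # server whose exportable key is copied out
    import_to: List[str] = field(default_factory=list)
    variants: Dict[str, List[str]] = field(default_factory=dict)  # digest -> holders

def fingerprint(pem: str) -> str:
    """Compare key contents by a digest of whitespace-normalised PEM, not by label."""
    return hashlib.sha256("".join(pem.split()).encode()).hexdigest()

def plan_sync(servers: List[KeyServer], overwrite_ok: bool = False) -> SyncPlan:
    """Decide how to make every key server hold the same RSA key (steps 2 to 4 above)."""
    primary = max(servers, key=lambda s: s.priority)
    holders = [s for s in servers if s.key_pem is not None]
    if not holders:
        # No server has the label: generate on the primary, import into the rest.
        return SyncPlan("generate", primary.name, [s.name for s in servers if s is not primary])
    variants: Dict[str, List[str]] = {}
    for s in holders:
        variants.setdefault(fingerprint(s.key_pem), []).append(s.name)
    if len(variants) == 1:
        # All holders carry the same key: reuse it, import only where it is missing.
        missing = [s.name for s in servers if s.key_pem is None]
        return SyncPlan("use_existing", holders[0].name, missing, variants)
    if not overwrite_ok:
        # Holders disagree and overwrite was not approved: stop and report the variants.
        return SyncPlan("conflict", None, [], variants)
    # Overwrite approved: the primary's key wins. Assumption not stated on the page:
    # if the primary has no key under the label, the highest-priority holder is used.
    source = primary if primary.key_pem is not None else max(holders, key=lambda s: s.priority)
    return SyncPlan("use_existing", source.name, [s.name for s in servers if s is not source], variants)

# Constructed sample: three hypothetical key servers; placeholder PEM text, not real keys.
PEM_A = "-----BEGIN RSA PRIVATE KEY-----\nAAAA\n-----END RSA PRIVATE KEY-----"
PEM_B = "-----BEGIN RSA PRIVATE KEY-----\nBBBB\n-----END RSA PRIVATE KEY-----"
SAMPLE = [KeyServer("ks1", 100, PEM_A), KeyServer("ks2", 90, PEM_B), KeyServer("ks3", 80)]
```

Running `plan_sync(SAMPLE)` reports a conflict between ks1 and ks2; with `overwrite_ok=True` the primary (ks1) becomes the source and ks2 and ks3 receive the import.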
Tip For the synchronization process to succeed, the devices must be online and reachable and you must have
Deploy authorization. If the device connection fails or times out, ensure that you can ping the key server
from the Security Manager server. If it is your practice to deploy to file instead of to live devices, you
might need to manually generate and synchronize the keys as described below. If you do not have
sufficient authorization, you are prevented from initiating the process; someone else must do it.
Manually Generating and Synchronizing the RSA Key
If you do not want Security Manager to generate and synchronize keys, or if for some reason Security
Manager cannot complete the process, you can manually generate and synchronize keys using the
following sequence in Privileged EXEC (enable) configuration mode:
1. Generate the key on a key server using the following command, where rekeyrsa is the name of the
key (you can specify a name of your choosing). You must make the key exportable.
crypto key generate rsa general-keys label rekeyrsa modulus 1024 exportable
2. Create an exportable copy of the key using the following command, where passphrase is a string
used to encrypt the key for import (you can specify your own pass phrase):
crypto key export rsa rekeyrsa pem terminal 3des passphrase