crypto (user and privi exec modes)

Enables digital certificate configuration and RSA Keypair management. Digital certificates are issued by CAs and contain user or device specific information, such as name, public key, IP address, serial number, company name etc. Use this command to generate, delete, export, or import encrypted RSA Keypairs and generate Certificate Signing Request (CSR).
This command also enables trustpoint configuration. Trustpoints contain the CA's identity and configuration parameters.
Note

Note

This command and its syntax is common to both the User Executable and Privilege Executable configuration modes.

Supported in the following platforms:

Syntax

crypto [key|pki]

crypto key [export|generate|import|zeroize]

crypto key export rsa <RSA-KEYPAIR-NAME> <EXPORT-TO-URL {background|on|passphrase}

crypto key export rsa <RSA-KEYPAIR-NAME> <EXPORT-TO-URL> 
{background|passphrase <KEY-PASSPHRASE> background} {(on <DEVICE-NAME>)}

crypto key generate rsa <RSA-KEYPAIR-NAME> [2048|4096] {on <DEVICE-NAME>}

crypto key import rsa <RSA-KEYPAIR-NAME> <IMPORT-FROM-URL> {background|on|passphrase}

crypto key import rsa <RSA-KEYPAIR-NAME> <IMPORT-FROM-URL> 
{background|passphrase <KEY-PASSPHRASE> background} {(on <DEVICE-NAME>)}

crypto key zeroize rsa <RSA-KEYPAIR-NAME> {force} {(on <DEVICE-NAME>)}

crypto pki [authenticate|export|generate|import|zeroise]

crypto pki authenticate <TRUSTPOINT-NAME> <LOCATION-URL> {background} {(on <DEVICE-NAME>)}

crypto pki export [request|trustpoint]

crypto pki export request [generate-rsa-key|short|use-rsa-key] <RSA-KEYPAIR-NAME> 
[autogen-subject-name|subject-name]

crypto pki export request [generate-rsa-key|use-rsa-key] <RSA-KEYPAIR-NAME> autogen-subject-name 
[<EXPORT-TO-URL>,email <SEND-TO-EMAIL>,fqdn <FQDN>,ip-address <IP>]

crypto pki export request [generate-rsa-key|use-rsa-key] <RSA-KEYPAIR-NAME> autogen-subject-name 
(<EXPORT-TO-URL>,email <SEND-TO-EMAIL>,fqdn <FQDN>,ip-address <IP>)

crypto pki export request [generate-rsa-key|short [generate-rsa-key|use-rsa-key]|use-rsa-key] 
<RSA-KEYPAIR-NAME> subject-name <COMMON-NAME> <COUNTRY> <STATE> <CITY> <ORGANIZATION> <ORGANIZATION-UNIT> 
(<EXPORT-TO-URL>,email <SEND-TO-EMAIL>,fqdn <FQDN>,ip-address <IP>)

crypto pki export trustpoint <TRUSTPOINT-NAME> <EXPORT-TO-URL> {background|passphrase <KEY-PASSPHRASE> 
background} {(on <DEVICE-NAME)}

crypto pki generate self-signed <TRUSTPOINT-NAME> [generate-rsa-key|use-rsa-key] <RSA-KEYPAIR-NAME> 
[autogen-subject-name|subject-name]

crypto pki generate self-signed <TRUSTPOINT-NAME> [generate-rsa-key|use-rsa-key] <RSA-KEYPAIR-NAME> 
autogen-subject-name {(email <SEND-TO-EMAIL>, fqdn <FQDN>,ip-address <IP>,on <DEVICE-NAME>)}

crypto pki generate self-signed <TRUSTPOINT-NAME> [generate-rsa-key|use-rsa-key] <RSA-KEYPAIR-NAME> 
subject-name <COMMON-NAME> <COUNTRY> <STATE> <CITY> <ORGANIZATION> <ORGANIZATION-UNIT> 
{(email <SEND-TO-EMAIL>,fqdn <FQDN>,ip-address <IP>,on <DEVICE-NAME>)}

crypto pki import [certificate|crl|trustpoint]

crypto pki import [certificate|crl] <TRUSTPOINT-NAME> <IMPORT-FROM-URL> {background} {(on <DEVICE-NAME>})

crypto pki import trustpoint <TRUSTPOINT-NAME> <IMPORT-FROM-URL> 
{background|passphrase <KEY-PASSPHRASE> background} {(on <DEVICE-NAME>)}

crypto pki zeroize trustpoint <TRUSTPOINT-NAME> {del-key} {(on <DEVICE-NAME>)}

Parameters

crypto key export rsa <RSA-KEYPAIR-NAME> <EXPORT-TO-URL> {background|passphrase <KEY-PASSPHRASE> background} {(on <DEVICE-NAME>)}
key Enables RSA Keypair management. Use this command to export, import, generate, or delete a RSA key.
export rsa <RSA-KEYPAIR-NAME> Exports an existing RSA Keypair to a specified destination
  • <RSA-KEYPAIR-NAME> – Specify the RSA Keypair name.
<EXPORT-TO-URL> Specify the RSA Keypair destination address.

Both IPv4 and IPv6 address formats are supported. After specifying the destination address (where the RSA Keypair is exported), configure one of the following parameters: background or passphrase.
background Optional. Performs export operation in the background. If selecting this option, you can optionally specify the device (access point or controller) to perform the export on.
passphrase <KEY-PASSPHRASE> background Optional. Encrypts RSA Keypair before exporting
  • <KEY-PASSPHRASE> – Specify a passphrase to encrypt the RSA Keypair.
    • background – Optional. Performs export operation in the background. After specifying the passphrase, optionally specify the device (access point or controller) to perform the export on.
on <DEVICE-NAME> The following parameter is recursive and common to all of the above parameters:
  • on <DEVICE-NAME> – Optional. Performs export operation on a specified device
    • <DEVICE-NAME> – Specify the name of the AP, wireless controller, or service platform.
 
crypto key generate rsa <RSA-KEYPAIR-NAME> [2048|4096] {on <DEVICE-NAME>}
key Enables RSA Keypair management. Use this command to export, import, generate, or delete a RSA key.
generate rsa <RSA-KEYPAIR-NAME> [2048|4096] Generates a new RSA Keypair
  • <RSA-KEYPAIR-NAME> – Specify the RSA Keypair name.
    • [2048|4096] – Sets the size of the RSA key in bits. The options are 2048 bits and 4096 bits. The default size is 2048 bits.

    After specifying the key size, optionally specify the device (access point or controller) to generate the key on.
on <DEVICE-NAME> Optional. Generates the new RSA Keypair on a specified device
  • <DEVICE-NAME> – Specify the name of the AP, wireless controller, or service platform.
 
crypto key import rsa <RSA-KEYPAIR-NAME> <IMPORT-FROM-URL> {background|passphrase <KEY-PASSPHRASE> background} {(on <DEVICE-NAME>)}
key Enables RSA Keypair management. Use this command to export, import, generate, or delete a RSA key.
import rsa <RSA-KEYPAIR-NAME> Imports a RSA Keypair from a specified source
  • <RSA-KEYPAIR-NAME> – Specify the RSA Keypair name.
<IMPORT-FROM-URL> Specify the RSA Keypair source address.

Both IPv4 and IPv6 address formats are supported. After specifying the source address (where the RSA Keypair is imported from), configure one of the following parameters: background or passphrase.
background Optional. Performs import operation in the background. If selecting this option, you can optionally specify the device (access point or controller) to perform the import on.
passphrase <KEY-PASSPHRASE> background Optional. Decrypts the RSA Keypair after importing
  • <KEY-PASSPHRASE> – Specify the passphrase to decrypt the RSA Keypair.
    • background – Optional. Performs import operation in the background. After specifying the passphrase, optionally specify the device (access point, controller, or service platform) to perform the import on.
on <DEVICE-NAME> The following parameter is recursive and common to the ‘background‘ and ‘passphrase‘ keywords:
  • on <DEVICE-NAME> – Optional. Performs import operation on a specific device
    • <DEVICE-NAME> – Specify the name of the AP, wireless controller, or service platform.
 
crypto key zeroize rsa <RSA-KEYPAIR-NAME> {force} {(on <DEVICE-NAME>)}
key Enables RSA Keypair management. Use this command to export, import, generate, or delete a RSA key.
zeroize rsa <RSA-KEYPAIR-NAME> Deletes a specified RSA Keypair
  • <RSA-KEYPAIR-NAME> – Specify the RSA Keypair name.
Note: All device certificates associated with this key will also be deleted.
force Optional. Forces deletion of all certificates associated with the specified RSA Keypair. Optionally specify a device on which to force certificate deletion.
on <DEVICE-NAME> The following parameter is recursive and optional:
  • on <DEVICE-NAME> – Optional. Deletes all certificates associated with the RSA Keypair on a specified device
    • <DEVICE-NAME> – Specify the name of the AP, wireless controller, or service platform.
 
crypto pki authenticate <TRUSTPOINT-NAME> <URL> {background} {(on <DEVICE-NAME>)}
pki Enables Private Key Infrastructure (PKI) management. Use this command to authenticate, export, generate, or delete a trustpoint and its associated Certificate Authority (CA) certificates.
authenticate <TRUSTPOINT-NAME> Authenticates a trustpoint and imports the corresponding CA certificate
  • <TRUSTPOINT-NAME> – Specify the trustpoint name.
url Specify CA‘s location. Both IPv4 and IPv6 address formats are supported.
Note: The CA certificate is imported from the specified location.
background Optional. Performs authentication in the background. If selecting this option, you can optionally specify the device (access point, controller, or service platform) to perform the export on.
on <DEVICE-NAME> The following parameter is recursive and optional:
  • on <DEVICE-NAME> – Optional. Performs authentication on a specified device
    • <DEVICE-NAME> – Specify the name of the AP, wireless controller, or service platform.
 
crypto pki export request [generate-rsa-key|use-rsa-key] <RSA-KEYPAIR-NAME> autogen-subject-name (<EXPORT-TO-URL>,email <SEND-TO-EMAIL>,fqdn <FQDN>,ip-address <IP>)
pki Enables PKI management. Use this command to authenticate, export, generate, or delete a trustpoint and its associated CA certificates.
export request Exports CSR to the CA for digital identity certificate. The CSR contains applicant‘s details and RSA Keypair‘s public key.
[generate-rsa-key| use-rsa-key] <RSA-KEYPAIR-NAME> Generates a new RSA Keypair or uses an existing RSA Keypair
  • generate-rsa-key – Generates a new RSA Keypair for digital authentication
  • use-rsa-key – Uses an existing RSA Keypair for digital authentication
    • <RSA-KEYPAIR-NAME> – If generating a new RSA Keypair, specify a name for it. If using an existing RSA Keypair, specify its name.
autogen-subject-name Auto generates subject name from configuration parameters. The subject name identifies the certificate.
<EXPORT-TO-URL> Specify the CA‘s location. Both IPv4 and IPv6 address formats are supported.
Note: The CSR is exported to the specified location.
email <SEND-TO-EMAIL> Exports CSR to a specified e-mail address
  • <SEND-TO-EMAIL> – Specify the CA‘s e-mail address.
fqdn <FQDN> Exports CSR to a specified FQDN (Fully Qualified Domain Name)
  • <FQDN> – Specify the CA‘s FQDN.
ip-address <IP> Exports CSR to a specified device or system
  • <IP> – Specify the CA‘s IP address.
 
crypto pki export request [generate-rsa-key|short [generate-rsa-key|use-rsa-key]|use-rsa-key] <RSA-KEYPAIR-NAME> subject-name <COMMON-NAME> <COUNTRY> <STATE> <CITY> <ORGANIZATION> <ORGANIZATION-UNIT> (<EXPORT-TO-URL>,email <SEND-TO-EMAIL>,fqdn <FQDN>,ip-address <IP>)
pki Enables PKI management. Use this command to authenticate, export, generate, or delete a trustpoint and its associated CA certificates.
export request Exports CSR to the CA for a digital identity certificate. The CSR contains applicant‘s details and RSA Keypair‘s public key.
[generate-rsa-key| short [generate-rsa-key|use-rsa-key]| use-rsa-key] <RSA-KEYPAIR-NAME> Generates a new RSA Keypair or uses an existing RSA Keypair
  • generate-rsa-key – Generates a new RSA Keypair for digital authentication
  • short [generate-rsa-key|use-rsa-key] – Generates and exports a shorter version of the CSR
    • generate-rsa-key – Generates a new RSA Keypair for digital authentication. If generating a new RSA Keypair, specify a name for it.
    • use-rsa-key – Uses an existing RSA Keypair for digital authentication. If using an existing RSA Keypair, specify its name.
  • use-rsa-key – Uses an existing RSA Keypair for digital authentication
    • <RSA-KEYPAIR-NAME> – If generating a new RSA Keypair, specify a name for it. If using an existing RSA Keypair, specify its name.
subject-name <COMMON-NAME> Configures a subject name, defined by the <COMMON-NAME> keyword, to identify the certificate
  • <COMMON-NAME> – Specify the common name used with the CA certificate. The name should enable you to identify the certificate easily (2 to 64 characters in length).
<COUNTRY> Sets the deployment country code (2 character ISO code)
<STATE> Sets the state name (2 to 64 characters in length)
<CITY> Sets the city name (2 to 64 characters in length)
<ORGANIZATION> Sets the organization name (2 to 64 characters in length)
<ORGANIZATION-UNIT> Sets the organization unit (2 to 64 characters in length)
<EXPORT-TO-URL> Specify the CA‘s location. Both IPv4 and IPv6 address formats are supported. The CSR is exported to the specified location.
email <SEND-TO-EMAIL> Exports CSR to a specified e-mail address
  • <SEND-TO-EMAIL> – Specify the CA‘s e-mail address.
fqdn <FQDN> Exports CSR to a specified FQDN
  • <FQDN> – Specify the CA‘s FQDN.
ip-address <IP> Exports CSR to a specified device or system
  • <IP> – Specify the CA‘s IP address.
 
crypto pki export trustpoint <TRUSTPOINT-NAME> <EXPORT-TO-URL> {background|passphrase <KEY-PASSPHRASE> background} {(on <DEVICE-NAME>)}
pki Enables PKI management. Use this command to authenticate, export, generate, or delete a trustpoint and its associated CA certificates.
export trustpoint <TRUSTPOINT-NAME> Exports a trustpoint along with CA certificate, (Certificate Revocation List) (CRL), server certificate, and private key
  • <TRUSTPOINT-NAME> – Specify the trustpoint name (should be authenticated).
<EXPORT-TO-URL> Specify the destination address. Both IPv4 and IPv6 address formats are supported. The trustpoint is exported to the address specified here.
background Optional. Performs export operation in the background. If selecting this option, you can optionally specify the device (access point or controller) to perform the export on
passphrase <KEY-PASSPHRASE> background Optional. Encrypts the key with a passphrase before exporting
  • <KEY-PASSPHRASE> – Specify the passphrase to encrypt the trustpoint.
    • background – Optional. Performs export operation in the background. After specifying the passphrase, optionally specify the device (access point or controller) to perform the export on.
on <DEVICE-NAME> The following parameter is recursive and common to the ‘background‘ and ‘passphrase‘ keywords:
  • on <DEVICE-NAME> – Optional. Performs export operation on a specified device
    • <DEVICE-NAME> – Specify the name of the AP, wireless controller, or service platform.
 
crypto pki generate self-signed <TRUSTPOINT-NAME> [generate-rsa-key|use-rsa-key] <RSA-KEYPAIR-NAME> autogen-subject-name {(email <SEND-TO-EMAIL>,fqdn <FQDN>,ip-address <IP>,on <DEVICE-NAME>)}
pki Enables PKI management. Use this command to authenticate, export, generate, or delete a trustpoint and its associated certificates.
generate Generates a certificate and a trustpoint
self-signed <TRUSTPOINT-NAME> Generates a self-signed certificate and a trustpoint
  • <TRUSTPOINT-NAME> – Specify a name for the certificate and its trustpoint.
[generate-rsa-key| use-rsa-key] <RSA-KEYPAIR-NAME> Generates a new RSA Keypair, or uses an existing RSA Keypair
  • generate-rsa-key – Generates a new RSA Keypair for digital authentication
  • use-rsa-key – Uses an existing RSA Keypair for digital authentication
    • <RSA-KEYPAIR-NAME> – If generating a new RSA Keypair, specify a name for it. If using an existing RSA Keypair, specify its name.
autogen-subject-name Auto generates the subject name from the configuration parameters. The subject name helps to identify the certificate.
email <SEND-TO-EMAIL> Optional. Exports the self-signed certificate to a specified e-mail address
  • <SEND-TO-EMAIL> – Specify the e-mail address.
fqdn <FQDN> Optional. Exports the self-signed certificate to a specified FQDN
  • <FQDN> – Specify the FQDN.
ip-address <IP> Optional. Exports the self-signed certificate to a specified device or system
  • <IP> – Specify the device‘s IP address.
on <DEVICE-NAME> Optional. Exports the self-signed certificate on a specified device
  • <DEVICE-NAME> – Specify the name of the AP, wireless controller, or service platform.
 
crypto pki generate self-signed <TRUSTPOINT-NAME> [generate-rsa-key|use-rsa-key] <RSA-KEYPAIR-NAME> subject-name <COMMON-NAME> <COUNTRY> <STATE> <CITY> <ORGANIZATION> <ORGANIZATION-UNIT> {(email <SEND-TO-EMAIL>,fqdn <FQDN>,ip-address <IP>,on <DEVICE-NAME>)}
pki Enables PKI management. Use this command to authenticate, export, generate, or delete a trustpoint and its associated certificates.
generate self-signed <TRUSTPOINT-NAME> Generates a self-signed certificate and a trustpoint
  • <TRUSTPOINT-NAME> – Specify a name for the certificate and its trustpoint.
[generate-rsa-key| use-rsa-key] <RSA-KEYPAIR-NAME> Generates a new RSA Keypair, or uses an existing RSA Keypair
  • generate-rsa-key – Generates a new RSA Keypair for digital authentication
  • use-rsa-key – Uses an existing RSA Keypair for digital authentication
    • <RSA-KEYPAIR-NAME> – If generating a new RSA Keypair, specify a name for it. If using an existing RSA Keypair, specify its name.
subject-name <COMMON-NAME> Configures a subject name, defined by the <COMMON-NAME> keyword, to identify the certificate
  • <COMMON-NAME> – Specify the common name used with this certificate. The name should enable you to identify the certificate easily and should not exceed 2 to 64 characters in length.
<COUNTRY> Sets the deployment country code (2 character ISO code)
<STATE> Sets the state name (2 to 64 characters in length)
<CITY> Sets the city name (2 to 64 characters in length)
<ORGANIZATION> Sets the organization name (2 to 64 characters in length)
<ORGANIZATION-UNIT> Sets the organization unit (2 to 64 characters in length)
email <SEND-TO-EMAIL> Optional. Exports the self-signed certificate to a specified e-mail address
  • <SEND-TO-EMAIL> – Specify the e-mail address.
fqdn <FQDN> Optional. Exports the self-signed certificate to a specified FQDN
  • <FQDN> – Specify the FQDN.
ip-address <IP> Optional. Exports the self-signed certificate to a specified device or system
  • <IP> – Specify the device‘s IP address.
 
crypto pki import [certificate|crl] <TRUSTPOINT-NAME> <IMPORT-FROM-URL> {background} {(on <DEVICE-NAME>)}
pki Enables PKI management. Use this command to authenticate, export, generate, or delete a trustpoint and its associated CA certificates.
import Imports certificates, CRL, or a trustpoint to the selected device
[certificate|crl] <TRUSTPOINT-NAME> Imports a signed server certificate or CRL
  • certificate – Imports signed server certificate
  • crl – Imports CRL
    • <TRUSTPOINT-NAME> – Specify the trustpoint name (should be authenticated).
<IMPORT-FROM-URL> Specify the signed server certificate or CRL source address. Both IPv4 and IPv6 address formats are supported.

The server certificate or the CRL (based on the parameter passed in the preceding step) is imported from the location specified here.
background Optional. Performs import operation in the background. If selecting this option, you can optionally specify the device (access point or controller) to perform the import on.
on <DEVICE-NAME> The following parameter is recursive and optional:
  • on <DEVICE-NAME> – Optional. Performs import operation on a specified device
    • <DEVICE-NAME> – Specify the name of the AP, wireless controller, or service platform.
 
crypto pki import trustpoint <TRUSTPOINT-NAME> <IMPORT-FROM-URL> {background|passphrase <KEY-PASSPHRASE> background} {(on <DEVICE-NAME>)}
pki Enables PKI management. Use this command to authenticate, export, generate, or delete a trustpoint and its associated CA certificates.
import Imports certificates, CRL, or a trustpoint to the selected device
trustpoint <TRUSTPOINT-NAME> Imports a trustpoint and its associated CA certificate, server certificate, and private key
  • <TRUSTPOINT-NAME> – Specify the trustpoint name (should be authenticated).
<IMPORT-FROM-URL> Specify the trustpoint source address. Both IPv4 and IPv6 address formats are supported.
background Optional. Performs import operation in the background. If selecting this option, you can optionally specify the device (access point or controller) to perform the import on.
passphrase <KEY-PASSPHRASE> background Optional. Decrypts trustpoint with a passphrase after importing
  • <KEY-PASSPHRASE> – Specify the passphrase. After specifying the passphrase, optionally specify the device to perform import on.
    • background – Optional. Performs import operation in the background. After specifying the passphrase, optionally specify the device (access point or controller) to perform the import on.
on <DEVICE-NAME> The following parameter is recursive and optional:
  • on <DEVICE-NAME> – Optional. Performs import operation on a specified device
    • <DEVICE-NAME> – Specify the name of the AP, wireless controller, or service platform.
 
crypto pki zeroize trustpoint <TRUSTPOINT-NAME> {del-key} {(on <DEVICE-NAME>)}
pki Enables PKI management. Use this command to authenticate, export, generate, or delete a trustpoint and its associated CA certificates.
zeroize trustpoint <TRUSTPOINT-NAME> Imports certificates, CRL, or a trustpoint to the selected device
[certificate|crl] <TRUSTPOINT-NAME> Deletes a trustpoint and its associated CA certificate, server certificate, and private key
  • <TRUSTPOINT-NAME> – Specify the trustpoint name (should be authenticated).
del-key Optional. Deletes the private key associated with the server certificate. Optionally specify the device to perform deletion on.
on <DEVICE-NAME> The following parameter is recursive and optional:
  • on <DEVICE-NAME> – Optional. Deletes the trustpoint on a specified device
    • <DEVICE-NAME> – Specify the name of the AP, wireless controller, or service platform.

Usage Guidelines

The system supports both IPv4 and IPv6 address formats. Provide source and destination locations using any one of the following options:

Examples

NOC-NX9500#crypto key generate rsa key 2048
RSA key size > 2048. Key generation started in background.
NOC-NX9500#

Related Commands

no (user-exec-mode) Removes server certificates, trustpoints and their associated certificates
9036316-02 REV AB