Configuring Digital Certificates
Configuring Key Pairs
To generate key pairs, perform the following steps:
Step 1
Command:
crypto key generate rsa
Example:
hostname/contexta(config)# crypto key generate rsa
Purpose:
Generates one, general-purpose RSA key pair. The default key modulus is 1024. To specify other modulus sizes, use the modulus keyword.
Note:
Many SSL connections using identity certificates with RSA key pairs that exceed 1024 bits can cause high CPU usage on the ASA and rejected clientless logins.

Step 2
Command:
crypto key generate rsa label key-pair-label
Example:
hostname/contexta(config)# crypto key generate rsa label exchange
Purpose:
(Optional) Assigns a label to each key pair. The label is referenced by the trustpoint that uses the key pair. If you do not assign a label, the key pair is automatically labeled, Default-RSA-Key.

Step 3
Command:
show crypto key name of key
Example:
hostname/contexta(config)# show crypto key examplekey
Purpose:
Verifies key pairs that you have generated.

Step 4
Command:
write memory
Example:
hostname(config)# write memory
Purpose:
Saves the key pair that you have generated.

Removing Key Pairs
To remove key pairs, perform the following steps:

Command:
crypto key zeroize rsa
Example:
hostname(config)# crypto key zeroize rsa
Purpose:
Removes key pairs.

Examples
The following example shows how to remove key pairs:
hostname(config)# crypto key zeroize rsa
WARNING: All RSA keys will be removed.
WARNING: All device certs issued using these keys will also be removed.
Do you really want to remove these keys? [yes/no] y

Cisco ASA Series CLI Configuration Guide
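To check the outcome of the key-generation steps on a device, the following added example (not part of the Cisco guide) parses a key-pair listing and flags pairs that sit below a minimum modulus or still carry the Default-RSA-Key label. The sample text is constructed and assumes the layout of ASA "show crypto key mypubkey rsa" output; the function names and the 2048-bit floor are assumptions to adjust to local policy.

```python
import re

# Constructed sample, modelled on the assumed layout of
# "show crypto key mypubkey rsa" output on an ASA (key data omitted).
SAMPLE = """\
Key pair was generated at: 16:39:47 UTC Feb 10 2010
Key name: <Default-RSA-Key>
 Usage: General Purpose Key
 Modulus Size (bits): 1024
 Key Data:
  (hex omitted)
Key pair was generated at: 09:12:03 UTC Mar 02 2015
Key name: exchange
 Usage: General Purpose Key
 Modulus Size (bits): 2048
 Key Data:
  (hex omitted)
"""

DEFAULT_LABEL = "Default-RSA-Key"  # label assigned when none is given (Step 2)
MIN_BITS = 2048                    # assumed policy floor, not a value from the guide

def parse_key_pairs(text):
    """Return one {'label', 'bits'} dict per key pair; accepts <label> or bare label."""
    pairs, current = [], None
    for line in text.splitlines():
        m = re.match(r"\s*Key name:\s*<?([^<>]+?)>?\s*$", line)
        if m:
            current = {"label": m.group(1), "bits": None}
            pairs.append(current)
            continue
        m = re.match(r"\s*Modulus Size \(bits\):\s*(\d+)\s*$", line)
        if m and current is not None:
            current["bits"] = int(m.group(1))
    return pairs

def audit(text, min_bits=MIN_BITS):
    """Return (label, bits, findings) tuples; findings is empty when nothing is flagged."""
    report = []
    for kp in parse_key_pairs(text):
        findings = []
        if kp["bits"] is None:
            findings.append("modulus size not found")
        elif kp["bits"] < min_bits:
            findings.append(f"modulus {kp['bits']} below {min_bits}")
        if kp["label"] == DEFAULT_LABEL:
            findings.append("default label in use")
        report.append((kp["label"], kp["bits"], findings))
    return report
```

Calling audit(SAMPLE) returns one tuple per key pair; raising or lowering min_bits lets the same check reflect the CPU trade-off described in the Note under Step 1.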