I will deliberately skip the detail of how to generate an RSA private key, create a CSR and get it signed by a CA. Straight to the chase – here is how to import the key and certificate onto an IOS router.
First, use openssl rsa -in foo.key -pubout to display the public key that corresponds to your private key foo.key. The output will begin with BEGIN PUBLIC KEY.
Next, ensure your private key has a password – run openssl rsa -in foo.key and you will be prompted for the pass phrase if the key is encrypted. If it isn’t, encrypt it with 3DES using openssl rsa -in foo.key -des3 and specify a password (the encrypted key is written to the terminal unless you add -out).
On the IOS device in question, use crypto key import rsa foo pem terminal to import the PEM-encoded keys; the trailing argument is the pass phrase you used to encrypt the private key:
cr(config)#crypto key import rsa foo pem terminal strongpassword
% Enter PEM-formatted public General Purpose key or certificate.
% End with a blank line or "quit" on a line by itself.
-----BEGIN PUBLIC KEY-----
Ensure there is a complete blank line after pasting the public key; the router will then prompt:
% Enter PEM-formatted encrypted private General Purpose key.
% End with "quit" on a line by itself.
Paste in the 3DES-encrypted key – it will begin BEGIN RSA PRIVATE KEY – and type ‘quit’ on a line by itself at the end.
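The preparation steps above, gathered into a small POSIX shell script. This is an added example, not code from the original post: it checks from the PEM headers alone whether a key is already encrypted, re-encrypts it with 3DES in the traditional BEGIN RSA PRIVATE KEY form, extracts the public key, and prints exactly what gets pasted at the two router prompts (public key, blank line, private key, quit). It assumes openssl is on PATH; foo.key, the output file names and the pass phrase are placeholders. One caveat it handles: OpenSSL 3 writes PKCS#8 (BEGIN PRIVATE KEY / BEGIN ENCRYPTED PRIVATE KEY) by default, which is not the form described in the post, so the script passes -traditional when the installed openssl supports it.

```shell
#!/bin/sh
# Added example, not from the original post. Prepares a private key for
# "crypto key import rsa <label> pem terminal <passphrase>" on IOS.
# Assumes openssl is on PATH; file names and pass phrases are placeholders.

# Classify a PEM file from its header lines only (no pass phrase needed).
# Prints: public | rsa-encrypted | rsa-plain | pkcs8-encrypted | pkcs8-plain | unknown
pem_kind() {
    if grep -q -- '-----BEGIN PUBLIC KEY-----' "$1"; then
        echo public
    elif grep -q -- '-----BEGIN ENCRYPTED PRIVATE KEY-----' "$1"; then
        echo pkcs8-encrypted
    elif grep -q -- '-----BEGIN PRIVATE KEY-----' "$1"; then
        echo pkcs8-plain
    elif grep -q -- '-----BEGIN RSA PRIVATE KEY-----' "$1"; then
        # Traditional PEM marks an encrypted key with a Proc-Type header
        if grep -q '^Proc-Type: 4,ENCRYPTED' "$1"; then
            echo rsa-encrypted
        else
            echo rsa-plain
        fi
    else
        echo unknown
    fi
}

# Succeeds only if the file is what the router's private-key prompt expects
# per the post: a BEGIN RSA PRIVATE KEY block encrypted with 3DES.
ready_for_ios() {
    [ "$(pem_kind "$1")" = rsa-encrypted ] && grep -q '^DEK-Info: DES-EDE3-CBC' "$1"
}

# Re-encrypt a key with 3DES in traditional (PKCS#1) PEM form.
# $1 input key, $2 output file, $3 new pass phrase (the one given to IOS),
# $4 pass phrase of the input key if it already has one (optional).
# OpenSSL 3 writes PKCS#8 by default, so request -traditional where supported.
encrypt_for_ios() {
    in=$1; out=$2; pass=$3; inpass=${4:-}
    trad=
    if openssl rsa -help 2>&1 | grep -q -- '-traditional'; then
        trad=-traditional
    fi
    if [ -n "$inpass" ]; then
        openssl rsa -in "$in" -passin "pass:$inpass" -des3 $trad \
            -passout "pass:$pass" -out "$out"
    else
        openssl rsa -in "$in" -des3 $trad -passout "pass:$pass" -out "$out"
    fi
}

# Extract the public key (BEGIN PUBLIC KEY) from an encrypted private key.
# $1 private key, $2 output file, $3 pass phrase of the private key.
public_key_of() {
    openssl rsa -in "$1" -passin "pass:$3" -pubout -out "$2"
}

# Print exactly what is pasted at the two IOS prompts: the public key ended
# by a blank line, then the encrypted private key ended by "quit".
ios_paste_block() {
    cat "$1"
    echo
    cat "$2"
    echo quit
}

# Usage (placeholder names):
#   encrypt_for_ios foo.key foo.enc.key strongpassword
#   public_key_of foo.enc.key foo.pub strongpassword
#   ready_for_ios foo.enc.key && ios_paste_block foo.pub foo.enc.key
```

The header check in pem_kind is deliberately cheap and offline: it tells you before you touch the router whether the file you are about to paste is encrypted, and in which container format, without needing the pass phrase.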
That’s it. It’s not straightforward, and I know I’ll forget if I don’t write it down!