This blog post discusses extracting a private key from Cisco IOS's private-config file. I recently generated a key pair on an IOS router and had forgotten to flag it as "exportable", which makes it difficult to back up. As the key pair was used for IPsec authentication, it was an important key to back up.
The first step is to recover private-config from the device, which I'm not going to cover in this post. Open the file in a text editor and locate the section that begins "crypto RSA-key-pair", then save the hexadecimal values to a text file. The section will look like this:
crypto RSA-key-pair MyKey 0 1440004978 308204BC 02010030 0D06092A 864886F7 0D010101 05000482 04A63082 04A20201 00028201 0100DE8D 63241465 57356A77 57FC2C3D BBDD8454 F25B6B1A DB487C6D AA0C1157 F665AF18 08EFC785 C23D3185 06F3D51A 42C94F06 5A97756A C83693C6 ...
When saving to a text file, omit the header line beginning "crypto RSA-key-pair"; only the hexadecimal values are required.
With the key saved to a text file, the next step is to convert the hex dump into a DER encoded file that can be used with tools like OpenSSL. The following Perl script should do the job:
#!/usr/bin/perl
# hex2.der.pl: read the hex dump on stdin, drop anything that is not a hex digit,
# and write the raw DER bytes to stdout.
use strict;
use warnings;
binmode(STDOUT);
my $hex = '';
while (<>) {
    s/[^a-fA-F0-9]//g;   # keep only hex digits (strips spaces and newlines)
    $hex .= $_;
}
die "odd number of hex digits, the dump is incomplete or corrupted\n" if length($hex) % 2;
print pack("H*", $hex);
Run it as:
./hex2.der.pl < priv.hex > priv.der
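The conversion above trusts that the text file was edited cleanly. As an added example (not part of the original post), the following Python script does the same hex-to-DER conversion but strips the "crypto RSA-key-pair" header line itself and then uses the outer DER SEQUENCE header to check that the dump is complete: the first bytes of the key on this page, 30 82 04 BC, announce a SEQUENCE of 0x04BC bytes, so the whole blob must decode to exactly 1216 bytes, and a shorter result means lines were lost when copying. The sample sections, file names and function names are constructed for illustration.

```python
import re
import sys

# Constructed sample: the first two lines of the key section shown in the post,
# in the IOS layout (label line, then words of eight hex digits). It is truncated
# on purpose, so the completeness check below must report it as incomplete.
SAMPLE_SECTION = """crypto RSA-key-pair MyKey 0 1440004978
308204BC 02010030 0D06092A 864886F7 0D010101 05000482 04A63082 04A20201
00028201 0100DE8D 63241465 57356A77 57FC2C3D BBDD8454 F25B6B1A DB487C6D
"""

# Constructed sample of a complete (toy) DER SEQUENCE containing two INTEGERs.
COMPLETE_SECTION = """crypto RSA-key-pair Tiny 0 1
30060201 05020107
"""

# The label line contains hex-looking characters (the key label, the timestamp),
# so it must be dropped before the hex digits are collected.
HEADER_RE = re.compile(r"^\s*crypto\s+RSA-key-pair\b.*$", re.MULTILINE)


def hexdump_to_der(section: str) -> bytes:
    """Strip the 'crypto RSA-key-pair ...' line and turn the hex words into bytes."""
    body = HEADER_RE.sub("", section, count=1)
    hexdigits = re.sub(r"[^0-9A-Fa-f]", "", body)
    if len(hexdigits) % 2:
        raise ValueError("odd number of hex digits; the dump is corrupted")
    return bytes.fromhex(hexdigits)


def der_outer_length(der: bytes) -> int:
    """Total byte length of the outermost DER element, read from its header alone.

    Only definite-form lengths are handled, which is all DER permits.
    """
    if len(der) < 2:
        raise ValueError("too short to hold a DER header")
    if der[0] != 0x30:
        raise ValueError("expected a SEQUENCE (0x30) tag, got 0x%02X" % der[0])
    first = der[1]
    if first < 0x80:                      # short form: the byte is the length
        return 2 + first
    n = first & 0x7F                      # long form: next n bytes hold the length
    if n == 0 or n > 4 or len(der) < 2 + n:
        raise ValueError("unsupported or truncated DER length")
    length = int.from_bytes(der[2:2 + n], "big")
    return 2 + n + length


def check_dump(section: str) -> tuple:
    """Return (expected_total, actual_total, complete) for a private-config key section."""
    der = hexdump_to_der(section)
    expected = der_outer_length(der)
    return expected, len(der), expected == len(der)


if __name__ == "__main__":
    # Usage: python3 check_rsa_dump.py <section.txt> <out.der>
    with open(sys.argv[1]) as f:
        text = f.read()
    expected, actual, complete = check_dump(text)
    print("DER header announces %d bytes, dump holds %d: %s"
          % (expected, actual, "complete" if complete else "INCOMPLETE"),
          file=sys.stderr)
    if complete:
        with open(sys.argv[2], "wb") as out:
            out.write(hexdump_to_der(text))
```

The script refuses to write priv.der when the byte count does not match the SEQUENCE header, which catches a missed line before `openssl rsa` fails on it with a less helpful ASN.1 parsing error.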
Now convert the DER encoded file to PEM format using OpenSSL:
openssl rsa -in priv.der -inform der > priv.pem
Next, generate the public key from the private key:
openssl rsa -in priv.pem -pubout
The final step is to protect the private key with a passphrase, which is required before you can import the key into another IOS device. Without an -out option, OpenSSL prints the encrypted key to standard output:
openssl rsa -in priv.pem -des
You can now import the key again using "crypto key import rsa priv.pem pem term YourPassword".
Excellent post! Can you share how to recover private-config from the Cisco IOS router? I also have the same problem and need to extract a non-exportable private key from the Cisco private-config. Thanks!