Extract private key from Cisco private-config

This blog post discusses extracting a private key from Cisco IOS’s private-config file. I recently generated a keypair on an IOS router and had forgotten to flag it as “exportable”, making it difficult to back up. As the keypair was used for IPsec authentication it was an important key to back up.

The first step is to recover private-config from the device, which I’m not going to cover in this post. Open the file in a text editor and locate the section that begins “crypto RSA-key-pair”, then save the hexadecimal values to a text file. The section will look like this:

crypto RSA-key-pair MyKey 0 1440004978
308204BC 02010030 0D06092A 864886F7 0D010101 05000482 04A63082 04A20201
00028201 0100DE8D 63241465 57356A77 57FC2C3D BBDD8454 F25B6B1A DB487C6D
AA0C1157 F665AF18 08EFC785 C23D3185 06F3D51A 42C94F06 5A97756A C83693C6

When saving to a text file, omit the line beginning “crypto RSA-key-pair”; only the hexadecimal values are required.

With the key saved to a text file, the next step is to convert the hex dump to a DER encoded file that can be used with tools like OpenSSL. The following Perl script should do the job:

#!/usr/bin/perl
# Read the hex dump, drop the spaces and newlines, and write raw DER bytes to stdout
while (<>) {
    s/\s+//g;
    print pack("H*", $_);
}

Save it as hex2.der.pl and run it with the hex file on standard input:

./hex2.der.pl < priv.hex > priv.der

Now convert the DER encoded file to PEM format using OpenSSL:

openssl rsa -in priv.der -inform der > priv.pem

Next, extract the public key from the private key:

openssl rsa -in priv.pem -pubout

The final step is to protect the private key with a password. This will be required before you can import the key to another IOS device:

openssl rsa -in priv.pem -des

You can now import the key once more using “crypto key import rsa priv.pem pem term YourPassword”.
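As an added example (my own code, not from the original post), the following Python does the same hex-to-DER conversion as the Perl script, tolerates a pasted “crypto RSA-key-pair” header line, and then reads the outer DER headers so you can tell whether the whole blob was copied before handing it to OpenSSL. The sample input is the three truncated lines shown above; their outer SEQUENCE declares a 1212-byte body, so the check reports the dump as incomplete. Function names are my own.

```python
import re

# Constructed sample: the three (truncated) lines shown in the post above.
SAMPLE_HEX = """308204BC 02010030 0D06092A 864886F7 0D010101 05000482 04A63082 04A20201
00028201 0100DE8D 63241465 57356A77 57FC2C3D BBDD8454 F25B6B1A DB487C6D
AA0C1157 F665AF18 08EFC785 C23D3185 06F3D51A 42C94F06 5A97756A C83693C6
"""

# DER encoding of the rsaEncryption OID (1.2.840.113549.1.1.1), value bytes only.
RSA_ENCRYPTION_OID = bytes.fromhex("2A864886F70D010101")


def hex_to_der(text: str) -> bytes:
    """Drop a leading 'crypto RSA-key-pair ...' line and all whitespace, then decode."""
    lines = [l for l in text.splitlines() if not l.lower().startswith("crypto ")]
    hexstr = re.sub(r"\s+", "", "".join(lines))
    if len(hexstr) % 2 or not re.fullmatch(r"[0-9A-Fa-f]*", hexstr):
        raise ValueError("input is not an even-length run of hex digits")
    return bytes.fromhex(hexstr)


def read_tlv(buf: bytes, pos: int):
    """Parse one DER tag and length at pos; return (tag, length, offset of value)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:                      # short-form length
        return tag, first, pos + 2
    n = first & 0x7F                      # long form: next n bytes hold the length
    return tag, int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), pos + 2 + n


def check_pkcs8_rsa(der: bytes) -> dict:
    """Report whether der looks like an unencrypted PKCS#8 RSA key and is complete."""
    tag, body_len, body = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("outer element is not a SEQUENCE; wrong blob?")
    vtag, vlen, vpos = read_tlv(der, body)           # version INTEGER
    version = der[vpos] if (vtag, vlen) == (0x02, 1) else None
    atag, alen, apos = read_tlv(der, vpos + vlen)    # AlgorithmIdentifier SEQUENCE
    return {
        "expected_len": body + body_len,             # header + declared body length
        "actual_len": len(der),
        "complete": len(der) >= body + body_len,
        "version": version,
        "rsa": atag == 0x30 and RSA_ENCRYPTION_OID in der[apos:apos + alen],
    }


if __name__ == "__main__":
    print(check_pkcs8_rsa(hex_to_der(SAMPLE_HEX)))  # complete: False, expected_len: 1216
```

If `complete` is False, go back to private-config and copy the remaining lines; `openssl rsa` will otherwise fail with an ASN.1 parsing error.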

Published by

Dave Hope

Dave works in IT for a leading UK based retirement developer. In his spare time he enjoys tinkering with technology and rock climbing.

One thought on “Extract private key from Cisco private-config”

  1. Excellent post! Can you share how to recover private-config from the Cisco IOS router? I also have the same problem and need to extract a non-exportable private key from Cisco private-config. Thanks!
