CCENT - if device has no crypto, how can you create a certificate
HI,
I am in "Initial Device configuration, part 3" of CCENT,
Don Pezet mentions that by US law the crypto feature is stripped from cisco devices on export. Then he continues to explain how to create a self-signed certificate using crypto. All well.
But as I am from abroad, I most likely need to find a different solution.
Are there any suggestions what I could do?
How can I create that certificate without crypto on a cisco router or switch?
Thank you
Andreas
This is an interesting question that I'll try and get some more information from Don if he has a different take. This all has to do with symmetric encryption that is >64bit. These are pretty much controlled by the US government (e.g. AES and 3DES). So these are export restricted.
These symmetric encryptions that are < 64bit are not controlled by the US Government are exportable as long as the country is not on an embargo country ( Cuba , Iran , Myanmar, North Korea , Sudan, and Syria--today may include more).
So, here is the link for the Export Compliance.
The key here is that you may not dependent upon your country of origin be able to get any encryption higher than 64bit for your crypto even if you get a license that has crypto on it.
updated
I just spoke with Don about this, If you're keen on using Cisco only what I posted above is correct. Don said many times though, you may be able to work with a retailer to get the exclusion to the restriction but not always. He also said that usually, what you may have to do though to provide you the crypto you need to is find hardware vendor (non-Cisco) that may not be US based to help you with your Crypto needs.
