<div>
thanks Soulja and Frabble, 
 
Is it similar to a SSL VPN connection? 
 
There is no IPSEC with SSH right? 
 
The tunnel is formed when I put the ip address in Secure CRT or Putty and then I get a message that I have not ever logged in to that switch or router before and if I continue a SSL tunnel is formed? 
 
I have only entered the &quot;crypto key generate rsa&quot; and then hit enter key 
Then it prompts me for modulus size default of 512 but I usually change to 1024. 
 
But all I need is to add a host name to the router and domain name and I have never imported a certificate or anything. 
 
From Cisco document: 
 
crypto key zeroize rsa 
To delete all RSA keys from your router, use the crypto key zeroize rsa command in global configuration mode. 
 
crypto key zeroize rsa [key-pair-label] 
 
Syntax Description 
&nbsp;key-pair-label 
&nbsp;(Optional) Specifies the name of the key pair that router will delete. 
&nbsp; 
 
 
 
Defaults 
No default behavior or values. 
 
Command Modes 
Global configuration 
 
Command History 
&nbsp;Release &nbsp;Modification &nbsp; 
11.3 T 
&nbsp;This command was introduced. 
&nbsp; 
12.2(8)T 
&nbsp;The key-pair-label argument was added. 
&nbsp; 
 
 
 
Usage Guidelines 
This command deletes all Rivest, Shamir, and Adelman (RSA) keys that were previously generated by your router unless you include the key-pair-label argument, which will delete only the specified RSA key pair. If you issue this command, you must also perform two additional tasks for each trustpoint that is associated with the key pair that was deleted: 
 
•Ask the certification authority (CA) administrator to revoke your router's certificates at the CA; you must supply the challenge password you created when you originally obtained the router's certificates using the crypto ca enroll command. 
 
•Manually remove the router's certificates from the configuration by removing the configured trustpoint (using the no crypto ca trustpoint name command.) 
 
 
 
-------------------------------------------------------------------------------- 
 
Note This command cannot be undone (after you save your configuration), and after RSA keys have been deleted, you cannot use certificates or the CA or participate in certificate exchanges with other IP Security (IPSec) peers unless you reconfigure CA interoperability by regenerating RSA keys, getting the CA's certificate, and requesting your own certificate again. 
 
 
-------------------------------------------------------------------------------- 
 
This command is not saved to the configuration. 
 
Examples 
The following example deletes the general-purpose RSA key pair that was previously generated for the router. After deleting the RSA key pair, the administrator contacts the CA administrator and requests that the certificate of the router be revoked. The administrator then deletes the certificate of the router from the configuration. 
 
crypto key zeroize rsa 
crypto ca certificate chain 
&nbsp;no certificate 
<a href="http://www.cisco.com/en/US/docs/ios/12_3/security/command/reference/sec_c2g.html#wp1104892" rel="ugc">http://www.cisco.com/en/US/docs/ios/12_3/security/command/reference/sec_c2g.html#wp1104892</a> 

</div>

<div>
The way ssh works, is that the client presents its public key to the server. The server encrypts communication using that public key, and using it, sends its own public key back to the client. That communication can only be decypted using the client's private key. So now the client gets the server's public key and will encypt all future communication to the server using that public key. 
 
Now both sides have each other's public keys and have verified that they can decrypt communication from the other side. 
</div>

<div>
<div class="content wysiwyg-content">
When crypto key generate RSA is run it creates a Pair of RSA keys (certificates?); one public and one private key. 
 
How does the client (secure crt, putty, etc.) and router or switch verify each others keys as valid? 
 
The keys are generated locally on the router so I don't believe any external CA is able to verify the keys. Do they just trust each others key as valid and go ahead and make an SSH tunnel to encrypt their communication? Assuming that there is no harm in doing that because a valid router username and password is still required to enter the router or switch?
</div>
</div>

When crypto key generate RSA is run it creates a Pair of RSA keys (certificates?); one public and one private key.

How does the client (secure crt, putty, etc.) and router or switch verify each others keys as valid?

The keys are generated locally on the router so I don't believe any external CA is able to verify the keys. Do they just trust each others key as valid and go ahead and make an SSH tunnel to encrypt their communication? Assuming that there is no harm in doing that because a valid router username and password is still required to enter the router or switch?

SSH and crypto key generate command

Telnet is an application layer protocol used on the Internet or local area networks to provide a bidirectional interactive text-oriented communication facility using a virtual terminal connection. SSH was designed as a replacement for Telnet and for unsecured remote shell protocols. The term telnet is also used to refer to the software that implements the client part of the protocol. SSH provides a secure channel over an unsecured network in a client-server architecture, connecting an SSH client application with an SSH server.

SSH / Telnet Software

A router is a networking device that forwards data packets between computer networks. Routers perform the "traffic directing" functions on the Internet. The most familiar type of routers are home and small office cable or DSL routers that simply pass data, such as web pages, email, IM, and videos between computers and the Internet. More sophisticated routers, such as enterprise routers, connect large business or ISP networks up to the powerful core routers that forward data at high speed along the optical fiber lines of the Internet backbone. Though routers are typically dedicated hardware devices, use of software-based routers has grown increasingly common.

Routers

Network design and methodology, also known as network architecture, is the design of a communication network. It is a framework for the specification of a network's physical components and their functional organization and configuration, its operational principles and procedures, as well as data formats used in its operation. In telecommunication, the specification of a network architecture may also include a detailed description of products and services delivered via a communications network, as well as detailed rate and billing structures under which services are compensated.