Karsten Iwen made an interesting comment to my “Don't let a lab rat anywhere near a production box” post: you should avoid the SSH/VPN key generation mistakes by using key labels. He also wrote a post explaining the concept but since it’s in German, let me rephrase it in English.

Cisco IOS release 12.2(8)T added the label parameter to the crypto key generate rsa command. You can use this parameter to assign a label to your VPN key, for example

Rtr(config)#crypto key generate rsa label VPN modulus 2048

To use the labeled key to generate your certificate, use the rsakeypair command in the CA-trustpoint configuration mode:

crypto pki trustpoint example.com
 enrollment retry count 100
 enrollment mode ra
 enrollment url http://ca.example.com/certsrv/mscep/mscep.dll
 rsakeypair VPN