安全讨论区中的主题回复： Cisco switch webui is unaccessed after the ip ssh rsa key is updat

Cisco switch webui is unaccessed after the ip ssh rsa key is updated

listen-ji — Wed, 24 Dec 2025 05:39:04 GMT

Cisco switch webui is unaccessed after the ip ssh rsa key is updated, any one who knows how to fix? Thanks!

Re: Cisco switch webui is unaccessed after the ip ssh rsa key is updat

balaji.bandi — Wed, 24 Dec 2025 08:46:54 GMT

Try a different browser (if the old browser has cached)

If you still have SSH access, check the Logs for the error you're getting.

try steps below to remove and add, and see if that fixes the issue :

configure terminal
  no ip http secure-server
  no ip http server
  ip http server
  ip http secure-server
end

回复： Cisco switch webui is unaccessed after the ip ssh rsa key is updat

ilay — Wed, 24 Dec 2025 10:45:20 GMT

1.确保 domain name已经设置
ip domain name dc.acc
2 生一个新的rsa key,并指定label为http-key
crypto key generate rsa label http-key modulus 2048
3.根据以下步骤生成一个新的自签证书

demo-sw#sh run | b crypto crypto pki trustpoint localtrust # localtrust是自定义的名称，可以根据实际修改 enrollment selfsigned serial-number ip-address 10.17.0.2 subject-name CN=sw01.dc.acc,OU=it dept,O=test organization,c=CN # 根据实际情况调整即可 revocation-check crl rsakeypair http-key ! demo-sw(config)#crypto pki enroll localtrust % Include the router serial number in the subject name? [yes/no]: yes % The IP address in the certificate is 10.17.0.2 Generate Self Signed Router Certificate? [yes/no]: yes Router Self Signed Certificate successfully created

4.应用新的证书，并重启一下 web 服务，然后再尝试访问即可

demo-sw(config)#ip http secure-trustpoint localtrust
demo-sw(config)#no ip http secure-server
demo-sw(config)#ip http secure-server
demo-sw(config)#end
demo-sw#wr

=======

### Steps to Restore Web UI Access by Regenerating HTTPS RSA Key and Self-Signed Certificate

1. Ensure the domain name has been configured:

ip domain name dc.acc

2. Generate a new RSA key and assign it the label "http-key":

crypto key generate rsa label http-key modulus 2048

3. Follow the steps below to generate a new self-signed certificate

demo-sw#sh run | b crypto crypto pki trustpoint localtrust enrollment selfsigned serial-number ip-address 10.17.0.2 subject-name CN=sw01.dc.acc,OU=it dept,O=test organization,c=CN revocation-check crl rsakeypair http-key ! demo-core#sh run | b crypto crypto pki trustpoint localtrust # "localtrust" is a user-defined name and can be modified as needed enrollment selfsigned serial-number ip-address 10.17.0.2 subject-name CN=sw01.dc.acc,OU=IT Dept,O=Test Organization,C=CN # Adjust according to your actual environment revocation-check crl rsakeypair http-key ! demo-sw(config)# crypto pki enroll localtrust % Include the router serial number in the subject name? [yes/no]: yes % The IP address in the certificate is 10.17.0.2 Generate Self Signed Router Certificate? [yes/no]: yes Router Self Signed Certificate successfully created

4. Apply the new certificate, restart the web service, and then try accessing it again:

demo-sw(config)# ip http secure-trustpoint localtrust
demo-sw(config)# no ip http secure-server
demo-sw(config)# ip http secure-server
demo-sw(config)# end
demo-sw# write memory

测试访问：

Re: Cisco switch webui is unaccessed after the ip ssh rsa key is updat

listen-ji — Thu, 25 Dec 2025 01:29:31 GMT

hello, thanks for replying, I use another meathod to resolve, since I generated a new rsa key, but the webui is still using the old rsa key, therefor, should delete the old one firstly.

no crypto pki trustpoint TP-Self-Signed-xxxxxxxxxx
no ip http server
no ip http secure-server
ip http server
ip http secure-server
ip http authentication

回复： Cisco switch webui is unaccessed after the ip ssh rsa key is updat

listen-ji — Thu, 25 Dec 2025 01:29:42 GMT

hello, thanks for replying, I use another meathod to resolve, since I generated a new rsa key, but the webui is still using the old rsa key, therefor, should delete the old one firstly.

no crypto pki trustpoint TP-Self-Signed-xxxxxxxxxx
no ip http server
no ip http secure-server
ip http server
ip http secure-server
ip http authentication

Re: Cisco switch webui is unaccessed after the ip ssh rsa key is updat

balaji.bandi — Thu, 25 Dec 2025 17:40:33 GMT

This is what I suggested, somehow this line of missed when I was posting. glad all good.

no crypto pki trustpoint TP-self-signed

回复： Cisco switch webui is unaccessed after the ip ssh rsa key is updat

Rockyw — Sat, 27 Dec 2025 14:36:17 GMT

This is a common issue on Cisco IOS devices! When you update the ip ssh rsa key, it can sometimes disrupt the WebUI (HTTPS) access, especially if the WebUI was relying on the same RSA key pair to generate its self-signed SSL certificate.

Here's why it happens and how to fix it:

Why it happens:

By default, if you don't explicitly configure a separate SSL certificate for the WebUI (HTTPS), Cisco IOS often uses the same RSA key pair generated for SSH to create a self-signed certificate for the HTTP secure server.

When you run ip ssh rsa key generate, you're generating a new RSA key pair. The existing HTTPS service might not automatically recognize or pick up this new key, or its cached certificate (based on the old key) becomes invalid. This leads to the WebUI failing to establish a secure connection or even refusing connections.

How to Fix It (Most Common Solution):

The simplest and most common fix is to disable and then re-enable the secure HTTP server. This forces the WebUI service to re-initialize and regenerate its self-signed certificate using the newly generated RSA key.

Steps:

Access the switch via Console or SSH: Since the WebUI is down, you'll need to use one of these methods. SSH should still work since you just updated its key.
Enter Global Configuration Mode:

enable configure terminal

3.Disable the Secure HTTP Server:

no ip http secure-server

You might see a message like "% HTTP Server is being stopped."

4.Re-enable the Secure HTTP Server:

ip http secure-server

You might see a message like "% HTTP Server is being started."

5.Verify the HTTP Server Status (Optional but Recommended):

end show ip http server status

Look for output indicating the secure server is enabled and listening on port 443.

6.Save the Configuration:

write memory

7.Test WebUI Access:

Now, try accessing the WebUI from your browser. You might get a browser warning about a self-signed certificate (which is normal for a device using a self-generated cert), but you should be able to proceed and log in.

If the above doesn't work, consider these additional steps:

Clear Browser Cache / Incognito Mode: Sometimes your browser caches old certificate information. Try clearing your browser's cache or using an incognito/private browsing window.
Check for crypto pki configuration (if applicable): If you had explicitly configured a crypto pki trustpoint and ip http secure-server trustpoint <name>, then the issue might be with that specific PKI configuration rather than the generic SSH key reuse. In such a case, you might need to re-enroll or regenerate the certificate for that trustpoint.
- show running-config | include crypto pki
- show crypto pki certificates
Check for HTTP Server Errors in Logs:

show logging

Look for any error messages related to WEBSERVER, HTTP, HTTPS, or CRYPTO after you re-enabled the secure server.

Ensure ip http server is also enabled: While less likely to be the direct cause, ip http server (for HTTP) is often a prerequisite for ip http secure-server (for HTTPS) to function correctly.

show running-config | include ip http server

If ip http server is missing, add it:

configure terminal ip http server end write memory

By disabling and re-enabling ip http secure-server, you're essentially giving the switch a kick to regenerate its internal SSL certificate based on the now-current RSA key, resolving the mismatch.

安全讨论区中的主题 回复： Cisco switch webui is unaccessed after the ip ssh rsa key is updat

Cisco switch webui is unaccessed after the ip ssh rsa key is updated

Re: Cisco switch webui is unaccessed after the ip ssh rsa key is updat

回复： Cisco switch webui is unaccessed after the ip ssh rsa key is updat

Re: Cisco switch webui is unaccessed after the ip ssh rsa key is updat

回复： Cisco switch webui is unaccessed after the ip ssh rsa key is updat

Re: Cisco switch webui is unaccessed after the ip ssh rsa key is updat

回复： Cisco switch webui is unaccessed after the ip ssh rsa key is updat

安全讨论区中的主题回复： Cisco switch webui is unaccessed after the ip ssh rsa key is updat