
Cisco switch webui is unaccessed after the ip ssh rsa key is updated

listen-ji
Level 1

The Cisco switch WebUI is inaccessible after the ip ssh rsa key is updated. Does anyone know how to fix this? Thanks!

1 Accepted Solution

Accepted Solution

ilay
VIP

### Steps to Restore Web UI Access by Regenerating the HTTPS RSA Key and Self-Signed Certificate

1. Make sure a domain name is configured:

ip domain name dc.acc

2. Generate a new RSA key pair and give it the label "http-key":

crypto key generate rsa label http-key modulus 2048

3. Generate a new self-signed certificate with the following steps:

demo-sw#sh run | b crypto
crypto pki trustpoint localtrust
 ! "localtrust" is a user-defined name and can be changed as needed
 enrollment selfsigned
 serial-number
 ip-address 10.17.0.2
 subject-name CN=sw01.dc.acc,OU=it dept,O=test organization,c=CN
 ! adjust the subject name to your environment
 revocation-check crl
 rsakeypair http-key
!
demo-sw(config)#crypto pki enroll localtrust
% Include the router serial number in the subject name? [yes/no]: yes
% The IP address in the certificate is 10.17.0.2

Generate Self Signed Router Certificate? [yes/no]: yes

Router Self Signed Certificate successfully created

4. Bind the new certificate to the HTTPS server, restart the web service, and then try accessing it again:

demo-sw(config)#ip http secure-trustpoint localtrust
demo-sw(config)#no ip http secure-server
demo-sw(config)#ip http secure-server
demo-sw(config)#end
demo-sw#write memory

Test access: (screenshot of the WebUI login not reproduced here)

6 Replies

balaji.bandi
Hall of Fame

Try a different browser (in case the old browser has cached it).

If you still have SSH access, check the logs for the error you're getting.

Try the steps below to remove and re-add the HTTP server, and see if that fixes the issue:

configure terminal
  no ip http secure-server
  no ip http server
  ip http server
  ip http secure-server
end


BB

=====Preenayamo Vasudevam=====

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Hello, thanks for replying. I used another method to resolve it: since I generated a new RSA key but the WebUI was still using the old RSA key, the old one should be deleted first.

no crypto pki trustpoint TP-Self-Signed-xxxxxxxxxx
no ip http server
no ip http secure-server
ip http server
ip http secure-server
ip http authentication

This is what I suggested; somehow this line was missed when I was posting. Glad all is good.

no crypto pki trustpoint TP-self-signed

 

BB



Rockyw
Spotlight

This is a common issue on Cisco IOS devices! When you update the ip ssh rsa key, it can sometimes disrupt the WebUI (HTTPS) access, especially if the WebUI was relying on the same RSA key pair to generate its self-signed SSL certificate.

Here's why it happens and how to fix it:

Why it happens:

By default, if you don't explicitly configure a separate SSL certificate for the WebUI (HTTPS), Cisco IOS often uses the same RSA key pair generated for SSH to create a self-signed certificate for the HTTP secure server.

When you run ip ssh rsa key generate, you're generating a new RSA key pair. The existing HTTPS service might not automatically recognize or pick up this new key, or its cached certificate (based on the old key) becomes invalid. This leads to the WebUI failing to establish a secure connection or even refusing connections.

How to Fix It (Most Common Solution):

The simplest and most common fix is to disable and then re-enable the secure HTTP server. This forces the WebUI service to re-initialize and regenerate its self-signed certificate using the newly generated RSA key.

Steps:

1. Access the switch via Console or SSH: Since the WebUI is down, you'll need to use one of these methods. SSH should still work since you just updated its key.

2. Enter Global Configuration Mode:

enable
configure terminal

3. Disable the Secure HTTP Server:

no ip http secure-server

You might see a message like "% HTTP Server is being stopped."

4. Re-enable the Secure HTTP Server:

ip http secure-server

You might see a message like "% HTTP Server is being started."

5. Verify the HTTP Server Status (Optional but Recommended):

end
show ip http server status

Look for output indicating the secure server is enabled and listening on port 443.

6. Save the Configuration:

write memory

7. Test WebUI Access:

Now, try accessing the WebUI from your browser. You might get a browser warning about a self-signed certificate (which is normal for a device using a self-generated cert), but you should be able to proceed and log in.

If the above doesn't work, consider these additional steps:

  • Clear Browser Cache / Incognito Mode: Sometimes your browser caches old certificate information. Try clearing your browser's cache or using an incognito/private browsing window.
  • Check for crypto pki configuration (if applicable): If you had explicitly configured a crypto pki trustpoint and ip http secure-server trustpoint <name>, then the issue might be with that specific PKI configuration rather than the generic SSH key reuse. In such a case, you might need to re-enroll or regenerate the certificate for that trustpoint.
    • show running-config | include crypto pki
    • show crypto pki certificates
  • Check for HTTP Server Errors in Logs:
show logging

Look for any error messages related to WEBSERVER, HTTP, HTTPS, or CRYPTO after you re-enabled the secure server.

  • Ensure ip http server is also enabled: While less likely to be the direct cause, ip http server (for HTTP) is often a prerequisite for ip http secure-server (for HTTPS) to function correctly.
show running-config | include ip http server

If ip http server is missing, add it:

configure terminal
ip http server
end
write memory

By disabling and re-enabling ip http secure-server, you're essentially giving the switch a kick to regenerate its internal SSL certificate based on the now-current RSA key, resolving the mismatch.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Rockyw | If it solves your problem, please mark as answer. Thanks !
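As an added example (not from this thread, and not a Cisco tool), the following Python check reads the trustpoint and HTTPS lines of `show running-config` together with the key names from `show crypto key mypubkey rsa` and reports the situations discussed above: the HTTPS server bound to no explicit trustpoint (the stale TP-self-signed case listen-ji hit), bound to a trustpoint whose `rsakeypair` label does not exist on the device, or not enabled at all. The sample inputs are constructed from the accepted answer's configuration, and the exact layout of the key listing is an assumption.

```python
import re
# Constructed sample (not from the page): the accepted answer's trustpoint and HTTPS lines as they appear in 'show running-config'.
RUNNING_CONFIG = """\
crypto pki trustpoint localtrust
 enrollment selfsigned
 ip-address 10.17.0.2
 subject-name CN=sw01.dc.acc,OU=it dept,O=test organization,c=CN
 rsakeypair http-key
!
ip http secure-server
ip http secure-trustpoint localtrust
"""
# Constructed sample of 'show crypto key mypubkey rsa' (layout assumed); only 'Key name:' lines are read.
KEY_LISTING = "Key name: http-key\nKey type: RSA KEYS\n Usage: General Purpose Key\n"

def parse_trustpoints(config):
    """Map each 'crypto pki trustpoint' block to its indented sub-commands."""
    tps, current = {}, None
    for line in config.splitlines():
        m = re.match(r"crypto pki trustpoint (\S+)", line)
        if m:
            current = m.group(1)
            tps[current] = {}
        elif line.startswith(" ") and current is not None:
            key, _, value = line.strip().partition(" ")
            tps[current][key] = value
        else:
            current = None  # '!' or any top-level command ends the block
    return tps

def audit_https_binding(config, key_listing):
    """Return findings that explain why HTTPS may still present a certificate for a stale key."""
    findings = []
    tps = parse_trustpoints(config)
    keys = set(re.findall(r"^Key name: (\S+)", key_listing, re.M))
    if not re.search(r"^ip http secure-server$", config, re.M):
        findings.append("ip http secure-server is not enabled")
    m = re.search(r"^ip http secure-trustpoint (\S+)", config, re.M)
    if not m:  # no explicit binding: IOS uses its auto-generated TP-self-signed trustpoint
        return findings + ["no ip http secure-trustpoint; HTTPS may still use the old key"]
    tp = m.group(1)
    if tp not in tps:
        return findings + [f"secure-trustpoint {tp} is not defined in the running config"]
    label = tps[tp].get("rsakeypair")
    if label is None:
        findings.append(f"trustpoint {tp} has no rsakeypair and falls back to the default key pair")
    elif label not in keys:
        findings.append(f"trustpoint {tp} uses rsakeypair {label}, which is not on the device")
    return findings
```

An empty result means the HTTPS server is bound to a trustpoint whose key pair actually exists; any finding points at the line to fix before bouncing `ip http secure-server`.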