03-01-2025 05:35 AM
Hi,
Has anyone come across this issue where a production Cisco C9200L-48P-4G WebUI shows the error below when the ip http secure-server command is configured, but the WebUI is accessible via the ip http server command?
(Switch URL) sent an invalid response.
Try running Windows Network Diagnostics.
I have compared it to another switch of the same make and model in production, in the same subnet and with the same firmware CAT9K_LITE_IOSXE 17.06.05. The WebUI is working for the other switch.
sw1# show run | sec http
no ip http server
ip http authentication local
ip http secure-server
ip http client source-interface Vlan199
destination transport-method http
sw1#
sw1# show run | sec aaa
aaa new-model
aaa authentication login default local
aaa authentication enable default enable
aaa authorization exec default local
aaa session-id common
sw1#
Both switches have the same commands as shown above, and the access-lists are also the same.
I want to upload the firmware via the WebUI, which I find much easier than the other methods.
I have also enabled TLS version 1.1 in IE and Chrome, but it still does not work.
sw1#show ip http server secure status
HTTP secure server status: Enabled
HTTP secure server port: 443
HTTP secure server ciphersuite: rsa-aes-cbc-sha2 rsa-aes-gcm-sha2
dhe-aes-cbc-sha2 dhe-aes-gcm-sha2 ecdhe-rsa-aes-cbc-sha2
ecdhe-rsa-aes-gcm-sha2 ecdhe-ecdsa-aes-gcm-sha2
HTTP secure server TLS version: TLSv1.2 TLSv1.1
HTTP secure server client authentication: Disabled
HTTP secure server PIV authentication: Disabled
HTTP secure server PIV authorization only: Disabled
HTTP secure server trustpoint: TP-self-signed-1505588799
HTTP secure server peer validation trustpoint:
HTTP secure server ECDHE curve: secp256r1
HTTP secure server active session modules: ALL
sw1#
Any advice will be greatly appreciated.
Many thanks
Faisal Mehmood
03-01-2025 11:26 AM
Maybe remove the config and try configuring it again:
03-01-2025 02:14 PM
Hi Balaji,
The doc you shared mentions configuring SSH with a new key pair in many different ways. I have a few questions regarding changing the config:
1:- Will I lose access and need console access to configure SSH?
2:- Do you want me to configure it like this?
hostname Switch1
ip domain-name example.com
ip ssh version 2
crypto key generate rsa label ssh-key modulus 2048
ip ssh rsa keypair-name ssh-key
ip ssh time-out 60
ip ssh authentication-retries 2
line vty 0 4
transport input ssh
show crypto key mypubkey rsa will show the new key pair named "ssh-key".
3:- Currently the switch is configured as below:
sw1#show ip ssh
SSH Enabled - version 2.0
Authentication methods:publickey,keyboard-interactive,password
Authentication Publickey Algorithms:x509v3-ssh-rsa,ssh-rsa,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,x509v3-ecdsa-sha2-nistp256,x509v3-ecdsa-sha2-nistp384,x509v3-ecdsa-sha2-nistp521,rsa-sha2-256,rsa-sha2-512
Hostkey Algorithms:x509v3-ssh-rsa,rsa-sha2-512,rsa-sha2-256,ssh-rsa
Encryption Algorithms:aes128-gcm,aes256-gcm,aes128-ctr,aes192-ctr,aes256-ctr
MAC Algorithms:hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
KEX Algorithms:ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1
Authentication timeout: 60 secs; Authentication retries: 5
Minimum expected Diffie Hellman key size : 2048 bits
IOS Keys in SECSH format(ssh-rsa, base64 encoded): (x.x.x.x.x.x.x.different-name)
Modulus Size : 2048 bits
sw1#
cbvh-lan-sw1#show crypto key mypubkey rsa
% Key pair was generated at: 20:33:48 BST Jun 20 2022
Key name: x.x.x.x.x.x.x.
Key type: RSA KEYS
Storage Device: private-config
Usage: General Purpose Key
Key is not exportable. Redundancy enabled.
Key Data:
% Key pair was generated at: 15:55:39 BST Jul 1 2022
Key name: SLA-KeyPair2
Key type: RSA KEYS
Storage Device: private-config
Usage: General Purpose Key
Key is exportable. Redundancy enabled.
Key Data:
% Key pair was generated at: 15:56:23 BST Jul 1 2022
Key name: SLA-KeyPair
Key type: RSA KEYS
Storage Device: private-config
Usage: General Purpose Key
Key is exportable. Redundancy enabled.
Key Data:
% Key pair was generated at: 17:48:40 BST May 28 2024
Key name: CISCO_IDEVID_SUDI
Key type: RSA KEYS
On Cryptographic Device: act2 (label=act2, key index=24)
Usage: General Purpose Key
Key is not exportable.
Key Data:
% Key pair was generated at: 17:48:43 BST May 28 2024
Key name: x.x.x.x.x..x.x.x.x.
Key type: RSA KEYS
Temporary key
Usage: Encryption Key
Key is not exportable.
Key Data:
cbvh-lan-sw1#
Many thanks
Faisal
03-01-2025 12:10 PM
Hello @fasalmehmood ,
Can you share the output of the command sho run | s crypto?
03-01-2025 01:29 PM
Hi LG,
Below is the output as per your request:
sw1#show run | sec crypto
crypto pki trustpoint SLA-TrustPoint
enrollment terminal
revocation-check crl
crypto pki trustpoint TP-self-signed-3023128935
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3023128935
revocation-check none
rsakeypair TP-self-signed-3023128935
crypto pki certificate chain SLA-TrustPoint
certificate ca 01
quit
crypto pki certificate chain TP-self-signed-3023128935
certificate self-signed 01
quit
crypto engine compliance shield disable
sw1#
Many thanks
03-01-2025 01:52 PM
I see from the command show ip http server secure status that the configured trustpoint for your HTTP server:
HTTP secure server trustpoint: TP-self-signed-1505588799
is set to a different trustpoint than the one you have in your configuration.
Can you issue the command ip http secure-trustpoint TP-self-signed-3023128935 in global config mode, so that the trustpoint configured for HTTP is the same as the one configured on the switch?
03-01-2025 01:59 PM
Hi LG,
I have configured it as per your request, but the issue still persists:
sw1#show ip http server secure status
HTTP secure server status: Enabled
HTTP secure server port: 443
HTTP secure server ciphersuite: rsa-aes-cbc-sha2 rsa-aes-gcm-sha2
dhe-aes-cbc-sha2 dhe-aes-gcm-sha2 ecdhe-rsa-aes-cbc-sha2
ecdhe-rsa-aes-gcm-sha2 ecdhe-ecdsa-aes-gcm-sha2
HTTP secure server TLS version: TLSv1.2 TLSv1.1
HTTP secure server client authentication: Disabled
HTTP secure server PIV authentication: Disabled
HTTP secure server PIV authorization only: Disabled
HTTP secure server trustpoint: TP-self-signed-3023128935
HTTP secure server peer validation trustpoint:
HTTP secure server ECDHE curve: secp256r1
HTTP secure server active session modules: ALL
sw1#
03-01-2025 02:09 PM
Can you also add the command in global config mode
ip http tls-version TLSv1.3
and check again.
03-01-2025 02:17 PM
Hi LG,
There is no option to configure TLS version 1.3:
sw1(config)#ip http tls-version TLSv?
TLSv1.0 TLSv1.1 TLSv1.2
03-01-2025 03:10 PM
Hi Guys,
I have finally figured out the solution to this issue.
******Configuration changes are required********
1:- Remove the TP-self-signed as shown below
sw1(config)#no crypto pki trustpoint TP-self-signed-3023128935
% Removing an enrolled trustpoint will destroy all certificates
received from the related Certificate Authority.
Are you sure you want to do this? [yes/no]: yes
% Be sure to ask the CA administrator to revoke your certificates.
2:- Verify
sw1(config)#do show run | inc crypto
crypto pki trustpoint SLA-TrustPoint
crypto pki certificate chain SLA-TrustPoint
crypto engine compliance shield disable
3:- Disable both http and http secure-server
sw1(config)#no ip http server
sw1(config)#no ip http secure-server
4:- Enable one of them accordingly
sw1(config)#ip http secure-server
sw1(config)#exit
5:- Verify & save configuration
sw1#show run | inc crypto
crypto pki trustpoint SLA-TrustPoint
crypto pki trustpoint TP-self-signed-3023128935
crypto pki certificate chain SLA-TrustPoint
crypto pki certificate chain TP-self-signed-3023128935
crypto engine compliance shield disable
sw1#wr
6:- Test and it should work now
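As an added check (example code written here, not from the thread, Cisco or IOS-XE), this script does over the posted outputs what LG did by eye: it confirms the trustpoint referenced by the HTTPS server actually exists in the running-config and has a certificate chain, and it flags the legacy TLS versions still enabled. The sample text is constructed from the values posted in this thread.

```python
import re

# Constructed sample: the relevant lines of the outputs posted earlier in the thread.
SECURE_STATUS = """\
HTTP secure server status: Enabled
HTTP secure server port: 443
HTTP secure server TLS version: TLSv1.2 TLSv1.1
HTTP secure server trustpoint: TP-self-signed-1505588799
"""

RUN_CRYPTO = """\
crypto pki trustpoint SLA-TrustPoint
 enrollment terminal
 revocation-check crl
crypto pki trustpoint TP-self-signed-3023128935
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3023128935
 revocation-check none
 rsakeypair TP-self-signed-3023128935
crypto pki certificate chain SLA-TrustPoint
crypto pki certificate chain TP-self-signed-3023128935
"""

def http_trustpoint(status_text):
    # Trustpoint the HTTPS server is bound to ("" when the field is empty).
    m = re.search(r"^HTTP secure server trustpoint:[ \t]*(\S*)", status_text, re.M)
    return m.group(1) if m else ""

def configured_trustpoints(run_text):
    return set(re.findall(r"^crypto pki trustpoint (\S+)", run_text, re.M))

def cert_chains(run_text):
    # Trustpoints that actually hold a certificate (self-signed or CA-issued).
    return set(re.findall(r"^crypto pki certificate chain (\S+)", run_text, re.M))

def tls_versions(status_text):
    m = re.search(r"^HTTP secure server TLS version:[ \t]*(.*)$", status_text, re.M)
    return m.group(1).split() if m else []

def audit(status_text, run_text):
    findings = []
    tp = http_trustpoint(status_text)
    if tp and tp not in configured_trustpoints(run_text):
        findings.append(f"HTTPS server references trustpoint {tp}, which is not in the running-config")
    elif tp and tp not in cert_chains(run_text):
        findings.append(f"trustpoint {tp} has no certificate chain; re-enable ip http secure-server")
    for v in tls_versions(status_text):
        if v in ("TLSv1.0", "TLSv1.1"):
            findings.append(f"legacy {v} enabled; restrict with: ip http tls-version TLSv1.2")
    return findings
```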
03-02-2025 12:06 PM
I'm glad you were able to resolve the issue. That was my next step to remove it if you configured SSH as I mentioned in my steps.