How to see crypto certificate in running-config

AllezLom63194
Level 1

Hi community,

I have 2 ASR1001-X with the same IOS version, and both have

crypto pki trustpoint TP-self-signed-XXXXXXX

....

and

crypto pki certificate chain TP-self-signed-XXXX.

 

When I do a sh run on the first one I can see the crypto pki certificate in hex format, but not on the second one.

 

What is the way to see it?

 

For example:

crypto pki certificate chain TP-self-signed-396455978
certificate self-signed 01
3082032E 30820216 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
30312E30 2C060355 04031325 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 33393634 35353937 38301E17 0D313931 32313830 38333135

.......

 

Thanks in advance.

6 Replies

Muhammad Zahid
Level 1

To display the RSA public keys of your router/firewall, use the show crypto key mypubkey rsa command in privileged EXEC mode.

Please Rate Posts (by clicking on Star) and/or Mark Solutions as Accepted, when applies

Thank you for your response but it is not what I need.

 

In fact, this command shows other certificates.

 

I just want to see the certificate chain like on the first router when I do a show running-config.

 

Regards.

Muhammad Zahid
Level 1

If "show running-config | begin crypto" doesn't show any self-signed certificate, then it means the certificate is not available on that device. Try adding a new self-signed certificate and see whether it is reflected in your running configuration.

You can generate a self-signed certificate using this set of commands.


ip domain name ccie.study.com

ip http secure-server

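The check discussed in this thread, comparing which trustpoints actually have a certificate stored in the running configuration, can be scripted offline against saved `show running-config` output. The following is an added example, not code from the thread or from Cisco; the function names are hypothetical, the sample configuration is constructed, and it assumes one certificate per `crypto pki certificate chain` block.

```python
import re

# Constructed "show running-config" excerpt; the hex body is a made-up
# 10-byte DER SEQUENCE, not a real certificate.
SAMPLE_CONFIG = """\
crypto pki trustpoint TP-self-signed-1111111111
crypto pki trustpoint TP-self-signed-2222222222
!
crypto pki certificate chain TP-self-signed-1111111111
 certificate self-signed 01
  30080201 01020102 0500
  quit
crypto pki certificate chain TP-self-signed-2222222222
"""

def extract_chains(config):
    """Map each certificate chain name to the bytes of its hex dump."""
    chains, current = {}, None
    for line in map(str.strip, config.splitlines()):
        m = re.match(r"crypto pki certificate chain (\S+)", line)
        compact = line.replace(" ", "")
        if m:
            current = m.group(1)
            chains[current] = b""
        elif current and re.fullmatch(r"(?:[0-9A-Fa-f]{2})+", compact):
            chains[current] += bytes.fromhex(compact)
        elif not line.startswith(("certificate", "quit")):
            current = None  # left the chain block
    return chains

def der_total_length(der):
    """Header + body length declared by the outer DER SEQUENCE, else None."""
    if len(der) < 2 or der[0] != 0x30:
        return None
    if der[1] < 0x80:                       # short-form length
        return 2 + der[1]
    n = der[1] & 0x7F                       # long form: n length bytes follow
    if n == 0 or len(der) < 2 + n:
        return None
    return 2 + n + int.from_bytes(der[2:2 + n], "big")

def audit(config):
    """Classify each trustpoint's certificate as missing, truncated or complete."""
    chains = extract_chains(config)
    report = {}
    for name in re.findall(r"^crypto pki trustpoint (\S+)", config, re.M):
        der = chains.get(name, b"")
        ok = der_total_length(der) == len(der)
        report[name] = "complete" if der and ok else "truncated" if der else "missing"
    return report
```

By the same length calculation, the first word of the dump quoted in the question, `3082032E`, declares a certificate of 818 bytes in total.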

Hi Muhammad,

 

When I issue the command I get a failure message, as you can see below:

 

RTR-DC-01(config)#ip http secure-server
Failed to generate persistent self-signed certificate.
Secure server will use temporary self-signed certificate.

 

The problem is certainly here. Now I have to find why.

Regards.

Do you have an updated IOS?

There are some known bugs in old IOS; give it a try after updating IOS.

 

Reference:

 

https://www.cisco.com/c/en/us/support/docs/security-vpn/public-key-infrastructure-pki/215118-ios-self-signed-certificate-expiration-o.html


Muhammad,

 

You may be right, but I have the same router with the same IOS that shows me the certificate chain. I don't think that the IOS version is the cause of my problem.

 

I'm on the 16.06.07 IOS version. The last version suggested by Cisco.

 

Regards.