ip http secure-server Failed to generate persistent self-signed cert
02-25-2022 12:54 PM
Hello,
I have a brand new IE4000 industrial switch. I have created RSA on the switch:
#ip ssh rsa keypair-name SSHv2-Only
#crypto key generate rsa usage-keys label SSHv2-Only modulus 2048
#ip ssh version 2
I'm facing the following error.
NDOT_Omaha_EastB_I-8(config)#ip http secure-server
Failed to generate persistent self-signed certificate.
Secure server will use temporary self-signed certificate.
I have checked the following as well:
NDOT_Omaha_East#sh crypto pki cert
CA Certificate
Status: Available
Certificate Serial Number (hex): 019A335878CE16C1C1
Certificate Usage: Signature
Issuer:
cn=Cisco Root CA 2099
o=Cisco
Subject:
cn=Cisco Root CA 2099
o=Cisco
Validity Date:
start date: 15:58:28 CDT Aug 9 2016
end date: 14:58:28 CST Aug 9 2099
Associated Trustpoints: CISCO_IDEVID_SUDI0
Certificate
Status: Available
Certificate Serial Number (hex): 0740771567306479552F
Certificate Usage: General Purpose
Issuer:
o=Cisco
cn=High Assurance SUDI CA
Subject:
Name: IE-4000-8GS4G-E
Serial Number: PID:IE-4000-8GS4G-E SN:FDO2602J0Z6
cn=IE-4000-8GS4G-E
ou=ACT-2 Lite SUDI
o=Cisco
serialNumber=PID:IE-4000-8GS4G-E SN:FDO2602J0Z6
Validity Date:
start date: 16:14:55 CST Jan 2 2022
end date: 14:58:26 CST Aug 9 2099
Associated Trustpoints: CISCO_IDEVID_SUDI
CA Certificate
Status: Available
Certificate Serial Number (hex): 0A6475524CD8617C62
Certificate Usage: Signature
Issuer:
cn=Cisco Root CA 2099
o=Cisco
Subject:
o=Cisco
cn=High Assurance SUDI CA
CRL Distribution Points:
http://www.cisco.com/security/pki/crl/crca2099.crl
Validity Date:
start date: 15:28:08 CDT Aug 11 2016
end date: 14:58:27 CST Aug 9 2099
Associated Trustpoints: CISCO_IDEVID_SUDI
NDOT_Omaha_East#sh crypto pki trustpoints
Trustpoint CISCO_IDEVID_SUDI:
Subject Name:
o=Cisco
cn=High Assurance SUDI CA
Serial Number (hex): 0A6475524CD8617C62
Certificate configured.
Trustpoint CISCO_IDEVID_SUDI0:
Subject Name:
cn=Cisco Root CA 2099
o=Cisco
Serial Number (hex): 019A335878CE16C1C1
Certificate configured.
NDOT_Omaha_East#$sh crypto key pubkey-chain rsa
Codes: M - Manually configured, C - Extracted from certificate
Code Usage IP-Address/VRF Keyring Name
C Signing default cn=Cisco Root CA M2,o=Cisco
C Signing default cn=Cisco Manufacturing CA SHA2,o=Cisco
C Signing default cn=Cisco Licensing Root CA,o=Cisco
C Signing default cn=Cisco RXC-R2,o=Cisco Systems,c=US
C Signing default o=Cisco,cn=High Assurance SUDI CA
C Signing default cn=Cisco Root CA 2099,o=Cisco
Why is it not generating a persistent self-signed certificate?
Thank you,
Mayur Potdar
Labels: Network Management

02-25-2022 02:09 PM
Hello,
Just to be sure, did you configure a host and domain name?
02-25-2022 02:13 PM
Yes, I did. Note: This switch is not in production yet.
02-25-2022 10:33 PM
- Check hints from this thread: https://community.cisco.com/t5/switching/3560cx-failed-to-generate-persistent-self-signed-certificate/td-p/4096726
M.
-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
When the mirror will then always respond to me with ' The only thing that exceeds your brilliance is your beauty! '
02-28-2022 06:33 AM
Hi,
I actually followed the same reference page, but I ended up in the same way. No luck yet.
Thanks
02-28-2022 12:43 PM
Hi,
I have used the following commands:
#sh ip http server status
HTTP server status: Enabled
HTTP server port: 80
HTTP server authentication method: enable
HTTP server access class: 0
HTTP server base path: sdflash:/ie4000-universalk9-mz.152-7.E2/html
HTTP server help root:
Maximum number of concurrent server connections allowed: 16
Maximum number of secondary server connections allowed: 5
Server idle time-out: 180 seconds
Server life time-out: 180 seconds
Server session idle time-out: 180 seconds
Maximum number of requests allowed on a connection: 25
HTTP server active session modules: NONE
HTTP secure server capability: Present
HTTP secure server status: Enabled
HTTP secure server port: 443
HTTP secure server ciphersuite: aes-128-cbc-sha aes-256-cbc-sha
dhe-aes-128-cbc-sha edche-rsa-aes-256-cbc-sha
HTTP secure server TLS version: TLSv1.2 TLSv1.1
HTTP secure server client authentication: Disabled
HTTP secure server trustpoint:
HTTP secure server active session modules: NONE
Trust-point is missing.
-------------------------------------------------------------------------------------
NDOT_Omaha_EastB_I-8(config)#ip http secure-server
% Generating 1024 bit RSA keys, keys will be non-exportable...
[OK] (elapsed time was 2 seconds)
Failed to generate persistent self-signed certificate.
Secure server will use temporary self-signed certificate.
------------------------------------------------------------------------------------------------
#sh ver
Switch Ports Model SW Version SW Image
------ ----- ---------------- ---------- ----------
* 1 12 IE-4000-8GS4G-E 15.2(7)E2 IE4000-UNIVERSALK9-M
------------------------------------------------------------------------------------
#sh crypto pki cert
CA Certificate
Status: Available
Certificate Serial Number (hex): 019A335878CE16C1C1
Certificate Usage: Signature
Issuer:
cn=Cisco Root CA 2099
o=Cisco
Subject:
cn=Cisco Root CA 2099
o=Cisco
Validity Date:
start date: 15:58:28 CDT Aug 9 2016
end date: 14:58:28 CST Aug 9 2099
Associated Trustpoints: CISCO_IDEVID_SUDI0
Certificate
Status: Available
Certificate Serial Number (hex): 0740771567306479552F
Certificate Usage: General Purpose
Issuer:
o=Cisco
cn=High Assurance SUDI CA
Subject:
Name: IE-4000-8GS4G-E
Serial Number: PID:IE-4000-8GS4G-E SN:FDO2602J0Z6
cn=IE-4000-8GS4G-E
ou=ACT-2 Lite SUDI
o=Cisco
serialNumber=PID:IE-4000-8GS4G-E SN:FDO2602J0Z6
Validity Date:
start date: 16:14:55 CST Jan 2 2022
end date: 14:58:26 CST Aug 9 2099
Associated Trustpoints: CISCO_IDEVID_SUDI
CA Certificate
Status: Available
Certificate Serial Number (hex): 0A6475524CD8617C62
Certificate Usage: Signature
Issuer:
cn=Cisco Root CA 2099
o=Cisco
Subject:
o=Cisco
cn=High Assurance SUDI CA
CRL Distribution Points:
http://www.cisco.com/security/pki/crl/crca2099.crl
Validity Date:
start date: 15:28:08 CDT Aug 11 2016
end date: 14:58:27 CST Aug 9 2099
Associated Trustpoints: CISCO_IDEVID_SUDI
NDOT_Omaha_EastB_I-80_108th_St_RP_446.26_Cam_142.244.132#sh crypto pki trustpoints
Trustpoint CISCO_IDEVID_SUDI:
Subject Name:
o=Cisco
cn=High Assurance SUDI CA
Serial Number (hex): 0A6475524CD8617C62
Certificate configured.
Trustpoint CISCO_IDEVID_SUDI0:
Subject Name:
cn=Cisco Root CA 2099
o=Cisco
Serial Number (hex): 019A335878CE16C1C1
Certificate configured.
I have configured the hostname and domain as well.
Why is this IE4000 not generating a cert? Can anyone help me?
Thank you.
