7535 Views | 30 Helpful | 5 Replies

ip http secure-server Failed to generate persistent self-signed cert

mayur.potdar (Level 1)

Hello,

I have a brand new IE4000 industrial switch. I have created RSA keys on the switch:

 

#ip ssh rsa keypair-name SSHv2-Only
#crypto key generate rsa usage-keys label SSHv2-Only modulus 2048
#ip ssh version 2

 

I'm facing the following error.

NDOT_Omaha_EastB_I-8(config)#ip http secure-server
Failed to generate persistent self-signed certificate.
            Secure server will use temporary self-signed certificate.

 

I have checked the following as well:

NDOT_Omaha_East#sh crypto pki cert
CA Certificate
Status: Available
Certificate Serial Number (hex): 019A335878CE16C1C1
Certificate Usage: Signature
Issuer:
cn=Cisco Root CA 2099
o=Cisco
Subject:
cn=Cisco Root CA 2099
o=Cisco
Validity Date:
start date: 15:58:28 CDT Aug 9 2016
end date: 14:58:28 CST Aug 9 2099
Associated Trustpoints: CISCO_IDEVID_SUDI0

Certificate
Status: Available
Certificate Serial Number (hex): 0740771567306479552F
Certificate Usage: General Purpose
Issuer:
o=Cisco
cn=High Assurance SUDI CA
Subject:
Name: IE-4000-8GS4G-E
Serial Number: PID:IE-4000-8GS4G-E SN:FDO2602J0Z6
cn=IE-4000-8GS4G-E
ou=ACT-2 Lite SUDI
o=Cisco
serialNumber=PID:IE-4000-8GS4G-E SN:FDO2602J0Z6
Validity Date:
start date: 16:14:55 CST Jan 2 2022
end date: 14:58:26 CST Aug 9 2099
Associated Trustpoints: CISCO_IDEVID_SUDI

CA Certificate
Status: Available
Certificate Serial Number (hex): 0A6475524CD8617C62
Certificate Usage: Signature
Issuer:
cn=Cisco Root CA 2099
o=Cisco
Subject:
o=Cisco
cn=High Assurance SUDI CA
CRL Distribution Points:
http://www.cisco.com/security/pki/crl/crca2099.crl
Validity Date:
start date: 15:28:08 CDT Aug 11 2016
end date: 14:58:27 CST Aug 9 2099
Associated Trustpoints: CISCO_IDEVID_SUDI


NDOT_Omaha_East#sh crypto pki trustpoints
Trustpoint CISCO_IDEVID_SUDI:
Subject Name:
o=Cisco
cn=High Assurance SUDI CA
Serial Number (hex): 0A6475524CD8617C62
Certificate configured.


Trustpoint CISCO_IDEVID_SUDI0:
Subject Name:
cn=Cisco Root CA 2099
o=Cisco
Serial Number (hex): 019A335878CE16C1C1
Certificate configured.

 

NDOT_Omaha_East#$sh crypto key pubkey-chain rsa
Codes: M - Manually configured, C - Extracted from certificate

Code Usage IP-Address/VRF Keyring Name
C Signing default cn=Cisco Root CA M2,o=Cisco
C Signing default cn=Cisco Manufacturing CA SHA2,o=Cisco
C Signing default cn=Cisco Licensing Root CA,o=Cisco
C Signing default cn=Cisco RXC-R2,o=Cisco Systems,c=US
C Signing default o=Cisco,cn=High Assurance SUDI CA
C Signing default cn=Cisco Root CA 2099,o=Cisco

 

 

Why is it not generating a persistent self-signed certificate?

 

Thank you,

Mayur Potdar

5 Replies

Hello,

 

Just to be sure, did you configure a hostname and domain name?

Yes, I did. Note: This switch is not in production yet.

marce1000 (Hall of Fame)

 

- Check the hints from this thread: https://community.cisco.com/t5/switching/3560cx-failed-to-generate-persistent-self-signed-certificate/td-p/4096726

 M.



-- Each morning when I wake up and look into the mirror I always say 'Why am I so brilliant?'
    When the mirror will then always respond to me with 'The only thing that exceeds your brilliance is your beauty!'

Hi, 

 

I actually followed the same reference page, but I ended up in the same way. No luck yet.

 

Thanks 

Hi, 

I have used the following commands

#sh ip http server status

 

HTTP server status: Enabled
HTTP server port: 80
HTTP server authentication method: enable
HTTP server access class: 0
HTTP server base path: sdflash:/ie4000-universalk9-mz.152-7.E2/html
HTTP server help root:
Maximum number of concurrent server connections allowed: 16
Maximum number of secondary server connections allowed: 5
Server idle time-out: 180 seconds
Server life time-out: 180 seconds
Server session idle time-out: 180 seconds
Maximum number of requests allowed on a connection: 25
HTTP server active session modules: NONE
HTTP secure server capability: Present
HTTP secure server status: Enabled
HTTP secure server port: 443
HTTP secure server ciphersuite: aes-128-cbc-sha aes-256-cbc-sha
dhe-aes-128-cbc-sha edche-rsa-aes-256-cbc-sha
HTTP secure server TLS version: TLSv1.2 TLSv1.1
HTTP secure server client authentication: Disabled
HTTP secure server trustpoint:
HTTP secure server active session modules: NONE

 

Trustpoint is missing.

-------------------------------------------------------------------------------------

NDOT_Omaha_EastB_I-8(config)#ip http secure-server
% Generating 1024 bit RSA keys, keys will be non-exportable...
[OK] (elapsed time was 2 seconds)
           Failed to generate persistent self-signed certificate.
           Secure server will use temporary self-signed certificate.

 

------------------------------------------------------------------------------------------------

#sh ver


Switch    Ports      Model                           SW Version               SW Image
------   -----      ----------------     ----------               ----------
* 1          12        IE-4000-8GS4G-E         15.2(7)E2               IE4000-UNIVERSALK9-M

------------------------------------------------------------------------------------

 

#sh crypto pki cert
CA Certificate
Status: Available
Certificate Serial Number (hex): 019A335878CE16C1C1
Certificate Usage: Signature
Issuer:
cn=Cisco Root CA 2099
o=Cisco
Subject:
cn=Cisco Root CA 2099
o=Cisco
Validity Date:
start date: 15:58:28 CDT Aug 9 2016
end date: 14:58:28 CST Aug 9 2099
Associated Trustpoints: CISCO_IDEVID_SUDI0

Certificate
Status: Available
Certificate Serial Number (hex): 0740771567306479552F
Certificate Usage: General Purpose
Issuer:
o=Cisco
cn=High Assurance SUDI CA
Subject:
Name: IE-4000-8GS4G-E
Serial Number: PID:IE-4000-8GS4G-E SN:FDO2602J0Z6
cn=IE-4000-8GS4G-E
ou=ACT-2 Lite SUDI
o=Cisco
serialNumber=PID:IE-4000-8GS4G-E SN:FDO2602J0Z6
Validity Date:
start date: 16:14:55 CST Jan 2 2022
end date: 14:58:26 CST Aug 9 2099
Associated Trustpoints: CISCO_IDEVID_SUDI

CA Certificate
Status: Available
Certificate Serial Number (hex): 0A6475524CD8617C62
Certificate Usage: Signature
Issuer:
cn=Cisco Root CA 2099
o=Cisco
Subject:
o=Cisco
cn=High Assurance SUDI CA
CRL Distribution Points:
http://www.cisco.com/security/pki/crl/crca2099.crl
Validity Date:
start date: 15:28:08 CDT Aug 11 2016
end date: 14:58:27 CST Aug 9 2099
Associated Trustpoints: CISCO_IDEVID_SUDI


NDOT_Omaha_EastB_I-80_108th_St_RP_446.26_Cam_142.244.132#h crypto pki trustpoints
Trustpoint CISCO_IDEVID_SUDI:
Subject Name:
o=Cisco
cn=High Assurance SUDI CA
Serial Number (hex): 0A6475524CD8617C62
Certificate configured.


Trustpoint CISCO_IDEVID_SUDI0:
Subject Name:
cn=Cisco Root CA 2099
o=Cisco
Serial Number (hex): 019A335878CE16C1C1
Certificate configured.

 

I have configured a hostname and domain name as well.

 

Why is this IE4000 not generating a certificate? Can anyone help me?

 

Thank you.
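The "HTTP secure server trustpoint:" line in the status output above is empty, which means the HTTPS server is relying on a certificate IOS generates on its own and, as the error says, falls back to a temporary one that is regenerated on every reload (so browsers and monitoring tools see a different certificate after each reboot). The generic IOS way to avoid depending on that automatic generation is to define a self-signed trustpoint explicitly and bind the HTTPS server to it. The configuration below is an added example for this thread, not something posted by the original poster or by Cisco; the trustpoint name HTTPS-SELFSIGNED, the key label HTTPS-KEY and the subject name are assumed placeholders, and whether this works around the IE4000 failure reported here is not established by the thread.

```text
! Added example (not from the thread). Replace the placeholders in
! the subject-name with the switch's real hostname and domain name;
! "ip domain-name" must already be set, as the thread's replies note.
configure terminal
 ! Dedicated 2048-bit key pair for the HTTPS server (label is an assumption)
 crypto key generate rsa modulus 2048 label HTTPS-KEY
 ! Trustpoint that enrolls against itself, i.e. issues a self-signed certificate
 crypto pki trustpoint HTTPS-SELFSIGNED
  enrollment selfsigned
  subject-name CN=SWITCH-HOSTNAME.example.local
  rsakeypair HTTPS-KEY
  revocation-check none
 exit
 ! Generate the certificate now; it is stored with the configuration
 crypto pki enroll HTTPS-SELFSIGNED
 ! Bind the HTTPS server to that trustpoint instead of the automatic cert
 ip http secure-trustpoint HTTPS-SELFSIGNED
 ip http secure-server
end
! Persist the certificate and keys across reloads
write memory
! Verification: the trustpoint line should now name HTTPS-SELFSIGNED
show ip http server status
show crypto pki certificates HTTPS-SELFSIGNED
```

After a reload, running "show crypto pki certificates HTTPS-SELFSIGNED" again and comparing the serial number against the value recorded before the reload confirms the certificate is persistent; if the serial changes, the switch is still generating a temporary certificate and the configuration was not saved or the trustpoint binding did not take effect.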