Command show crypto pki certificates at switch

Leftz (Level 4)

Hi, please see the output below. I am not sure why it has so many certificates or what they mean. Can anyone explain briefly or send a link? Thank you!

Note: Some serial numbers have already been changed for security reasons.


Switch10#show crypto pki certificates
Certificate
Status: Available
Certificate Serial Number (hex): 3C221
Certificate Usage: General Purpose
Issuer:
cn=Cisco Manufacturing CA SHA2
o=Cisco
Subject:
Name: WS-C3650-24PDM-3
Serial Number: PID:WS-C3650-24PDM SN:FDO
cn=WS-C3650-24PDM-380E
serialNumber=PID:WS-C3650-24PDM SN:FD
CRL Distribution Points:
http://www.cisco.com/security/pki/crl/cmca2.crl
Validity Date:
start date: 10:08:15 UTC Oct 27 2017
end date: 10:18:15 UTC Oct 27 2027
Associated Trustpoints: CISCO_IDEVID_SUDI

Certificate
Status: Available
Certificate Serial Number (hex): 2D1
Certificate Usage: General Purpose
Issuer:
cn=Cisco Manufacturing CA
o=Cisco Systems
Subject:
Name: WS-C3650-24PDM-380E4
Serial Number: PID:WS-C3650-24PD
cn=WS-C3650-24PDM-380E4D
serialNumber=PID:WS-C3650-24PD
CRL Distribution Points:
http://www.cisco.com/security/pki/crl/cmca.crl
Validity Date:
start date: 10:01:10 UTC Oct 27 2017
end date: 10:11:10 UTC Oct 27 2027
Associated Trustpoints: CISCO_IDEVID_SU

CA Certificate
Status: Available
Certificate Serial Number (hex): 02
Certificate Usage: Signature
Issuer:
cn=Cisco Root CA M2
o=Cisco
Subject:
cn=Cisco Manufacturing CA SHA2
o=Cisco
CRL Distribution Points:
http://www.cisco.com/security/pki/crl/crcam2.crl
Validity Date:
start date: 08:50:58 UTC Nov 12 2012
end date: 08:00:17 UTC Nov 12 2037
Associated Trustpoints: CISCO_IDEVID_SUDI Trustpool

CA Certificate
Status: Available
Certificate Serial Number (hex): 01
Certificate Usage: Signature
Issuer:
cn=Cisco Root CA M2
o=Cisco
Subject:
cn=Cisco Root CA M2
o=Cisco
Validity Date:
start date: 08:00:18 UTC Nov 12 2012
end date: 08:00:18 UTC Nov 12 2037
Associated Trustpoints: CISCO_IDEVID_SUDI0 Trustpool

CA Certificate
Status: Available
Certificate Serial Number (hex): 6A696
Certificate Usage: Signature
Issuer:
cn=Cisco Root CA 20
o=Cisco Systems
Subject:
cn=Cisco Manufacturing CA
o=Cisco Systems
CRL Distribution Points:
http://www.cisco.com/security/pki/crl/crca2048.crl
Validity Date:
start date: 17:16:01 UTC Jun 10 2005
end date: 15:25:42 UTC May 14 2029
Associated Trustpoints: CISCO_IDEVID_SUDI_LEGACY Trustpool

CA Certificate
Status: Available
Certificate Serial Number (hex): 5FF
Certificate Usage: Signature
Issuer:
cn=Cisco Root CA 204
o=Cisco Systems
Subject:
cn=Cisco Root CA 204
o=Cisco Systems
Validity Date:
start date: 15:17:12 UTC May 14 2004
end date: 15:25:42 UTC May 14 2029
Associated Trustpoints: CISCO_IDEVID_SUDI_LEGACY0 Trustpool

Router Self-Signed Certificate
Status: Available
Certificate Serial Number (hex): 01
Certificate Usage: General Purpose
Issuer:
cn=IOS-Self-Signed-Certificate-2334
Subject:
Name: IOS-Self-Signed-Certificate-2334
cn=IOS-Self-Signed-Certificate-23343
Validity Date:
start date: 11:39:38 UTC Nov 9 2018
end date: 19:00:00 UTC Dec 31 2019
Associated Trustpoints: TP-self-signed-233438
Storage: nvram:IOS-Self-Sig#1.cer

2 Replies

@Leftz already answered this question in your other post https://community.cisco.com/t5/network-security/tenable-message-report-some-vulnerability-at-some-switch/m-p/4563627


Search the config for the associated trustpoint name to determine what is referencing the trustpoint. Probably the web GUI and Smart Call Home certs.
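As an added example (not code from the poster or from Cisco), the script below does what the reply above suggests: it parses `show crypto pki certificates` records into issuer, subject, expiry and associated trustpoint names, then searches a running-config excerpt for each trustpoint name to show which features use that certificate, and flags self-signed and expired ones. The show output and config lines are constructed samples modelled on the post, and `parse_certs`, `trustpoint_references` and `audit` are this example's own names.

```python
import re
from datetime import datetime
# Constructed sample in the shape of the post's output (fields not used here omitted).
SHOW_PKI = """\
Certificate
  Issuer:
    cn=Cisco Manufacturing CA SHA2
  Subject:
    cn=WS-C3650-24PDM-380E
    end   date: 10:18:15 UTC Oct 27 2027
  Associated Trustpoints: CISCO_IDEVID_SUDI

Router Self-Signed Certificate
  Issuer:
    cn=IOS-Self-Signed-Certificate-2334
  Subject:
    cn=IOS-Self-Signed-Certificate-2334
    end   date: 19:00:00 UTC Dec 31 2019
  Associated Trustpoints: TP-self-signed-233438
"""
# Constructed running-config fragment of the kind the reply says to search.
RUNNING_CONFIG = """\
crypto pki trustpoint TP-self-signed-233438
ip http secure-trustpoint TP-self-signed-233438
"""

def parse_certs(text):
    """One dict per blank-line-separated record: first cn= is the issuer, second the subject."""
    certs = []
    for block in re.split(r"\n\s*\n", text.strip()):
        cns = re.findall(r"^\s*cn=(.+)$", block, re.M)
        end = re.search(r"^\s*end\s+date:\s*(.+)$", block, re.M)
        tps = re.search(r"^\s*Associated Trustpoints:(.*)$", block, re.M)
        certs.append({"issuer": cns[0], "subject": cns[1],
                      "not_after": datetime.strptime(end.group(1), "%H:%M:%S UTC %b %d %Y"),
                      "trustpoints": tps.group(1).split() if tps else []})
    return certs

def trustpoint_references(config, trustpoint):
    """Config lines naming the trustpoint (whole-word match): the features that use its certificate."""
    return [l.strip() for l in config.splitlines() if re.search(r"\b%s\b" % re.escape(trustpoint), l)]

def audit(show_output, config, today):
    """today: 'YYYY-MM-DD'. SUDI trustpoints are factory-installed and never appear in the config."""
    now = datetime.fromisoformat(today)
    return [{"subject": c["subject"], "self_signed": c["issuer"] == c["subject"],
             "expired": c["not_after"] < now,
             "references": {tp: trustpoint_references(config, tp) for tp in c["trustpoints"]}}
            for c in parse_certs(show_output)]
```

On the post's own output the same approach gives no config references for the CISCO_IDEVID_SUDI and CISCO_IDEVID_SUDI_LEGACY trustpoints (those are the manufacturing-installed device identity and its CA chain), while TP-self-signed-233438 is the one to look up; its certificate also expired at the end of 2019.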
