Solved: Re: Certificate Problem isr1100

murmucka · ‎05-08-2023

Hallo,

since ios upgraded to

17.11 on C1111

router, i continously receive

syslog

error messages:

RSA keypair HTTPS_SS_CERT_KEYPAIR

is in violation of Cisco security compliance guidelines and will be rejected.

How can i delte and re-generate this keypair? I think its hor https server, or? Thank you.

Key name: HTTPS_SS_CERT_KEYPAIR
Key type: RSA KEYS 768 bits
Storage Device: private-config
Usage: General Purpose Key
Key is not exportable. Redundancy enabled.
Key Data: -removed-

pieterh · ‎05-08-2023

768 bits key is nowadays considered too weak-> create new RSA-keys suitable for this IOS version
Security Configuration Guide, Cisco IOS XE Dublin 17.11.x (Catalyst 9300 Switches) - Configuring Secure Socket Layer HTTP [Support] - Cisco

crypto key generate rsa

(Optional) Generates an RSA key pair. RSA key pairs are required before you can obtain a certificate for the switch. RSA key pairs are generated automatically. You can use this command to regenerate the keys, if needed.

when new keys are generated you can issue aditional steps
read the document in the link for additional commands to use certificates

View solution in original post

pieterh · ‎05-08-2023

768 bits key is nowadays considered too weak-> create new RSA-keys suitable for this IOS version
Security Configuration Guide, Cisco IOS XE Dublin 17.11.x (Catalyst 9300 Switches) - Configuring Secure Socket Layer HTTP [Support] - Cisco

crypto key generate rsa

(Optional) Generates an RSA key pair. RSA key pairs are required before you can obtain a certificate for the switch. RSA key pairs are generated automatically. You can use this command to regenerate the keys, if needed.

when new keys are generated you can issue aditional steps
read the document in the link for additional commands to use certificates

MHM Cisco World · ‎05-08-2023

Key type:

RSA KEYS 768 bits

<<- to weak, change it to 1024