crypto pki certificates - quick question

Hey all, just a quick question in regards to the crypto certificate keys. I notice on our DMVPN routers, a large hexadecimal key shows up.

For example:

crypto pki certificate chain TP-self-signed-708137789
 certificate self-signed 01
  3082024D 308201B6 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  30312E30 2C060355 04031325 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 37303831 33373738 39301E17 0D313231 31313331 39323230
  375A170D 32303031 30313030 30303030 5A303031 2E302C06 03550403 1325494F
  532D5365 6C662D53 69676E65 642D4365 72746966 69636174 652D3730 38313337
  37383930 819F300D 06092A86 4886F70D 01010105 0003818D 00308189 02818100
  B6C79947 3412D002 025566ABF2C7A830 .................
  quit

What is this key? Is this associated to the hub and spoke VPN authentication?

1 ACCEPTED SOLUTION

Hall of Fame Master

Re: crypto pki certificates - quick question

The self signed certificate may be associated with DMVPN but it can also be associated with other things. For example, if you configure ip http secure-server it will cause a self signed certificate to be generated.

HTH

Rick


7 REPLIES 7
Beginner

Re: crypto pki certificates - quick question

Hey everyone, I just re-read this question and noticed I need to make it a bit more clear.

What I meant to say was that I know this is an authentication hash between hub and spoke, but when does this show up on the configuration?

Say I set up a brand new DMVPN router (spoke) and let it run. I can log onto it remotely and do sh run and never see this hash. But then all of a sudden one day it shows up... why?

Hall of Fame Expert

crypto pki certificates - quick question

Hello Ricky,

the long sequence of hexadecimal digits is actually the certificate itself.

Once the certificate is generated, and this happens locally on the router in general (self-signed), it is shown in the configuration.

The new DMVPN spoke router might have used a shared password at the beginning to connect to the hub instead of a certificate.

Hope to help

Giuseppe
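
The reply above says the hex digits are the certificate itself. As an added example (not part of the original thread), this Python code turns the hex from the question into DER bytes and reads the issuer, subject and validity dates out of it; the function names are hypothetical, and the final partial line of the excerpt is left out because the page elides the rest of the blob.

```python
import re
from datetime import datetime

# Excerpt copied from the question above; the page elides the rest of the blob.
IOS_CONFIG = """\
crypto pki certificate chain TP-self-signed-708137789
 certificate self-signed 01
  3082024D 308201B6 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  30312E30 2C060355 04031325 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 37303831 33373738 39301E17 0D313231 31313331 39323230
  375A170D 32303031 30313030 30303030 5A303031 2E302C06 03550403 1325494F
  532D5365 6C662D53 69676E65 642D4365 72746966 69636174 652D3730 38313337
  37383930 819F300D 06092A86 4886F70D 01010105 0003818D 00308189 02818100
  quit
"""

def ios_hex_to_der(config):
    """Join the hex words between the 'certificate ...' line and 'quit'."""
    words, inside = [], False
    for line in map(str.strip, config.splitlines()):
        if line.startswith("certificate ") or line == "quit":
            inside = line != "quit"
        elif inside:                         # skips non-hex filler such as '....'
            words += re.findall(r"\b(?:[0-9A-Fa-f]{2})+\b", line)
    return bytes.fromhex("".join(words))

def walk(der, pos=0, end=None):
    """Yield (tag, content) per primitive element; lengths are clamped (truncated input)."""
    end = len(der) if end is None else min(end, len(der))
    while pos + 2 <= end:
        tag, length, pos = der[pos], der[pos + 1], pos + 2
        if length & 0x80:                    # long form: next n bytes hold the length
            n = length & 0x7F
            length = int.from_bytes(der[pos:pos + n], "big")
            pos += n
        stop = min(pos + length, end)
        if tag & 0x20:                       # constructed: SEQUENCE, SET, [0]
            yield from walk(der, pos, stop)
        else:
            yield tag, der[pos:stop]
        pos = stop

def summarize(config):
    """Return the readable name and validity fields (datetimes are UTC, naive)."""
    items = list(walk(ios_hex_to_der(config)))
    names = [v.decode("ascii") for t, v in items if t == 0x13]    # PrintableString
    times = [datetime.strptime(v.decode(), "%y%m%d%H%M%SZ") for t, v in items if t == 0x17]
    return {"issuer_cn": names[0], "subject_cn": names[1],
            "not_before": times[0], "not_after": times[1]}
```

`summarize(IOS_CONFIG)` returns the same common name, `IOS-Self-Signed-Certificate-708137789`, for issuer and subject, with validity from 2012-11-13 19:22:07 UTC to 2020-01-01 00:00:00 UTC.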

Beginner

crypto pki certificates - quick question

Hi Giuseppe, thanks for your reply. So what causes this certificate to generate? Does it just happen randomly?

Hall of Fame Expert

crypto pki certificates - quick question

Hello Ricky,

not randomly for sure, but when the router is configured to generate a certificate, I guess.

I'm sorry but there are not enough details to tell something more meaningful.

Hope to help

Giuseppe


Beginner

crypto pki certificates - quick question

Thanks Richard. You are correct. I did some tests and the certificate only shows up when I have ip http secure-server turned on. Thanks again.

Beginner

Re: crypto pki certificates - quick question

Is that a vulnerability if someone finds your old router and the PKI hex is visible?
