11-28-2012 02:11 PM - edited 03-04-2019 06:15 PM
Hey all, just a quick question in regards to the crypto certificate keys. I notice on our DMVPN routers, a large hexadecimal key shows up.
For example:
crypto pki certificate chain TP-self-signed-708137789
certificate self-signed 01
3082024D 308201B6 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
30312E30 2C060355 04031325 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 37303831 33373738 39301E17 0D313231 31313331 39323230
375A170D 32303031 30313030 30303030 5A303031 2E302C06 03550403 1325494F
532D5365 6C662D53 69676E65 642D4365 72746966 69636174 652D3730 38313337
37383930 819F300D 06092A86 4886F70D 01010105 0003818D 00308189 02818100
B6C79947 3412D002 025566ABF2C7A830 .................
quit
What is this key? Is this associated to the hub and spoke VPN authentication?
11-29-2012 12:09 PM
Hey everyone, I just re-read this question and noticed I need to make it a bit more clear.
What I meant to say was that I know this is an authentication hash between hub and spoke, but when does this show up in the configuration?
Say I set up a brand new DMVPN router (spoke) and let it run. I can log onto it remotely and do sh run and never see this hash. But then all of a sudden one day it shows up... why?
11-30-2012 01:40 AM
Hello Ricky,
the long sequence of hexadecimal digits is actually the certificate itself.
Once the certificate is generated, and this happens locally on the router in general (self-signed), it is shown in the configuration.
The new DMVPN spoke router might have used a shared password at the beginning to connect to the hub instead of a certificate.
Hope to help
Giuseppe
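Decoding the hex rows quoted in the question shows what the reply above describes: the dump is a DER-encoded X.509 certificate. This is an added example, not part of the original thread; the function names and the small OID table are this example's own, and only the complete rows from the question are used, so the walker is written to tolerate the truncated tail.

```python
# Complete rows copied from the "certificate self-signed 01" block in the
# question; the post cuts off the remaining rows, so the DER is truncated.
IOS_HEX = """
3082024D 308201B6 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
30312E30 2C060355 04031325 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 37303831 33373738 39301E17 0D313231 31313331 39323230
375A170D 32303031 30313030 30303030 5A303031 2E302C06 03550403 1325494F
532D5365 6C662D53 69676E65 642D4365 72746966 69636174 652D3730 38313337
37383930 819F300D 06092A86 4886F70D 01010105 0003818D 00308189 02818100
"""

# DER-encoded OID values that occur in this certificate -> readable name
OIDS = {bytes.fromhex("2a864886f70d010104"): "md5WithRSAEncryption",
        bytes.fromhex("2a864886f70d010101"): "rsaEncryption",
        bytes.fromhex("550403"): "commonName"}

def walk(data, pos=0, end=None, depth=0, out=None):
    """Walk DER tag-length-value triplets; returns (depth, tag, value) tuples."""
    out = [] if out is None else out
    end = len(data) if end is None else min(end, len(data))  # clamp: input is cut short
    while pos + 2 <= end:
        tag, length = data[pos], data[pos + 1]
        pos += 2
        if length & 0x80:                      # long-form length
            n = length & 0x7F
            if pos + n > end:
                break
            length = int.from_bytes(data[pos:pos + n], "big")
            pos += n
        if tag & 0x20:                         # constructed: descend
            out.append((depth, tag, None))
            walk(data, pos, pos + length, depth + 1, out)
        else:                                  # primitive: keep (possibly truncated) value
            out.append((depth, tag, data[pos:pos + length]))
        pos += length
    return out

def summarize(hex_text):
    items = walk(bytes.fromhex("".join(hex_text.split())))
    names = [v.decode("ascii") for _, t, v in items if t == 0x13]  # PrintableString
    times = [v.decode("ascii") for _, t, v in items if t == 0x17]  # UTCTime
    oids = [OIDS.get(v, v.hex()) for _, t, v in items if t == 0x06]
    return {"issuer_cn": names[0], "subject_cn": names[1],
            "not_before": times[0], "not_after": times[1],
            "sig_alg": oids[0], "key_alg": oids[-1]}

if __name__ == "__main__":
    for field, value in summarize(IOS_HEX).items():
        print(f"{field:12} {value}")
```

The decoded fields are an issuer and subject name, a validity period and an RSA public key; an X.509 certificate structure has no private-key field.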
11-30-2012 07:03 AM
Hi Giuseppe, thanks for your reply. So what causes this certificate to generate? Does it just happen randomly?
11-30-2012 08:33 AM
Hello Ricky,
not randomly for sure, but when the router is configured to generate a certificate, I guess.
I'm sorry but there are not enough details to tell something more meaningful.
Hope to help
Giuseppe
12-01-2012 09:02 AM
The self signed certificate may be associated with DMVPN but it can also be associated with other things. For example, if you configure ip http secure-server it will cause a self signed certificate to be generated.
HTH
Rick
12-02-2012 07:55 AM
Thanks Richard. You are correct. I did some tests and the certificate only shows up when I have ip http secure-server turned on. Thanks again.
11-08-2019 02:30 PM
Is that a vulnerability if someone finds your old router and the PKI hex is visible?