
Enable SSH Without IP Domain-name, just enable IP HTTP secure-server

Hadi222
Level 1

Dear Colleagues,

I have a Cisco Catalyst 2960-X Series.

I want to enable SSH just by doing enable IP HTTP secure-server.
In this case the crypto pki trustpoint was already generated using enable IP HTTP secure-server, but SSH is actually still disabled.
How do I enable SSH using IP HTTP Secure-Server, or how do I regenerate the crypto pki trustpoint using IP HTTP secure-server?

7 Replies

Hadi222
Level 1

Error when I try to renew the crypto PKI trustpoint:


"Failed to generate persistent self-signed certificate.
Secure server will use temporary self-signed certificate"

Richard Burts
Hall of Fame

There are perhaps several parts of the issue that you ask about. I think that probably the most important one is related to the title of this post, "without ip domain-name". Why do you want to not use ip domain-name? SSH access and secure server access require generation of an encryption key. And by default generating a permanent (persistent) key requires having domain name configured. If domain name is not configured then a temporary key is generated (and a temporary self-signed certificate). If you want a permanent self-signed certificate then I suggest that you need to configure domain name.

HTH

Rick

enable SSH using IP HTTP Secure-Server or how to regenerate crypto pki trustpoint using IP HTTP secure-server ?

First, SSH does not need a trustpoint; SSH needs a public key generated after you configure the domain.

Second, there is no relation between SSH and HTTP at all.

MHM

Hadi222
Level 1

Dear all,
the switch does not need a domain configured.
Just enable ip http secure-server and then generate the crypto pki trustpoint.
My switches do not need a domain configured.

Actually, the crypto pki trustpoint already exists,
but the SSH status is still disabled.

How do I enable SSH without configuring a domain?

Perhaps there is some confusion about what is going on, and we need some clarification. You mention SSH and mention IP HTTP secure-server as if they are the same thing. They are not the same. IP HTTP secure-server uses a web browser (not tcp port 22) encrypted session to manage the device. SSH connects to a vty port and uses an encrypted session to do things that might include managing the device.

IP HTTP secure-server does not require an RSA generated key. So you can manage the device without needing domain name. SSH does require an RSA generated key, and generating that key requires that domain name be configured. So to be able to use SSH you do need a domain name.

So which is important to you? Is it really using SSH to access the device or is it that you want an encrypted session to manage the device?

HTH

Rick

Hello
You can enable SSH without configuring a domain name by locally specifying a label when generating the crypto RSA key.

Example:
no ip domain-name
crypto key generate rsa label STAN general-keys modulus xxxx


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul
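
The labelled-key approach from the reply above, carried through to an SSH-only vty login, as an added example that is not part of the original thread. The label STAN comes from the reply; the 2048-bit modulus, the local user name, and the vty range are assumed values.

```cisco
! Added example, not from the thread. STAN is the label used in the reply;
! the modulus, user name and vty range are assumptions for illustration.
configure terminal
 ! No domain name is set; the key pair gets an explicit label instead of
 ! the default hostname.domain name.
 no ip domain-name
 crypto key generate rsa label STAN general-keys modulus 2048
 ! Tell the SSH server which key pair to use. Without this binding, SSH
 ! looks for the default key pair, which does not exist here.
 ip ssh rsa keypair-name STAN
 ip ssh version 2
 ! Local account for SSH logins (assumed name, placeholder secret).
 username admin secret <PLACEHOLDER-SECRET>
 ! Accept only SSH on the vty lines and authenticate against local users.
 line vty 0 4
  login local
  transport input ssh
 end
! Check that the SSH server is enabled and that the key pair exists.
show ip ssh
show crypto key mypubkey rsa
```

`ip http secure-server` keeps its own self-signed certificate and trustpoint; an existing trustpoint does not enable SSH, which is why `show ip ssh` can still report SSH as disabled until a key pair is bound as above.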