279 Views | 0 Helpful | 3 Replies

2960x switches update key length

DrawnTogether
Level 1

I had a vulnerability scan done and our switches are showing a diffe 1024 key that needs to be replaced/updated. I am fairly new to Cisco and unsure what commands I need to run. I tried


enable
configure terminal
crypto key zeroize rsa
crypto key generate rsa modulus 2048
ip http secure-server
end
write memory

But it still returns the same results when I run an nmap scan on port 443. I tried to generate a new key, but I somehow broke HTTPS access, as it no longer loads now. I believe I created two keys by accident, and I tried to clear them, but I get this error.


hostname(config)#crypto key zeroize rsa
% All keys will be removed.
% All router certs issued using these keys will also be removed.
Do you really want to remove these keys? [yes/no]: yes
hostname(config)#no crypto pki trustpoint TP-self-signed-269872896
% Removing an enrolled trustpoint will destroy all certificates
received from the related Certificate Authority.

Are you sure you want to do this? [yes/no]: yes
% Be sure to ask the CA administrator to revoke your certificates.

hostname(config)#crypto key generate rsa label https-key modulus 2048
The name for the keys will be: https-key

% The key modulus size is 2048 bits
% Generating 2048 bit RSA keys, keys will be non-exportable...
[OK] (elapsed time was 6 seconds)

hostname(config)#crypto pki trustpoint myTrustpoint
hostname(ca-trustpoint)#enrollment selfsigned
hostname(ca-trustpoint)#subject-name CN=hostname.domain.local
hostname(ca-trustpoint)#rsakeypair https-key
hostname(ca-trustpoint)#crypto pki enroll myTrustpoint
% Include the router serial number in the subject name? [yes/no]: no
% Include an IP address in the subject name? [no]: no
Generate Self Signed Router Certificate? [yes/no]: yes
% Attempt to request a certificate failed: status = FAIL

I'm not sure what to do next.

3 Replies

marce1000
VIP

- Look into https://community.cisco.com/t5/switching/crypto-certificates/m-p/1034597#M71176
  and/or enable 'simple http' temporarily as a workaround.
  And/or use the CLI only for configuration tasks.

 M.



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always respond to me with ' The only thing that exceeds your brilliance is your beauty! '

DrawnTogether
Level 1

For now, HTTP is enabled if we need to get into the switch, and the CLI works fine. What I want to do is update the key length from 1024 to 2048 to mitigate a Nessus scan that was done. I removed the trust point and recreated it, and I go through all the steps, but once I get to enrolling the cert it fails.

configure terminal
no ip http secure-server
no crypto pki trustpoint TP-self-signed-2026679424
crypto key zeroize rsa
exit

configure terminal
crypto key generate rsa label TP-self-signed-269872896 modulus 2048
exit

configure terminal
crypto pki trustpoint TP-self-signed-269872896
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-269872896
revocation-check none
rsakeypair TP-self-signed-269872896
exit

crypto pki enroll TP-self-signed-269872896
% Include the router serial number in the subject name? [yes/no]: no
% Include an IP address in the subject name? [no]: no
Generate Self Signed Router Certificate? [yes/no]: yes
% Attempt to request a certificate failed: status = FAIL

I'm guessing I am out of date; I know the software is end of life, but is that really the cause?

Switch Ports Model SW Version SW Image
------ ----- ----- ---------- ----------
* 1 52 WS-C2960X-48LPS-L 15.2(2)E7 C2960X-UNIVERSALK9-M
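Both of the poster's messages verify the result from the outside with an nmap scan of port 443. The script below is an added example (mine, not code from the thread or from Cisco) of a more direct check for that purpose: it pulls the leaf certificate from the switch's HTTPS listener, walks the DER to the RSA modulus and reports its size, so a regenerated 2048-bit key can be confirmed without guessing from scanner output. The host `192.0.2.10` is a placeholder, the minimal DER walker and the constructed SubjectPublicKeyInfo used for the offline demo are my own, and the OID and structure are standard X.509 (RFC 5280 / RFC 3279).

```python
"""Report the RSA modulus size behind a TLS listener (added example, not from the thread)."""
import socket
import ssl
import sys

# OID 1.2.840.113549.1.1.1 (rsaEncryption) exactly as it is DER-encoded inside
# the certificate's SubjectPublicKeyInfo; the signature OID ends in 0x0B, so no false match.
RSA_ENCRYPTION_OID_TLV = bytes.fromhex("06092a864886f70d010101")
MIN_RSA_BITS = 2048  # the length the poster is trying to reach; scanners flag anything shorter


def _der_tlv(tag: int, body: bytes) -> bytes:
    """Encode one DER tag-length-value, using long-form length when needed."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    length_bytes = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length_bytes)]) + length_bytes + body


def _read_tlv(buf: bytes, pos: int):
    """Decode one DER tag-length-value at pos; return (tag, value, position after it)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def rsa_bits_from_der(cert_der: bytes):
    """Return the RSA modulus size in bits from a DER certificate (or SPKI); None if the key is not RSA."""
    idx = cert_der.find(RSA_ENCRYPTION_OID_TLV)
    if idx < 0:
        return None
    pos = idx + len(RSA_ENCRYPTION_OID_TLV)
    tag, _, after_params = _read_tlv(cert_der, pos)
    if tag == 0x05:                        # AlgorithmIdentifier parameters: NULL (required for rsaEncryption)
        pos = after_params
    tag, bitstr, _ = _read_tlv(cert_der, pos)   # subjectPublicKey BIT STRING
    if tag != 0x03:
        return None
    # BIT STRING byte 0 is the unused-bit count; the rest is RSAPublicKey ::= SEQUENCE { modulus, exponent }
    tag, rsa_pub, _ = _read_tlv(bitstr, 1)
    if tag != 0x30:
        return None
    tag, modulus, _ = _read_tlv(rsa_pub, 0)
    if tag != 0x02:
        return None
    return int.from_bytes(modulus.lstrip(b"\x00"), "big").bit_length()


def meets_minimum(bits, minimum: int = MIN_RSA_BITS) -> bool:
    """True when the key is RSA and at least `minimum` bits long."""
    return bits is not None and bits >= minimum


def make_fake_spki(bits: int) -> bytes:
    """Constructed SubjectPublicKeyInfo with a modulus of `bits` bits (demo data, not a usable key)."""
    modulus = b"\x00\x80" + b"\x11" * (bits // 8 - 1)   # leading 0x00 because the high bit is set
    exponent = b"\x01\x00\x01"
    rsa_pub = _der_tlv(0x30, _der_tlv(0x02, modulus) + _der_tlv(0x02, exponent))
    alg = _der_tlv(0x30, RSA_ENCRYPTION_OID_TLV + b"\x05\x00")
    return _der_tlv(0x30, alg + _der_tlv(0x03, b"\x00" + rsa_pub))


def fetch_cert_der(host: str, port: int = 443, timeout: float = 5.0) -> bytes:
    """Fetch the leaf certificate from a live TLS listener, e.g. the switch's HTTPS port."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False             # the switch presents a self-signed cert; we only inspect it
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = ssl.TLSVersion.TLSv1   # older IOS images may not offer TLS 1.2
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


if __name__ == "__main__":
    # Usage: python check_rsa_bits.py 192.0.2.10   (placeholder address; no argument runs the offline demo)
    der = fetch_cert_der(sys.argv[1]) if len(sys.argv) > 1 else make_fake_spki(1024)
    bits = rsa_bits_from_der(der)
    print(f"RSA modulus: {bits} bits -> {'OK' if meets_minimum(bits) else 'TOO SHORT'}")
```

Two caveats when using it against a 2960X on an old image: if the platform's OpenSSL build refuses the switch's legacy cipher suites, the handshake fails before any certificate is seen, and the same check is easier with `openssl s_client` at a lowered security level. Separately, a scanner finding about a 1024-bit Diffie-Hellman group (which is what "diffe 1024" in the first post reads like) concerns the ephemeral key-exchange parameters, not the certificate key, so this certificate check can pass while that finding remains.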

marce1000
VIP

> ...I'm guessing I am out of date; I know the software is end of life but is that really the cause?

- I would consider that mandatory for such issues = use the latest advisory software version available for the particular model.

 M.



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always respond to me with ' The only thing that exceeds your brilliance is your beauty! '