3560CX - Failed to generate persistent self-signed certificate

SamSamy
Level 1

I have two new switches, C3560CX-12PD-S and C3560CX-12TC-S, running software versions 15.2(7)E1 and 15.2(4)E8 respectively. When enabling the HTTP secure server, the following errors were returned.

#ip http secure-server

Failed to generate persistent self-signed certificate.
  Secure server will use temporary self-signed certificate.

There is nothing to show when entering the commands:

#sh crypto pki cert

#sh crypto pki trustpoints

10 Replies

Hello
Try generating a new local rsa key
conf t

crypto key zeroize
crypto key generate rsa label LOCAL general-keys modulus 2048
ip http secure-server


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Unfortunately, it still failed...

#crypto key zeroize
% All keys will be removed.
% All router certs issued using these keys will also be removed.
Do you really want to remove these keys? [yes/no]: yes
#$generate rsa label LOCAL general-keys modulus 2048
The name for the keys will be: LOCAL
% The key modulus size is 2048 bits
% Generating 2048 bit RSA keys, keys will be non-exportable...
[OK] (elapsed time was 4 seconds)
#ip http secure-server
% Generating 1024 bit RSA keys, keys will be non-exportable...
[OK] (elapsed time was 1 seconds)
Failed to generate persistent self-signed certificate.
    Secure server will use temporary self-signed certificate.

Is the image a "k9" image? What is the output of "sh ver"?

HTH

The System image file is "flash:/c3560cx-universalk9-mz.152-4.E8/c3560cx-universalk9-mz.152-4.E8.bin"

You have the correct IOS installed.

What is the output of "sh crypto key pubkey-chain rsa"?

HTH

Here they are.
Code  Usage    IP-Address/VRF  Keyring  Name
C     Signing                  default  cn=Cisco Root CA M1,o=Cisco
C     Signing                  default  cn=Cisco Root CA 2048,o=Cisco Systems
C     Signing                  default  cn=Cisco Manufacturing CA,o=Cisco Systems
C     Signing                  default  ou=Class 3 Public Primary Certification Authority,o=VeriSign, Inc.,c=US
C     Signing                  default  cn=Cisco Root CA M2,o=Cisco
C     Signing                  default  cn=Cisco Manufacturing CA SHA2,o=Cisco
C     Signing                  default  cn=Licensing Root - DEV,o=Cisco
C     Signing                  default  cn=Cisco Licensing Root CA,o=Cisco
C     Signing                  default  cn=Cisco RXC-R2,o=Cisco Systems,c=US

Looks good. Can you configure a host name and domain name on the switch and then test again?

HTH

Hi Paul,

I'm facing the same issue with the IE4000 switch.

I have used the following commands and checked the image file as well.

#sh ip http server status

HTTP server status: Enabled
HTTP server port: 80
HTTP server authentication method: enable
HTTP server access class: 0
HTTP server base path: sdflash:/ie4000-universalk9-mz.152-7.E2/html
HTTP server help root:
Maximum number of concurrent server connections allowed: 16
Maximum number of secondary server connections allowed: 5
Server idle time-out: 180 seconds
Server life time-out: 180 seconds
Server session idle time-out: 180 seconds
Maximum number of requests allowed on a connection: 25
HTTP server active session modules: NONE
HTTP secure server capability: Present
HTTP secure server status: Enabled
HTTP secure server port: 443
HTTP secure server ciphersuite: aes-128-cbc-sha aes-256-cbc-sha
dhe-aes-128-cbc-sha ecdhe-rsa-aes-256-cbc-sha
HTTP secure server TLS version: TLSv1.2 TLSv1.1
HTTP secure server client authentication: Disabled
HTTP secure server trustpoint:
HTTP secure server active session modules: NONE

The trustpoint is missing.

-------------------------------------------------------------------------------------

NDOT_Omaha_EastB_I-8(config)#ip http secure-server
% Generating 1024 bit RSA keys, keys will be non-exportable...
[OK] (elapsed time was 2 seconds)
           Failed to generate persistent self-signed certificate.
           Secure server will use temporary self-signed certificate.

------------------------------------------------------------------------------------------------

#sh ver


Switch  Ports  Model            SW Version  SW Image
------  -----  ---------------  ----------  --------------------
*    1     12  IE-4000-8GS4G-E  15.2(7)E2   IE4000-UNIVERSALK9-M

------------------------------------------------------------------------------------

#sh crypto pki cert
CA Certificate
Status: Available
Certificate Serial Number (hex): 019A335878CE16C1C1
Certificate Usage: Signature
Issuer:
cn=Cisco Root CA 2099
o=Cisco
Subject:
cn=Cisco Root CA 2099
o=Cisco
Validity Date:
start date: 15:58:28 CDT Aug 9 2016
end date: 14:58:28 CST Aug 9 2099
Associated Trustpoints: CISCO_IDEVID_SUDI0

Certificate
Status: Available
Certificate Serial Number (hex): 0740771567306479552F
Certificate Usage: General Purpose
Issuer:
o=Cisco
cn=High Assurance SUDI CA
Subject:
Name: IE-4000-8GS4G-E
Serial Number: PID:IE-4000-8GS4G-E SN:FDO2602J0Z6
cn=IE-4000-8GS4G-E
ou=ACT-2 Lite SUDI
o=Cisco
serialNumber=PID:IE-4000-8GS4G-E SN:FDO2602J0Z6
Validity Date:
start date: 16:14:55 CST Jan 2 2022
end date: 14:58:26 CST Aug 9 2099
Associated Trustpoints: CISCO_IDEVID_SUDI

CA Certificate
Status: Available
Certificate Serial Number (hex): 0A6475524CD8617C62
Certificate Usage: Signature
Issuer:
cn=Cisco Root CA 2099
o=Cisco
Subject:
o=Cisco
cn=High Assurance SUDI CA
CRL Distribution Points:
http://www.cisco.com/security/pki/crl/crca2099.crl
Validity Date:
start date: 15:28:08 CDT Aug 11 2016
end date: 14:58:27 CST Aug 9 2099
Associated Trustpoints: CISCO_IDEVID_SUDI


NDOT_Omaha_EastB_I-80_108th_St_RP_446.26_Cam_142.244.132#sh crypto pki trustpoints
Trustpoint CISCO_IDEVID_SUDI:
Subject Name:
o=Cisco
cn=High Assurance SUDI CA
Serial Number (hex): 0A6475524CD8617C62
Certificate configured.


Trustpoint CISCO_IDEVID_SUDI0:
Subject Name:
cn=Cisco Root CA 2099
o=Cisco
Serial Number (hex): 019A335878CE16C1C1
Certificate configured.

I have configured hostname and domain as well.

Why is this IE4000 not generating a certificate? Can you help me with this?

Thank you.

kfh
Level 1

So I was actually able to fix this with a combination of removing the current cert, creating a new cert, new CA, new trustpoint, and binding the cert:

no ip http secure-server

crypto key zeroize

crypto key generate rsa label somename-rsa modulus 2048

crypto pki trustpoint somename-ca
 enrollment selfsigned
 rsakeypair somename-rsa

crypto pki enroll somename-ca
% Include the router serial number in the subject name? [yes/no]: no
% Include an IP address in the subject name? [no]: no
Generate Self Signed Router Certificate? [yes/no]: yes
Router Self Signed Certificate successfully created

ip http secure-server

When I ran the above commands there were no errors, and I was able to get to HTTPS on the device. Just make sure you wr mem if this fixes the issue.

This solution also works on 3850 catalyst switches. Thanks!
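The empty "HTTP secure server trustpoint:" field in the IE4000 output above is the symptom to check for after applying the fix, and a temporary self-signed certificate shows up as a fingerprint that changes every time the switch reloads. The script below is an added example, not code from this thread or from Cisco: it parses the text of `show ip http server status` (the sample is constructed from the IE4000 output posted above), reports an empty trustpoint field along with legacy TLS versions and CBC-only ciphersuites, and pins the certificate a device presents so the fingerprint can be compared before and after a reload. The host/port passed to `presented_fingerprint`, the `LEGACY_VERSIONS` list and the wording of the findings are my own choices. Python standard library only.

```python
"""Audit 'show ip http server status' text for the missing-trustpoint
symptom and pin the presented HTTPS certificate across a reload.
Added example; not code from the thread or from Cisco."""
import hashlib
import re
import socket
import ssl

# Constructed sample, copied from the IE4000 output posted in the thread:
# the trustpoint line is empty and TLSv1.1 is still enabled.
SAMPLE_STATUS = """\
HTTP server status: Enabled
HTTP server port: 80
HTTP server base path: sdflash:/ie4000-universalk9-mz.152-7.E2/html
HTTP secure server capability: Present
HTTP secure server status: Enabled
HTTP secure server port: 443
HTTP secure server ciphersuite: aes-128-cbc-sha aes-256-cbc-sha
dhe-aes-128-cbc-sha ecdhe-rsa-aes-256-cbc-sha
HTTP secure server TLS version: TLSv1.2 TLSv1.1
HTTP secure server client authentication: Disabled
HTTP secure server trustpoint:
HTTP secure server active session modules: NONE
"""

# Assumed policy: anything below TLS 1.2 is flagged.
LEGACY_VERSIONS = ("SSLv3", "TLSv1.0", "TLSv1.1")


def parse_status(text):
    """Map 'key: value' lines to a dict. IOS wraps a long value (the
    ciphersuite list) onto a following line that has no colon; such a line
    is appended to the previous key. A value may itself contain colons (the
    base path), so the key is matched as letters/spaces/hyphens only."""
    fields = {}
    last = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r"^([A-Za-z][A-Za-z -]*):\s*(.*)$", line)
        if m:
            last = m.group(1).strip()
            fields[last] = m.group(2).strip()
        elif last is not None:
            fields[last] = (fields[last] + " " + line).strip()
    return fields


def audit(fields):
    """Return a list of findings; an empty list means the HTTPS server is
    bound to a trustpoint and offers only modern protocol settings."""
    findings = []
    if fields.get("HTTP secure server status") != "Enabled":
        return ["HTTPS server is not enabled"]
    if not fields.get("HTTP secure server trustpoint"):
        findings.append("no trustpoint bound: the server is using a temporary "
                        "self-signed certificate that is regenerated at reload")
    versions = fields.get("HTTP secure server TLS version", "").split()
    legacy = [v for v in versions if v in LEGACY_VERSIONS]
    if legacy:
        findings.append("legacy protocol versions enabled: " + ", ".join(legacy))
    suites = fields.get("HTTP secure server ciphersuite", "").split()
    if suites and all("-cbc-" in s for s in suites):
        findings.append("only CBC ciphersuites offered, no AEAD (GCM) suite")
    if fields.get("HTTP server status") == "Enabled":
        findings.append("plaintext HTTP on port %s is still enabled"
                        % fields.get("HTTP server port", "?"))
    return findings


def presented_fingerprint(host, port=443, timeout=5.0):
    """SHA-256 of the DER certificate the device presents. Verification is
    disabled on purpose: a self-signed cert chains to nothing we trust, and
    the goal is to pin it, not to validate it."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
    return hashlib.sha256(der).hexdigest()


def persists(before, after):
    """True when the fingerprint taken before a reload matches the one
    taken after it: a persistent certificate, not a temporary one."""
    return before.lower() == after.lower()


if __name__ == "__main__":
    for finding in audit(parse_status(SAMPLE_STATUS)):
        print("finding:", finding)
```

Run it against the pasted status text to confirm the trustpoint line is populated after the fix; for the persistence check, record `presented_fingerprint(host)` before `reload`, run it again afterwards and expect `persists()` to return True. The empty-trustpoint finding is the one that corresponds to the "Secure server will use temporary self-signed certificate" message in this thread; the TLS version and ciphersuite findings are extra hardening checks on the same output.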
