3560CX - Failed to generate persistent self-signed certificate

SamSamy (Level 1)

I have two new switches, a C3560CX-12PD-S and a C3560CX-12TC-S, running software versions 15.2(7)E1 and 15.2(4)E8 respectively. When enabling the HTTP secure server, the following errors were returned:

#ip http secure-server

Failed to generate persistent self-signed certificate.
  Secure server will use temporary self-signed certificate.

There is nothing to show when entering the commands:

#sh crypto pki cert

#sh crypto pki trustpoints

10 Replies

Hello
Try generating a new local rsa key
conf t

crypto key zeroize
crypto key generate rsa label LOCAL general-keys modulus 2048
ip http secure-server


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Unfortunately, it still failed...

#crypto key zeroize
% All keys will be removed.
% All router certs issued using these keys will also be removed.
Do you really want to remove these keys? [yes/no]: yes

#crypto key generate rsa label LOCAL general-keys modulus 2048
The name for the keys will be: LOCAL
% The key modulus size is 2048 bits
% Generating 2048 bit RSA keys, keys will be non-exportable...
[OK] (elapsed time was 4 seconds)

#ip http secure-server
% Generating 1024 bit RSA keys, keys will be non-exportable...
[OK] (elapsed time was 1 seconds)
Failed to generate persistent self-signed certificate.
    Secure server will use temporary self-signed certificate.

Is the image a "k9" image? What is the output of "sh ver"?

HTH

The System image file is "flash:/c3560cx-universalk9-mz.152-4.E8/c3560cx-universalk9-mz.152-4.E8.bin"

You have the correct IOS installed.

What is the output of "sh crypto key pubkey-chain rsa"?

HTH

Here they are.

Code Usage    IP-Address/VRF  Keyring  Name
C    Signing                  default  cn=Cisco Root CA M1,o=Cisco
C    Signing                  default  cn=Cisco Root CA 2048,o=Cisco Systems
C    Signing                  default  cn=Cisco Manufacturing CA,o=Cisco Systems
C    Signing                  default  ou=Class 3 Public Primary Certification Authority,o=VeriSign, Inc.,c=US
C    Signing                  default  cn=Cisco Root CA M2,o=Cisco
C    Signing                  default  cn=Cisco Manufacturing CA SHA2,o=Cisco
C    Signing                  default  cn=Licensing Root - DEV,o=Cisco
C    Signing                  default  cn=Cisco Licensing Root CA,o=Cisco
C    Signing                  default  cn=Cisco RXC-R2,o=Cisco Systems,c=US

Looks good. Can you configure a host name and domain name on the switch and then test again?

HTH

Hi Paul,

I'm facing the same issue with the IE4000 switch. 

I have used the following commands and checked the image file as well.

#sh ip http server status

HTTP server status: Enabled
HTTP server port: 80
HTTP server authentication method: enable
HTTP server access class: 0
HTTP server base path: sdflash:/ie4000-universalk9-mz.152-7.E2/html
HTTP server help root:
Maximum number of concurrent server connections allowed: 16
Maximum number of secondary server connections allowed: 5
Server idle time-out: 180 seconds
Server life time-out: 180 seconds
Server session idle time-out: 180 seconds
Maximum number of requests allowed on a connection: 25
HTTP server active session modules: NONE
HTTP secure server capability: Present
HTTP secure server status: Enabled
HTTP secure server port: 443
HTTP secure server ciphersuite: aes-128-cbc-sha aes-256-cbc-sha
dhe-aes-128-cbc-sha edche-rsa-aes-256-cbc-sha
HTTP secure server TLS version: TLSv1.2 TLSv1.1
HTTP secure server client authentication: Disabled
HTTP secure server trustpoint:
HTTP secure server active session modules: NONE

Trustpoint is missing.

-------------------------------------------------------------------------------------

NDOT_Omaha_EastB_I-8(config)#ip http secure-server
% Generating 1024 bit RSA keys, keys will be non-exportable...
[OK] (elapsed time was 2 seconds)
           Failed to generate persistent self-signed certificate.
           Secure server will use temporary self-signed certificate.

------------------------------------------------------------------------------------------------

#sh ver

Switch  Ports  Model            SW Version  SW Image
------  -----  ---------------  ----------  --------------------
*    1     12  IE-4000-8GS4G-E  15.2(7)E2   IE4000-UNIVERSALK9-M

------------------------------------------------------------------------------------

#sh crypto pki cert
CA Certificate
Status: Available
Certificate Serial Number (hex): 019A335878CE16C1C1
Certificate Usage: Signature
Issuer:
cn=Cisco Root CA 2099
o=Cisco
Subject:
cn=Cisco Root CA 2099
o=Cisco
Validity Date:
start date: 15:58:28 CDT Aug 9 2016
end date: 14:58:28 CST Aug 9 2099
Associated Trustpoints: CISCO_IDEVID_SUDI0

Certificate
Status: Available
Certificate Serial Number (hex): 0740771567306479552F
Certificate Usage: General Purpose
Issuer:
o=Cisco
cn=High Assurance SUDI CA
Subject:
Name: IE-4000-8GS4G-E
Serial Number: PID:IE-4000-8GS4G-E SN:FDO2602J0Z6
cn=IE-4000-8GS4G-E
ou=ACT-2 Lite SUDI
o=Cisco
serialNumber=PID:IE-4000-8GS4G-E SN:FDO2602J0Z6
Validity Date:
start date: 16:14:55 CST Jan 2 2022
end date: 14:58:26 CST Aug 9 2099
Associated Trustpoints: CISCO_IDEVID_SUDI

CA Certificate
Status: Available
Certificate Serial Number (hex): 0A6475524CD8617C62
Certificate Usage: Signature
Issuer:
cn=Cisco Root CA 2099
o=Cisco
Subject:
o=Cisco
cn=High Assurance SUDI CA
CRL Distribution Points:
http://www.cisco.com/security/pki/crl/crca2099.crl
Validity Date:
start date: 15:28:08 CDT Aug 11 2016
end date: 14:58:27 CST Aug 9 2099
Associated Trustpoints: CISCO_IDEVID_SUDI


NDOT_Omaha_EastB_I-80_108th_St_RP_446.26_Cam_142.244.132#sh crypto pki trustpoints
Trustpoint CISCO_IDEVID_SUDI:
Subject Name:
o=Cisco
cn=High Assurance SUDI CA
Serial Number (hex): 0A6475524CD8617C62
Certificate configured.


Trustpoint CISCO_IDEVID_SUDI0:
Subject Name:
cn=Cisco Root CA 2099
o=Cisco
Serial Number (hex): 019A335878CE16C1C1
Certificate configured.

I have configured hostname and domain as well.

Why is this IE4000 not generating the certificate? Can you help me with this?

Thank you.

kfh (Level 1)

So I was actually able to fix this with a combination of removing the current cert, creating a new cert, new CA, new trustpoint, and binding the cert:

! stop the secure server first so it lets go of the temporary certificate
no ip http secure-server

! removes every RSA key on the switch (SSH host key included) and any certificates issued with them
crypto key zeroize

! a named 2048-bit key for the trustpoint, instead of the 1024-bit key the secure server generates on its own
crypto key generate rsa label somename-rsa modulus 2048

! self-signed trustpoint bound to that key
crypto pki trustpoint somename-ca
 enrollment selfsigned
 rsakeypair somename-rsa

! generate the persistent self-signed certificate under that trustpoint
crypto pki enroll somename-ca
% Include the router serial number in the subject name? [yes/no]: no
% Include an IP address in the subject name? [no]: no
Generate Self Signed Router Certificate? [yes/no]: yes
Router Self Signed Certificate successfully created

ip http secure-server

When I ran the above commands there were no errors, and I was able to get to HTTPS on the device. Just make sure you do a wr mem if this fixes the issue.

This solution also works on Catalyst 3850 switches. Thanks!
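Added example (Python, written for this page; it is not code from the thread or from Cisco): a small checker for the "show ip http server status" block that the IE4000 post above pasted. It turns the empty "HTTP secure server trustpoint:" line that post calls out, the plaintext HTTP server still enabled on port 80, and the TLSv1.1 setting into explicit findings, and shows the same block as it should look after a fix like kfh's with the trustpoint bound. The second sample is constructed: the trustpoint name somename-ca is taken from kfh's post, and it assumes "no ip http server" and "ip http tls-version TLSv1.2" were applied as well, which the thread does not show. The one trap in this output is the cipher-suite list wrapping onto a second line with no colon; the parser folds that line back into the field above it.

```python
"""Audit the output of 'show ip http server status' from a Cisco IOS switch.

Added example, not code from the thread or from Cisco.  Flags the settings
that matter for HTTPS management access: no trustpoint bound (the
'temporary self-signed certificate' case), the plaintext HTTP server left
enabled, and legacy TLS versions still accepted.
"""
from typing import Dict, List

# Constructed sample: the IE4000 status block quoted in the thread,
# reproduced as posted (empty trustpoint line, wrapped cipher-suite list).
SAMPLE_STATUS = """\
HTTP server status: Enabled
HTTP server port: 80
HTTP server authentication method: enable
HTTP server access class: 0
HTTP server base path: sdflash:/ie4000-universalk9-mz.152-7.E2/html
HTTP server help root:
Maximum number of concurrent server connections allowed: 16
Maximum number of requests allowed on a connection: 25
HTTP server active session modules: NONE
HTTP secure server capability: Present
HTTP secure server status: Enabled
HTTP secure server port: 443
HTTP secure server ciphersuite: aes-128-cbc-sha aes-256-cbc-sha
dhe-aes-128-cbc-sha edche-rsa-aes-256-cbc-sha
HTTP secure server TLS version: TLSv1.2 TLSv1.1
HTTP secure server client authentication: Disabled
HTTP secure server trustpoint:
HTTP secure server active session modules: NONE
"""

# Constructed sample of the same block after a fix like the one in the thread.
# Assumptions (not shown in the thread): trustpoint 'somename-ca' is bound,
# 'no ip http server' and 'ip http tls-version TLSv1.2' were applied.
FIXED_STATUS = """\
HTTP server status: Disabled
HTTP server port: 80
HTTP secure server capability: Present
HTTP secure server status: Enabled
HTTP secure server port: 443
HTTP secure server ciphersuite: aes-128-cbc-sha aes-256-cbc-sha
dhe-aes-128-cbc-sha edche-rsa-aes-256-cbc-sha
HTTP secure server TLS version: TLSv1.2
HTTP secure server client authentication: Disabled
HTTP secure server trustpoint: somename-ca
HTTP secure server active session modules: NONE
"""

LEGACY_TLS = {"SSLv3", "TLSv1", "TLSv1.0", "TLSv1.1"}


def parse_status(text: str) -> Dict[str, str]:
    """Turn 'key: value' lines into a dict.

    A line with no colon is a wrapped continuation of the previous value
    (IOS wraps the cipher-suite list this way), so it is appended to the
    last key instead of being dropped.  Only the first colon splits key
    from value, which keeps paths like 'sdflash:/...' intact.
    """
    fields: Dict[str, str] = {}
    last_key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, sep, value = line.partition(":")
        if sep:
            last_key = key.strip()
            fields[last_key] = value.strip()
        elif last_key is not None:
            fields[last_key] = (fields[last_key] + " " + line).strip()
    return fields


def audit_http_server(text: str) -> List[str]:
    """Return a list of human-readable findings; empty means nothing flagged."""
    f = parse_status(text)
    findings: List[str] = []
    if f.get("HTTP secure server status") == "Enabled" and not f.get("HTTP secure server trustpoint"):
        findings.append(
            "no trustpoint bound to the secure server: HTTPS is running on the "
            "temporary self-signed certificate, which is not saved in the "
            "configuration and is regenerated on reload, so clients cannot pin it")
    if f.get("HTTP server status") == "Enabled":
        findings.append(
            f"plaintext HTTP server enabled on port {f.get('HTTP server port', '?')}: "
            "management logins cross the wire unencrypted (fix: 'no ip http server')")
    legacy = [v for v in f.get("HTTP secure server TLS version", "").split() if v in LEGACY_TLS]
    if legacy:
        findings.append("legacy TLS versions accepted: " + " ".join(legacy))
    return findings


if __name__ == "__main__":
    for name, block in (("as posted", SAMPLE_STATUS), ("after fix", FIXED_STATUS)):
        print(f"[{name}]")
        for finding in audit_http_server(block) or ["no findings"]:
            print("  -", finding)
```

Run it directly to print the findings for both samples; for a live switch, paste the output of "show ip http server status" in place of SAMPLE_STATUS. A trustpoint name on that line is the quick confirmation that the persistent certificate is in use; a blank there means each reload brings up a fresh key and certificate that nothing can pin.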