06-03-2020 02:29 AM
I have two new switches, C3560CX-12PD-S and C3560CX-12TC-S. Their software versions are 15.2(7)E1 and 15.2(4)E8 respectively. When enabling the HTTP secure server, the errors below are returned.
#ip http secure-server
Failed to generate persistent self-signed certificate.
Secure server will use temporary self-signed certificate.
There is nothing to show when entering the commands:
#sh crypto pki cert
#sh crypto pki trustpoints
06-03-2020 03:01 AM - edited 06-03-2020 03:02 AM
Hello
Try generating a new local rsa key
conf t
crypto key zeroize
crypto key generate rsa label LOCAL general-keys modulus 2048
ip http secure-server
06-03-2020 07:06 AM
Unfortunately, it still failed...
06-03-2020 08:00 AM
Is the image a "k9" image? What is the output of "sh ver"?
HTH
06-03-2020 11:43 AM
06-03-2020 12:52 PM
You have the correct IOS installed.
What is the output of "sh crypto key pubkey-chain rsa"?
HTH
06-03-2020 01:10 PM
06-03-2020 01:16 PM
Looks good. Can you configure a host name and domain name on the switch and then test again?
HTH
02-28-2022 12:46 PM - edited 02-28-2022 12:47 PM
Hi Paul,
I'm facing the same issue with the IE4000 switch.
I have used the following commands and checked the img file as well.
#sh ip http server status
HTTP server status: Enabled
HTTP server port: 80
HTTP server authentication method: enable
HTTP server access class: 0
HTTP server base path: sdflash:/ie4000-universalk9-mz.152-7.E2/html
HTTP server help root:
Maximum number of concurrent server connections allowed: 16
Maximum number of secondary server connections allowed: 5
Server idle time-out: 180 seconds
Server life time-out: 180 seconds
Server session idle time-out: 180 seconds
Maximum number of requests allowed on a connection: 25
HTTP server active session modules: NONE
HTTP secure server capability: Present
HTTP secure server status: Enabled
HTTP secure server port: 443
HTTP secure server ciphersuite: aes-128-cbc-sha aes-256-cbc-sha
dhe-aes-128-cbc-sha edche-rsa-aes-256-cbc-sha
HTTP secure server TLS version: TLSv1.2 TLSv1.1
HTTP secure server client authentication: Disabled
HTTP secure server trustpoint:
HTTP secure server active session modules: NONE
Trust-point is missing.
-------------------------------------------------------------------------------------
NDOT_Omaha_EastB_I-8(config)#ip http secure-server
% Generating 1024 bit RSA keys, keys will be non-exportable...
[OK] (elapsed time was 2 seconds)
Failed to generate persistent self-signed certificate.
Secure server will use temporary self-signed certificate.
------------------------------------------------------------------------------------------------
#sh ver
Switch Ports Model SW Version SW Image
------ ----- ---------------- ---------- ----------
* 1 12 IE-4000-8GS4G-E 15.2(7)E2 IE4000-UNIVERSALK9-M
------------------------------------------------------------------------------------
#sh crypto pki cert
CA Certificate
Status: Available
Certificate Serial Number (hex): 019A335878CE16C1C1
Certificate Usage: Signature
Issuer:
cn=Cisco Root CA 2099
o=Cisco
Subject:
cn=Cisco Root CA 2099
o=Cisco
Validity Date:
start date: 15:58:28 CDT Aug 9 2016
end date: 14:58:28 CST Aug 9 2099
Associated Trustpoints: CISCO_IDEVID_SUDI0
Certificate
Status: Available
Certificate Serial Number (hex): 0740771567306479552F
Certificate Usage: General Purpose
Issuer:
o=Cisco
cn=High Assurance SUDI CA
Subject:
Name: IE-4000-8GS4G-E
Serial Number: PID:IE-4000-8GS4G-E SN:FDO2602J0Z6
cn=IE-4000-8GS4G-E
ou=ACT-2 Lite SUDI
o=Cisco
serialNumber=PID:IE-4000-8GS4G-E SN:FDO2602J0Z6
Validity Date:
start date: 16:14:55 CST Jan 2 2022
end date: 14:58:26 CST Aug 9 2099
Associated Trustpoints: CISCO_IDEVID_SUDI
CA Certificate
Status: Available
Certificate Serial Number (hex): 0A6475524CD8617C62
Certificate Usage: Signature
Issuer:
cn=Cisco Root CA 2099
o=Cisco
Subject:
o=Cisco
cn=High Assurance SUDI CA
CRL Distribution Points:
http://www.cisco.com/security/pki/crl/crca2099.crl
Validity Date:
start date: 15:28:08 CDT Aug 11 2016
end date: 14:58:27 CST Aug 9 2099
Associated Trustpoints: CISCO_IDEVID_SUDI
NDOT_Omaha_EastB_I-80_108th_St_RP_446.26_Cam_142.244.132#h crypto pki trustpoints
Trustpoint CISCO_IDEVID_SUDI:
Subject Name:
o=Cisco
cn=High Assurance SUDI CA
Serial Number (hex): 0A6475524CD8617C62
Certificate configured.
Trustpoint CISCO_IDEVID_SUDI0:
Subject Name:
cn=Cisco Root CA 2099
o=Cisco
Serial Number (hex): 019A335878CE16C1C1
Certificate configured.
I have configured hostname and domain as well.
Why is this IE4000 not generating a cert? Can you help me with this?
Thank you.
06-29-2022 05:27 AM
So I was actually able to fix this with a combination of removing the current cert, creating a new cert, new CA, new trustpoint, and binding the cert:
no ip http secure-server
crypto key zeroize
crypto key generate rsa label somename-rsa modulus 2048
crypto pki trustpoint somename-ca
enrollment selfsigned
rsakeypair somename-rsa
crypto pki enroll somename-ca
% Include the router serial number in the subject name? [yes/no]: no
% Include an IP address in the subject name? [no]: no
Generate Self Signed Router Certificate? [yes/no]: yes
Router Self Signed Certificate successfully created
ip http secure-server
When I ran the above commands there were no errors, and I was able to get to HTTPS on the device. Just make sure you wr mem if this fixes the issue.
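A way to confirm the result of the fix above from a saved "sh crypto pki cert" capture, added here as an example (not from the thread or from Cisco): it parses the certificate blocks in the format quoted earlier in the thread and lists the trustpoints that hold a currently valid self-signed identity cert, skipping the factory SUDI chain that cannot be used by ip http secure-server. The sample output, the "Router Self-Signed Certificate" block and the somename-ca trustpoint name are assumed.

```python
import re
from datetime import datetime
# Constructed sample in the format of the thread's "sh crypto pki cert" output; the
# self-signed block and somename-ca are assumed (not real device output).
SAMPLE = """\
Router Self-Signed Certificate
  Issuer:
    cn=IOS-Self-Signed-Certificate-1234567890
  Subject:
    cn=IOS-Self-Signed-Certificate-1234567890
  Validity Date:
    start date: 10:00:00 UTC Jun 29 2022
    end date: 00:00:00 UTC Jan 1 2030
  Associated Trustpoints: somename-ca
Certificate
  Issuer:
    cn=High Assurance SUDI CA
  Subject:
    cn=IE-4000-8GS4G-E
  Validity Date:
    start date: 16:14:55 CST Jan 2 2022
    end date: 14:58:26 CST Aug 9 2099
  Associated Trustpoints: CISCO_IDEVID_SUDI
"""
DATE = re.compile(r"(\d\d:\d\d:\d\d) \S+ (\w{3} \d{1,2} \d{4})")  # skips the tz name

def parse_pki_certs(text):
    # One dict per certificate block: kind, issuer/subject DN parts, dates, trustpoints.
    certs, cur, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line in ("CA Certificate", "Router Self-Signed Certificate", "Certificate"):
            cur = {"kind": line, "issuer": {}, "subject": {}, "trustpoints": []}
            certs.append(cur)
        elif cur is None or not line:
            continue
        elif line.endswith(":"):  # "Issuer:"/"Subject:" open a DN; any other label closes it
            section = line[:-1].lower() if line in ("Issuer:", "Subject:") else None
        elif section and "=" in line:
            cur[section].update([line.split("=", 1)])
        elif line.startswith(("start date:", "end date:")):
            m = DATE.search(line)
            cur[line.split()[0]] = datetime.strptime(f"{m[1]} {m[2]}", "%H:%M:%S %b %d %Y")
        elif line.startswith("Associated Trustpoints:"):
            cur["trustpoints"] = line.split(":", 1)[1].split()
    return certs

def https_trustpoints(certs, now):
    # Trustpoints with a valid self-signed identity cert (issuer == subject); SUDI skipped.
    return [tp for c in certs
            if c["kind"] != "CA Certificate" and c["issuer"] == c["subject"]
            and c["start"] <= now <= c["end"]
            for tp in c["trustpoints"] if not tp.startswith("CISCO_IDEVID")]
```

If the list comes back empty after the fix, the HTTPS server is still running on the temporary certificate that is regenerated at every reload.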
07-01-2022 06:51 AM
This solution also works on 3850 catalyst switches. Thanks!