06-03-2020 02:29 AM
I have two new switches C3560CX-12PD-S and C3560CX-12TC-S. Their Software version 15.2(7)E1 and 15.2(4)E8 respectively. When enabling the HTTP secure server, the errors returned.
#ip http secure-server
Failed to generate persistent self-signed certificate.
Secure server will use temporary self-signed certificate.
There are nothing to show when entering the commands:
#sh crypto pki cert
#sh crypto pki trustpoints
06-03-2020 03:01 AM - edited 06-03-2020 03:02 AM
Hello
Try generating a new local rsa key
conf t
crypto key zeroize rsa
crypto key generate rsa label LOCAL general-keys modulus 2048
ip http secure-server
06-03-2020 07:06 AM
Unfortunately, it still failed...
06-03-2020 08:00 AM
Is the image a "k9" image? What is the output of "sh ver"?
HTH
06-03-2020 11:43 AM
06-03-2020 12:52 PM
You have the correct IOS installed.
What is the output of "sh crypto key pubkey-chain rsa"?
HTH
06-03-2020 01:10 PM
06-03-2020 01:16 PM
Looks good. Can you configure a host name and domain name on the switch and then test again?
HTH
02-28-2022 12:46 PM - edited 02-28-2022 12:47 PM
Hi Paul,
I'm facing the same issue with the IE4000 switch.
I have used the following commands and checked the img file as well.
#sh ip http server status
HTTP server status: Enabled
HTTP server port: 80
HTTP server authentication method: enable
HTTP server access class: 0
HTTP server base path: sdflash:/ie4000-universalk9-mz.152-7.E2/html
HTTP server help root:
Maximum number of concurrent server connections allowed: 16
Maximum number of secondary server connections allowed: 5
Server idle time-out: 180 seconds
Server life time-out: 180 seconds
Server session idle time-out: 180 seconds
Maximum number of requests allowed on a connection: 25
HTTP server active session modules: NONE
HTTP secure server capability: Present
HTTP secure server status: Enabled
HTTP secure server port: 443
HTTP secure server ciphersuite: aes-128-cbc-sha aes-256-cbc-sha
dhe-aes-128-cbc-sha edche-rsa-aes-256-cbc-sha
HTTP secure server TLS version: TLSv1.2 TLSv1.1
HTTP secure server client authentication: Disabled
HTTP secure server trustpoint:
HTTP secure server active session modules: NONE
Trust-point is missing.
-------------------------------------------------------------------------------------
NDOT_Omaha_EastB_I-8(config)#ip http secure-server
% Generating 1024 bit RSA keys, keys will be non-exportable...
[OK] (elapsed time was 2 seconds)
Failed to generate persistent self-signed certificate.
Secure server will use temporary self-signed certificate.
------------------------------------------------------------------------------------------------
#sh ver
Switch Ports Model SW Version SW Image
------ ----- ---------------- ---------- ----------
* 1 12 IE-4000-8GS4G-E 15.2(7)E2 IE4000-UNIVERSALK9-M
------------------------------------------------------------------------------------
#sh crypto pki cert
CA Certificate
Status: Available
Certificate Serial Number (hex): 019A335878CE16C1C1
Certificate Usage: Signature
Issuer:
cn=Cisco Root CA 2099
o=Cisco
Subject:
cn=Cisco Root CA 2099
o=Cisco
Validity Date:
start date: 15:58:28 CDT Aug 9 2016
end date: 14:58:28 CST Aug 9 2099
Associated Trustpoints: CISCO_IDEVID_SUDI0
Certificate
Status: Available
Certificate Serial Number (hex): 0740771567306479552F
Certificate Usage: General Purpose
Issuer:
o=Cisco
cn=High Assurance SUDI CA
Subject:
Name: IE-4000-8GS4G-E
Serial Number: PID:IE-4000-8GS4G-E SN:FDO2602J0Z6
cn=IE-4000-8GS4G-E
ou=ACT-2 Lite SUDI
o=Cisco
serialNumber=PID:IE-4000-8GS4G-E SN:FDO2602J0Z6
Validity Date:
start date: 16:14:55 CST Jan 2 2022
end date: 14:58:26 CST Aug 9 2099
Associated Trustpoints: CISCO_IDEVID_SUDI
CA Certificate
Status: Available
Certificate Serial Number (hex): 0A6475524CD8617C62
Certificate Usage: Signature
Issuer:
cn=Cisco Root CA 2099
o=Cisco
Subject:
o=Cisco
cn=High Assurance SUDI CA
CRL Distribution Points:
http://www.cisco.com/security/pki/crl/crca2099.crl
Validity Date:
start date: 15:28:08 CDT Aug 11 2016
end date: 14:58:27 CST Aug 9 2099
Associated Trustpoints: CISCO_IDEVID_SUDI
NDOT_Omaha_EastB_I-80_108th_St_RP_446.26_Cam_142.244.132#h crypto pki trustpoints
Trustpoint CISCO_IDEVID_SUDI:
Subject Name:
o=Cisco
cn=High Assurance SUDI CA
Serial Number (hex): 0A6475524CD8617C62
Certificate configured.
Trustpoint CISCO_IDEVID_SUDI0:
Subject Name:
cn=Cisco Root CA 2099
o=Cisco
Serial Number (hex): 019A335878CE16C1C1
Certificate configured.
I have configured hostname and domain as well.
Why is this IE4000 not generating a cert? Can you help me with this?
Thank you.
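An added check, not from this thread or from Cisco: it parses a "show ip http server status" capture like the one quoted above and flags the empty trustpoint (the symptom of the temporary self-signed certificate), along with the TLSv1.1 and CBC cipher suites the output lists. The sample output is constructed to mirror the post.

```python
import re
# Constructed sample modelled on the 'show ip http server status' output
# quoted in the post above: secure server enabled, no trustpoint bound.
SAMPLE_STATUS = """\
HTTP server status: Enabled
HTTP server port: 80
HTTP secure server status: Enabled
HTTP secure server port: 443
HTTP secure server ciphersuite: aes-128-cbc-sha aes-256-cbc-sha
dhe-aes-128-cbc-sha ecdhe-rsa-aes-256-cbc-sha
HTTP secure server TLS version: TLSv1.2 TLSv1.1
HTTP secure server trustpoint:
HTTP secure server active session modules: NONE
"""
FIELD_RE = re.compile(r"^([A-Za-z][^:]*?):\s*(.*)$")

def parse_status(text):
    """Parse the show output into {field: value}; a line with no 'field:'
    prefix (the wrapped ciphersuite list) extends the previous field."""
    fields, last = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = FIELD_RE.match(line)
        if m:
            last = m.group(1).strip()
            fields[last] = m.group(2).strip()
        elif line and last is not None:
            fields[last] = (fields[last] + " " + line).strip()
    return fields

def audit_https(fields):
    """Findings for the parsed output. An empty trustpoint is this thread's
    symptom: IOS fell back to a temporary self-signed cert, new on each reload."""
    findings = []
    if fields.get("HTTP server status") == "Enabled":
        findings.append("cleartext HTTP enabled on port "
                        + fields.get("HTTP server port", "?"))
    if fields.get("HTTP secure server status") == "Enabled":
        if not fields.get("HTTP secure server trustpoint"):
            findings.append("no trustpoint bound: temporary self-signed cert")
        old = [v for v in fields.get("HTTP secure server TLS version", "").split()
               if v in ("TLSv1.0", "TLSv1.1")]
        if old:
            findings.append("legacy TLS versions enabled: " + " ".join(old))
        cbc = [c for c in fields.get("HTTP secure server ciphersuite", "").split()
               if "-cbc-" in c]
        if cbc:
            findings.append("CBC cipher suites enabled: " + " ".join(cbc))
    return findings
```

Once a trustpoint is bound (as in the fix posted later in this thread), the trustpoint finding disappears; the TLS and cipher findings are separate hardening items.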
06-29-2022 05:27 AM
So I was actually able to fix this with a combination of removing the current cert, creating a new cert, new ca, new trustpoint, and binding the cert:
no ip http secure-server
crypto key zeroize rsa
crypto key generate rsa label somename-rsa modulus 2048
crypto pki trustpoint somename-ca
enrollment selfsigned
rsakeypair somename-rsa
crypto pki enroll somename-ca
% Include the router serial number in the subject name? [yes/no]: no
% Include an IP address in the subject name? [no]: no
Generate Self Signed Router Certificate? [yes/no]: yes
Router Self Signed Certificate successfully created
ip http secure-server
When I ran the above command - no errors - was able to get to HTTPS on the device. Just make sure you wr mem if this fixes the issue.
07-01-2022 06:51 AM
This solution also works on 3850 catalyst switches. Thanks!