Solved: Change the certificate used by a Cisco 3850

William Coats · ‎10-04-2013

I have a new 3850 L3 switch. It had a self-signed certificate installed when I first booted the switch. The certificate appears to be either 512 or 1024 in length. I would like to create a key that is 2048 in length. I can issue the crypto key generate rsa command and specify the 2048 length and I get a new cert. I just can't figure out hw to make the new cert as the active cert.

Here is the configuration section from the switch when it was first started:

crypto pki trustpoint TP-self-signed-127070658

enrollment selfsigned

subject-name cn=IOS-Self-Signed-Certificate-127070658

revocation-check none

rsakeypair TP-self-signed-127070658

!

crypto pki certificate chain TP-self-signed-127070658

certificate self-signed 01 nvram:IOS-Self-Sig#1.cer

When I create the new cert and then commit it with the copy running-config startup-config and then reload, it will show that the new cert is stored in NVRAM:private-config, but it doesn't show the cert when I cd to nvram: and issue the dir command. What is the proper sequence to get the new cert to be used.

Here is the results of the dir command:

2049 -rw- 1897 <no date> startup-config

2050 ---- 3821 <no date> private-config

2051 -rw- 1897 <no date> underlying-config

1 ---- 0 <no date> rf_cold_starts

2 -rw- 1079 <no date> cpu_trap.eci

4 -rw- 1072 <no date> cpu_threshold_trap.eci

6 -rw- 886 <no date> memory_trap.eci

7 -rw- 858 <no date> rf_trap.eci

8 -rw- 3123 <no date> wireless_trap.eci

11 -rw- 270 <no date> ma_trap_keyword

12 ---- 86 <no date> persistent-data

14 -rw- 578 <no date> IOS-Self-Sig#1.cer

15 -rw- 0 <no date> ifIndex-table

William Coats

Marvin Rhoads · ‎10-04-2013

I was wondering how to do this myself so I took it on as small project on our lab 3650. The documentation left something to be desired but I finally figured it out.

1. generate a 2048-bit rsa keypair:

seclab-3650(config)#crypto key generate rsa modulus 2048 label 2048-bit-key

2. create a trustpoint specifying self-signed enrollment and telling the TP to use that keypair

seclab-3650(config)#cry pki trustpoint 2048-bit-TP

seclab-3650(ca-trustpoint)#enrollment selfsigned

seclab-3650(ca-trustpoint)#usage ssl-server

seclab-3650(ca-trustpoint)#on nvram:

seclab-3650(ca-trustpoint)#rsakeypair 2048-bit-key

seclab-3650(ca-trustpoint)#exit

3. enroll the trustpoint - at this point the switch will generate the 2048-bit certificate.

seclab-3650(config)#crypto pki enroll 2048-bit-TP

% Include the router serial number in the subject name? [yes/no]: yes

% Include an IP address in the subject name? [no]:

Generate Self Signed Router Certificate? [yes/no]: yes

Router Self Signed Certificate successfully created

seclab-3650(config)#

4. tell your ip http secure-server to use this trustpoint

seclab-3650(config)#ip http secure-trustpoint 2048-bit-TP

Once I did all of that, I can go to the switch via https and see the 2048-bit key being used in the self-signed certificate. Click image below for larger view:

View solution in original post

Marvin Rhoads · ‎10-04-2013

I was wondering how to do this myself so I took it on as small project on our lab 3650. The documentation left something to be desired but I finally figured it out.

1. generate a 2048-bit rsa keypair:

seclab-3650(config)#crypto key generate rsa modulus 2048 label 2048-bit-key

2. create a trustpoint specifying self-signed enrollment and telling the TP to use that keypair

seclab-3650(config)#cry pki trustpoint 2048-bit-TP

seclab-3650(ca-trustpoint)#enrollment selfsigned

seclab-3650(ca-trustpoint)#usage ssl-server

seclab-3650(ca-trustpoint)#on nvram:

seclab-3650(ca-trustpoint)#rsakeypair 2048-bit-key

seclab-3650(ca-trustpoint)#exit

3. enroll the trustpoint - at this point the switch will generate the 2048-bit certificate.

seclab-3650(config)#crypto pki enroll 2048-bit-TP

% Include the router serial number in the subject name? [yes/no]: yes

% Include an IP address in the subject name? [no]:

Generate Self Signed Router Certificate? [yes/no]: yes

Router Self Signed Certificate successfully created

seclab-3650(config)#

4. tell your ip http secure-server to use this trustpoint

seclab-3650(config)#ip http secure-trustpoint 2048-bit-TP

Once I did all of that, I can go to the switch via https and see the 2048-bit key being used in the self-signed certificate. Click image below for larger view:

William Coats · ‎10-08-2013

That was what I was looking for. I was actually wanting a larger key for when we ssh into the key. Theses steps will do the same once I change the usage statement.

Thanks for the help.

Marvin Rhoads · ‎10-08-2013

You're welcome.

Please rate helpful replies and/or mark your question as answered.

Regards,

- Marvin

kcook · ‎07-12-2024

Thank you. Your response was helpful, but the process does not work on the3850 or 9300 switches that I tested it on.

- Kev

Sam Sanders · ‎09-12-2022

This is very helpful, thank you! However, when I perform these steps on a Cisco 3850 switch, I get the message, Attempt to request a certificate failed: status = FAIL. Any idea why this is happening? Do I need to try upgrading to a newer IOS? My version is: WS-C3850-24U SW Version: 03.06.07E SW Image: cat3k_caa-universalk9 Mode: INSTALL
Thanks very much.

joelzurita · ‎12-07-2023

did you find a solution for this? I am having the exact tame issue now

cisco-newbie2022 · ‎02-14-2024

Do you want to continue generating a new Self Signed Certificate? [yes/no]: yes
%Error: No public key found - Abort.

HarryLawhorn1 · ‎05-24-2024

Did you ever find a solution for this?

I successfully applied these setting to a 3650 switch but they fail on a 3850.

kcook · ‎07-12-2024

I ran the same commands on a Cisco 9300-48U switch running CAT9K_IOS-XE 16.8.1a INSTALL mode. Generating the self-signed certificate failed.

C9300-48U-SW#conf t
Enter configuration commands, one per line. End with CNTL/Z.
C9300-48U-SW(config)#cry pki trustpoint 2048-bit-TP
C9300-48U-SW(ca-trustpoint)#enrollment selfsigned
C9300-48U-SW(ca-trustpoint)#usage ssl-server
C9300-48U-SW(ca-trustpoint)#on nvram:
C9300-48U-SW(ca-trustpoint)#rsakeypair 2048-bit-key
C9300-48U-SW(ca-trustpoint)#exit
C9300-48U-SW(config)#crypto pki enroll 2048-bit-TP
The router has already generated a Self Signed Certificate for
trustpoint TP-self-signed-2307227245.
If you continue the existing trustpoint and Self Signed Certificate
will be deleted.

Do you want to continue generating a new Self Signed Certificate? [yes/no]: yes
% Include the router serial number in the subject name? [yes/no]: no
% Include an IP address in the subject name? [no]: no
Generate Self Signed Router Certificate? [yes/no]: yes
% Attempt to request a certificate failed: status = FAIL

C9300-48U-SW(config)#crypto pki enroll 2048-bit-TP
The router has already generated a Self Signed Certificate for
trustpoint TP-self-signed-2307227245.
If you continue the existing trustpoint and Self Signed Certificate
will be deleted.

Do you want to continue generating a new Self Signed Certificate? [yes/no]: yes
% Include the router serial number in the subject name? [yes/no]: yes
% Include an IP address in the subject name? [no]: no
Generate Self Signed Router Certificate? [yes/no]: yes
% Attempt to request a certificate failed: status = FAIL

C9300-48U-SW(config)#ip http secure-trustpoint 2048-bit-TP
C9300-48U-SW(config)#exit

kcook · ‎07-12-2024

In C9300-48U-SW I got HTTPS working by changing "ip http secure-trustpoint 2048-bit-TP" to "ip http secure-trustpoint TP-self-signed-2307227245". TP-self-signed-2307227245 has been on the switch since I installed it several years ago.

Router Self-Signed Certificate
Status: Available
Certificate Serial Number (hex): 01
Certificate Usage: General Purpose
Issuer:
cn=IOS-Self-Signed-Certificate-2307227245
Subject:
Name: IOS-Self-Signed-Certificate-2307227245
cn=IOS-Self-Signed-Certificate-2307227245
Validity Date:
start date: 12:57:22 PDT Oct 19 2018
end date: 16:00:00 PST Dec 31 2019
Associated Trustpoints: TP-self-signed-2307227245
Storage: nvram:IOS-Self-Sig#2.cer

C9300-48U-SW#show crypto pki trustpoint
Trustpoint TP-self-signed-2307227245:
Subject Name:
cn=IOS-Self-Signed-Certificate-2307227245
Serial Number (hex): 01
Persistent self-signed certificate trust point
Using key label TP-self-signed-2307227245

Trustpoint 2048-bit-TP:

----------------------------------------

C9300-48U-SW#show run | inc trustpoint
crypto pki trustpoint TP-self-signed-2307227245
crypto pki trustpoint 2048-bit-TP
ip http secure-trustpoint 2048-bit-TP
C9300-48U-SW#conf t
Enter configuration commands, one per line. End with CNTL/Z.
C9300-48U-SW(config)#no ip http secure-trustpoint 2048-bit-TP
C9300-48U-SW(config)#ip http secure-trustpoint TP-self-signed-2307227245
C9300-48U-SW(config)#exit