Change the certificate used by a Cisco 3850

William Coats
Level 1

I have a new 3850 L3 switch. It had a self-signed certificate installed when I first booted the switch. The certificate appears to be either 512 or 1024 in length. I would like to create a key that is 2048 in length. I can issue the crypto key generate rsa command and specify the 2048 length and I get a new cert. I just can't figure out how to make the new cert the active cert.

Here is the configuration section from the switch when it was first started:

crypto pki trustpoint TP-self-signed-127070658
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-127070658
 revocation-check none
 rsakeypair TP-self-signed-127070658
!
!
crypto pki certificate chain TP-self-signed-127070658
 certificate self-signed 01 nvram:IOS-Self-Sig#1.cer

When I create the new cert and then commit it with copy running-config startup-config and then reload, it will show that the new cert is stored in NVRAM:private-config, but it doesn't show the cert when I cd to nvram: and issue the dir command. What is the proper sequence to get the new cert to be used?

Here are the results of the dir command:

2049  -rw-        1897                    <no date>  startup-config
2050  ----        3821                    <no date>  private-config
2051  -rw-        1897                    <no date>  underlying-config
    1  ----           0                    <no date>  rf_cold_starts
    2  -rw-        1079                    <no date>  cpu_trap.eci
    4  -rw-        1072                    <no date>  cpu_threshold_trap.eci
    6  -rw-         886                    <no date>  memory_trap.eci
    7  -rw-         858                    <no date>  rf_trap.eci
    8  -rw-        3123                    <no date>  wireless_trap.eci
   11  -rw-         270                    <no date>  ma_trap_keyword
   12  ----          86                    <no date>  persistent-data
   14  -rw-         578                    <no date>  IOS-Self-Sig#1.cer
   15  -rw-           0                    <no date>  ifIndex-table


Accepted Solution

Marvin Rhoads
Hall of Fame

I was wondering how to do this myself so I took it on as a small project on our lab 3650. The documentation left something to be desired but I finally figured it out.

1. generate a 2048-bit rsa keypair:

seclab-3650(config)#crypto key generate rsa modulus 2048 label 2048-bit-key

2. create a trustpoint specifying self-signed enrollment and telling the TP to use that keypair

seclab-3650(config)#cry pki trustpoint 2048-bit-TP
seclab-3650(ca-trustpoint)#enrollment selfsigned
seclab-3650(ca-trustpoint)#usage ssl-server
seclab-3650(ca-trustpoint)#on nvram:
seclab-3650(ca-trustpoint)#rsakeypair 2048-bit-key
seclab-3650(ca-trustpoint)#exit

3. enroll the trustpoint - at this point the switch will generate the 2048-bit certificate.

seclab-3650(config)#crypto pki enroll 2048-bit-TP
% Include the router serial number in the subject name? [yes/no]: yes
% Include an IP address in the subject name? [no]:
Generate Self Signed Router Certificate? [yes/no]: yes
Router Self Signed Certificate successfully created
seclab-3650(config)#

4. tell your ip http secure-server to use this trustpoint

seclab-3650(config)#ip http secure-trustpoint 2048-bit-TP

Once I did all of that, I can go to the switch via https and see the 2048-bit key being used in the self-signed certificate. Click image below for larger view:
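The four steps above put a new trustpoint in place, but the only proof that the switch actually serves the 2048-bit certificate is what a client sees. The script below is an added example written for this thread (it is not Marvin's code and not part of Cisco IOS); it runs on an admin workstation and assumes the openssl and OpenSSH client tools are installed. It reports the RSA key size in a PEM certificate, in the certificate an HTTPS endpoint presents, and in the RSA host key an SSH server presents (the SSH check goes beyond the HTTPS case in the post, since the same trustpoint change is often wanted for SSH). The hostnames in the usage comments are placeholders; the certificate used for the self-test is generated locally and is constructed sample data only.

```shell
#!/bin/sh
# Added example (not from the thread): check which RSA key size a device actually presents.
set -eu

# Print the RSA modulus size in bits of a PEM certificate file.
# Works with the "Public-Key: (N bit)" line of both OpenSSL 1.1 and 3.x.
cert_key_bits() {
    openssl x509 -in "$1" -noout -text \
        | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1
}

# Fetch the leaf certificate an HTTPS server presents and report its key size.
# Usage (placeholder host): https_key_bits switch.example.net 443
https_key_bits() {
    tmp=$(mktemp)
    openssl s_client -connect "$1:${2:-443}" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -outform PEM > "$tmp"
    cert_key_bits "$tmp"
    rm -f "$tmp"
}

# Report the size of the RSA host key an SSH server presents.
# Usage (placeholder host): ssh_host_key_bits switch.example.net
ssh_host_key_bits() {
    ssh-keyscan -t rsa "$1" 2>/dev/null | ssh-keygen -lf - | awk '{print $1}'
}

# Constructed sample input: a throwaway 2048-bit self-signed certificate generated
# locally so the parser can be exercised offline. Prints the certificate path.
make_sample_cert() {
    dir=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=IOS-Self-Signed-Certificate-EXAMPLE" \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" >/dev/null 2>&1
    echo "$dir/cert.pem"
}

# Stand-alone run: self-check on the constructed certificate.
if [ "${1:-}" = "--selftest" ]; then
    echo "sample cert key size: $(cert_key_bits "$(make_sample_cert)") bits"
fi
```

After step 4, `https_key_bits <switch-address>` should print 2048; if it still prints 512 or 1024, the HTTP server is still bound to the old trustpoint (or the new enrollment failed, as some replies below report). Because `ip http secure-trustpoint` only affects HTTPS, the SSH host key is checked separately with `ssh_host_key_bits`.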


That was what I was looking for. I was actually wanting a larger key for when we ssh into the key. These steps will do the same once I change the usage statement.

Thanks for the help.

You're welcome.

Please rate helpful replies and/or mark your question as answered.

Regards,

- Marvin

Thank you. Your response was helpful, but the process does not work on the 3850 or 9300 switches that I tested it on.

- Kev

This is very helpful, thank you!  However, when I perform these steps on a Cisco 3850 switch, I get the message, Attempt to request a certificate failed: status = FAIL.  Any idea why this is happening? Do I need to try upgrading to a newer IOS?  My version is:  WS-C3850-24U  SW Version: 03.06.07E  SW Image: cat3k_caa-universalk9  Mode: INSTALL
Thanks very much.


did you find a solution for this? I am having the exact same issue now

Do you want to continue generating a new Self Signed Certificate? [yes/no]: yes
%Error: No public key found - Abort.

Did you ever find a solution for this? 

I successfully applied these setting to a 3650 switch but they fail on a 3850. 

kcook
Level 1

I ran the same commands on a Cisco 9300-48U switch running CAT9K_IOS-XE 16.8.1a INSTALL mode.  Generating the self-signed certificate failed.

C9300-48U-SW#conf t
Enter configuration commands, one per line. End with CNTL/Z.
C9300-48U-SW(config)#cry pki trustpoint 2048-bit-TP
C9300-48U-SW(ca-trustpoint)#enrollment selfsigned
C9300-48U-SW(ca-trustpoint)#usage ssl-server
C9300-48U-SW(ca-trustpoint)#on nvram:
C9300-48U-SW(ca-trustpoint)#rsakeypair 2048-bit-key
C9300-48U-SW(ca-trustpoint)#exit
C9300-48U-SW(config)#crypto pki enroll 2048-bit-TP
The router has already generated a Self Signed Certificate for
trustpoint TP-self-signed-2307227245.
If you continue the existing trustpoint and Self Signed Certificate
will be deleted.

Do you want to continue generating a new Self Signed Certificate? [yes/no]: yes
% Include the router serial number in the subject name? [yes/no]: no
% Include an IP address in the subject name? [no]: no
Generate Self Signed Router Certificate? [yes/no]: yes
% Attempt to request a certificate failed: status = FAIL

C9300-48U-SW(config)#crypto pki enroll 2048-bit-TP
The router has already generated a Self Signed Certificate for
trustpoint TP-self-signed-2307227245.
If you continue the existing trustpoint and Self Signed Certificate
will be deleted.

Do you want to continue generating a new Self Signed Certificate? [yes/no]: yes
% Include the router serial number in the subject name? [yes/no]: yes
% Include an IP address in the subject name? [no]: no
Generate Self Signed Router Certificate? [yes/no]: yes
% Attempt to request a certificate failed: status = FAIL

C9300-48U-SW(config)#ip http secure-trustpoint 2048-bit-TP
C9300-48U-SW(config)#exit


In C9300-48U-SW I got HTTPS working by changing "ip http secure-trustpoint 2048-bit-TP" to "ip http secure-trustpoint TP-self-signed-2307227245".  TP-self-signed-2307227245 has been on the switch since I installed it several years ago.

Router Self-Signed Certificate
Status: Available
Certificate Serial Number (hex): 01
Certificate Usage: General Purpose
Issuer:
cn=IOS-Self-Signed-Certificate-2307227245
Subject:
Name: IOS-Self-Signed-Certificate-2307227245
cn=IOS-Self-Signed-Certificate-2307227245
Validity Date:
start date: 12:57:22 PDT Oct 19 2018
end date: 16:00:00 PST Dec 31 2019
Associated Trustpoints: TP-self-signed-2307227245
Storage: nvram:IOS-Self-Sig#2.cer

C9300-48U-SW#show crypto pki trustpoint
Trustpoint TP-self-signed-2307227245:
Subject Name:
cn=IOS-Self-Signed-Certificate-2307227245
Serial Number (hex): 01
Persistent self-signed certificate trust point
Using key label TP-self-signed-2307227245

Trustpoint 2048-bit-TP:

----------------------------------------

C9300-48U-SW#show run | inc trustpoint
crypto pki trustpoint TP-self-signed-2307227245
crypto pki trustpoint 2048-bit-TP
ip http secure-trustpoint 2048-bit-TP
C9300-48U-SW#conf t
Enter configuration commands, one per line. End with CNTL/Z.
C9300-48U-SW(config)#no ip http secure-trustpoint 2048-bit-TP
C9300-48U-SW(config)#ip http secure-trustpoint TP-self-signed-2307227245
C9300-48U-SW(config)#exit
