Cisco 9200 AD CA SSL certificate CSR and import

Hi,

 

I have read the Cisco documentation on HTTPS certs for Cisco IOS here 

Sadly, I don't quite understand what a "TrustPoint" is, and what steps I do and do not need to take to generate a CSR to submit to our internal AD CA. It's also talking about URLs, and I'm not sure which CA URLs it is asking for.

 

My 9200 stack has a default trust point and self signed cert configured automatically.

Can anyone tell me which steps I need to follow in order to create a "TrustPoint" for our CA, and how to then generate a CSR?

 

Many thanks.

James

Accepted Solution

I have a resolution to this problem. Cisco support advised my issue was that the cert was missing DEK header information.

 

So, my process is:

1. Generate key and CSR using below command:

openssl req -newkey rsa:2048 -subj "[certificate_details]" -sha256 -keyout [key_name].key -out [csr_name].csr -config [ConfigFilePath]\openssl-san.cnf

2. Convert the key or add DEK header info using the below command:
openssl rsa -in keyin.key -out keyout.key -des3

3. Generate cert from CSR

4. Import cert to switch using below command:
crypto pki import TRUSTPOINT_NAME pem terminal password KEY_PASSWORD

5. Enter the root CA cert, key and cert text when prompted

6. Set the trustpoint as the one used for https using below command:
ip http secure-trustpoint TRUSTPOINT_NAME

Hope this helps others.

 

Regards

James
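A pre-flight check for step 2 above, added here as an example and not Cisco's or OpenSSL's code: it reads a PEM key file's envelope and RFC 1421 headers and reports whether the key already carries the `Proc-Type`/`DEK-Info` header that `openssl rsa -des3` writes (the form the `crypto pki import ... pem terminal password` step in this thread accepted), or whether it is still in the PKCS#8 form that `openssl req -newkey` produces. The function names are mine, the sample keys are constructed with a dummy base64 body, and nothing here decrypts anything.

```python
import re
from typing import Dict, List

# One PEM block; RFC 1421 header lines (Proc-Type, DEK-Info) may precede the base64 data.
_BLOCK = re.compile(r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\r?\n(?P<inner>.*?)-----END (?P=label)-----", re.S)


def pem_blocks(text: str) -> List[Dict[str, object]]:
    """Return [{'label', 'headers', 'body'}] for every PEM block in text."""
    blocks = []
    for m in _BLOCK.finditer(text):
        headers, body = {}, []
        for line in filter(None, (ln.strip() for ln in m.group("inner").splitlines())):
            if not body and ":" in line:   # header lines come before the base64 data lines
                k, v = line.split(":", 1)
                headers[k.strip()] = v.strip()
            else:
                body.append(line)
        blocks.append({"label": m.group("label"), "headers": headers, "body": "".join(body)})
    return blocks


def key_format(text: str) -> str:
    """Classify the first private-key block: which envelope, and is the DEK header present?"""
    for b in pem_blocks(text):
        lbl, hdr = b["label"], b["headers"]
        if lbl == "RSA PRIVATE KEY":         # traditional PKCS#1 envelope, as written by `openssl rsa -des3`
            encrypted = hdr.get("Proc-Type") == "4,ENCRYPTED" and "DEK-Info" in hdr
            return "traditional-encrypted" if encrypted else "traditional-plain"
        if lbl == "ENCRYPTED PRIVATE KEY":   # PKCS#8, what OpenSSL 3 `req -newkey` writes by default
            return "pkcs8-encrypted"
        if lbl == "PRIVATE KEY":             # PKCS#8 with no passphrase (-nodes / -noenc)
            return "pkcs8-plain"
    return "none"


def dek_cipher(text: str) -> str:
    """Cipher named in DEK-Info (e.g. 'DES-EDE3-CBC'), or '' if the header is absent."""
    for b in pem_blocks(text):
        if "DEK-Info" in b["headers"]:
            return b["headers"]["DEK-Info"].split(",")[0]
    return ""


# Constructed samples with a dummy base64 body (not real keys), in the two shapes the thread contrasts.
KEY_AFTER_RSA_DES3 = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                      "DEK-Info: DES-EDE3-CBC,0123456789ABCDEF\n\nQUJDREVGR0g=\n-----END RSA PRIVATE KEY-----\n")
KEY_FROM_REQ_NEWKEY = ("-----BEGIN ENCRYPTED PRIVATE KEY-----\nQUJDREVGR0g=\n"
                       "-----END ENCRYPTED PRIVATE KEY-----\n")
```

Run `key_format(open("keyout.key").read())` on the file produced by step 2; anything other than `traditional-encrypted` means the DEK header is still missing.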


balaji.bandi (Hall of Fame)

Just to make it clear, what are you trying to achieve here? Do you want the device web GUI cert to be authorized by a local CA?

 

 

 

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Yes, exactly.

I would like to apply an internally issued SSL certificate to the Web GUI, so that when browsing to the Web GUI the certificate is trusted (rather than showing a certificate error because it is using a self-signed cert).

 

Many thanks

James

Trustpoint to your CA.

 

Here are some good steps (for a router), but the same should work for a switch too.

 

https://www.entrust.com/knowledgebase/ssl/how-to-install-ssltls-certificates-on-cisco-appliance-using-cli

 

BB


Sorry, still a little lost.

 

Do I need to:

1. Generate a keypair:
crypto key generate rsa general-keys label MYCAKEYS exportable modulus 2048

2. Create a trustpoint for my CA:
crypto ca trustpoint MYCA
enrollment terminal
chain-validation stop

3. Create a trustpoint for the cert I am going to generate from my CA:
crypto ca trustpoint MYSWITCHDNSNAME
enrollment terminal
chain-validation continue MYCA
subject-name O=MYORG, OU=MYOU, CN=MYSWITCHDNSNAME
fqdn MYSWITCHDNSNAME
rsakeypair MYCAKEYS

4. Generate the CSR:
crypto ca enroll MYSWITCHDNSNAME

5. Submit the CSR to my CA and generate a certificate

6. Import the cert:
crypto ca authenticate MYSWITCHDNSNAME
PASTE BASE64 CERT

 

If that's correct, I will give this a go.

 

Thanks

James

Hi James,

Your steps match with what Entrust has on their site. See the below link:

https://www.entrust.com/knowledgebase/ssl/how-to-install-ssltls-certificates-on-cisco-appliance-using-cli

 

Just remember, if you want to use a public CA, you have to renew it once a year or every 3 years (depending on your contract with the provider). Not sure how large your teams are, but getting the certs from the CA is usually done by the server team.

 

HTH

Hi,

 

I get stuck at step 2.

"crypto ca" is not a recognised command:

Post the below information:

show version

show ip ssh

crypto ca ?  (what options do you see?)

 

BB


Show version returns a lot. Is there a specific bit you want to see, or shall I paste the whole lot?

Key one I suspect might be this:

Switch Ports Model              SW Version        SW Image              Mode
------ ----- -----              ----------        ----------            ----
*    1 28    C9200L-24T-4G      17.03.03          CAT9K_LITE_IOSXE      INSTALL
     2 28    C9200L-24T-4G      17.03.03          CAT9K_LITE_IOSXE      INSTALL

show ip ssh:

SSH Enabled - version 1.99
Authentication methods:publickey,keyboard-interactive,password
Authentication Publickey Algorithms:x509v3-ssh-rsa,ssh-rsa,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,x509v3-ecdsa-sha2-nistp256,x509v3-ecdsa-sha2-nistp384,x509v3-ecdsa-sha2-nistp521,rsa-sha2-256,rsa-sha2-512
Hostkey Algorithms:x509v3-ssh-rsa,rsa-sha2-512,rsa-sha2-256,ssh-rsa
Encryption Algorithms:aes128-gcm,aes256-gcm,aes128-ctr,aes192-ctr,aes256-ctr
MAC Algorithms:hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha2-512
KEX Algorithms:ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1
Authentication timeout: 120 secs; Authentication retries: 3
Minimum expected Diffie Hellman key size : 2048 bits
IOS Keys in SECSH format(ssh-rsa, base64 encoded): TP-self-signed-126708313

crypto ca ?:

ASP-COSW-01#crypto ca
                   ^
% Invalid input detected at '^' marker.

Let me know if you need anything else.

 

Cheers

James

ASP-COSW-01#crypto ca
                   ^
% Invalid input detected at '^' marker.

The command needs to be executed in config mode:

 

config t

!

(config)#crypt ?

 

and

 

(config)#crypt  ca ?

 

BB


Yes, unfortunately it is still unrecognised:

 

[Screenshot attached: Screenshot 2022-07-05 152508.png]

 

Many thanks

James

Apologies, I have observed that you have a LITE image; that may not work.

 

BB


Thanks.

 

Any suggestions on how to find steps to complete for the image we have?

Is there perhaps a way instead to do it through the Web GUI rather than CLI?

 

Many thanks

James

LITE does not support it, I guess; you need to change the IOS image.

 

BB


Surely there must be some way to just create a CSR to submit to my internal CA, either by CLI or in the GUI?

 

What is involved in changing the image, and can it be done without affecting my current running config?

 

Cheers

James
