01-21-2020 04:07 AM
Is it possible to change the Cisco switches' public and private key pair?
01-21-2020 04:25 AM
Hello akrmkhls56541,
Recently Cisco announced a problem with the self-signed certificate in devices, and shared a workaround to change this certificate.
Follow the link
https://www.cisco.com/c/en/us/support/docs/field-notices/704/fn70489.html
This document has 3 workarounds to perform the change.
Please rate and mark posts accordingly if you have found any of the information provided useful.
It will hopefully assist others with similar issues in the future.
Best regards,
Lucas Freitas
01-22-2020 12:18 AM
Dear @lucasfreitas83,
Thanks for your reply; it was useful to a great extent. However, I need to know whether I can change the public/private key pair of Cisco switches or not!
Actually, it is better that I ask my question in the following forms:
1-How many public/private key pairs are there in a Cisco switch?
2-What are they used for?
3-Is it possible to replace them with some other values generated externally, for example by puttygen?
4-And also, is it possible to get informed about the key pairs values that already exist in the device?
I'm sorry for my basic questions! I'm totally new to this field!
01-22-2020 03:10 AM
Hello,
no problem, here we all help each other.
1-How many public/private key pairs are there in a Cisco switch?
Commonly there is one.
2-What are they used for?
For web access, KPI (VPN)
3-Is it possible to replace them with some other values generated externally, for example by puttygen?
Yes, it is possible; the document that I sent has the procedure.
4-And also, is it possible to get informed about the key pairs values that already exist in the device?
In the running config you can see the certificate.
Another document to help you.
Please rate and mark posts accordingly if you have found any of the information provided useful.
It will hopefully assist others with similar issues in the future.
Best regards,
Lucas Freitas
01-22-2020 04:26 AM
Thanks for your reply! I do appreciate it!
Does the device use the same key pair for other tasks, e.g. for symmetric key agreement with other devices or any other activity that needs a public-private key pair?
If I change the certificate, does this impact other activities?
01-22-2020 05:18 AM