bryanchapman9999
Beginner

crypto pki certificate in running config

Hi,

On a couple of our newer devices there is an entry in the running config:

crypto pki certificate chain TP-self-signed-**********
 big certificate
   quit

license udi pid CISCO1941/K9 sn *********

We like to back up our running and startup configs each night and run a diff against them; this picks up if a config change made has not been copied to running.

Now on these newer devices the certificate entry above does not copy over to the startup config; it just shows:

crypto pki certificate chain TP-self-signed-**************

certificate self-signed 01 nvram:IOS-Self-Sig#1.cer

Thus it shows an error each night, as the startup config differs from the running config.

Is there any way to copy this over to the startup config?

Many thanks

Bryan

1 ACCEPTED SOLUTION

Accepted Solutions
Richard Burts
Hall of Fame Guru

Bryan

I doubt that there is anything that you can do to fix this (except perhaps to try a different version of code). I believe that the issue is not that the certificate is not being copied, but that in the process of copying to startup config the IOS is using a pointer to the certificate (which is stored in nvram).

Part of the issue is the differences between startup config and running config. The startup config is a text file into which the IOS writes the interpreted active config. And the running config is a dynamic data structure. When the router boots it reads the content of startup config and initializes the content of the dynamic data structure. When it gets to the part about the certificate the IOS reads the pointer and puts the content of the certificate into running config. So running config has the actual content of the certificate while startup config has only the pointer.

HTH

Rick


3 REPLIES

Many thanks Rick, I've actually modified the script to grep out the certificates now.

Cheers

Bryan
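One way to do what Bryan describes, as an added example that is not part of this thread: normalise both saved configs by dropping only the body of each `crypto pki certificate chain` block (the hex blob in running-config, the `nvram:` pointer in startup-config) before diffing, so the nightly check stays quiet on the certificate but still reports any real change, including an added or renamed trustpoint. The hostnames, serial and certificate hex in the sample configs are constructed placeholders.

```python
import difflib
import re

# Header of a PKI certificate-chain block; the word after it is the trustpoint name.
CHAIN_HEADER = re.compile(r"^crypto pki certificate chain\s+\S+")


def strip_cert_bodies(config: str) -> list[str]:
    """Drop the indented body of every 'crypto pki certificate chain' block.

    running-config carries the full certificate hex ending in 'quit';
    startup-config carries only the 'nvram:...' pointer.  The header line is
    kept so an added, removed or renamed trustpoint is still reported.
    """
    kept, in_chain = [], False
    for line in config.splitlines():
        if CHAIN_HEADER.match(line):
            in_chain = True
            kept.append(line.rstrip())
            continue
        if in_chain and (not line.strip() or line[0].isspace()):
            continue  # body line: 'certificate self-signed ...', hex words, 'quit'
        in_chain = False
        kept.append(line.rstrip())
    return kept


def config_diff(running: str, startup: str) -> list[str]:
    """Return the '+'/'-' lines that still differ once certificate bodies are ignored."""
    diff = difflib.unified_diff(strip_cert_bodies(startup), strip_cert_bodies(running),
                                fromfile="startup-config", tofile="running-config",
                                lineterm="", n=0)
    return [line for line in list(diff)[2:] if line[0] in "+-"]


# Constructed sample configs; the {cert} slot is the only part that differs.
_TEMPLATE = """\
hostname edge-rtr1
!
crypto pki certificate chain TP-self-signed-1234567890
{cert}
!
license udi pid CISCO1941/K9 sn PLACEHOLDER-SERIAL
!
interface GigabitEthernet0/0
 description uplink
!
"""
RUNNING_CONFIG = _TEMPLATE.format(cert=" certificate self-signed 01\n"
    "  30820229 30820192 A0030201 02020101 300D0609 2A864886 F70D0101 05050030\n"
    "  \tquit")
STARTUP_CONFIG = _TEMPLATE.format(cert=" certificate self-signed 01 nvram:IOS-Self-Sig#1.cer")

if __name__ == "__main__":
    for line in config_diff(RUNNING_CONFIG, STARTUP_CONFIG) or ["no differences"]:
        print(line)
```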

The config you provided shows the device is using a self-signed certificate. This is a default configuration and I would not recommend removing it from your device configuration. The self-signed certificate is used for SSH and HTTPS device management; IPSec and SSL tunnels also use this key. These security features will not be available without a certificate on the device.

Regards

Scott
