09-11-2012 07:48 AM - edited 03-07-2019 08:49 AM
Hi,
On a couple of our newer devices there is an entry in the running config:
crypto pki certificate chain TP-self-signed-**********
bigcertificate
quit
license udi pid CISCO1941/K9 sn *********
We like to back up our running and startup configs each night and run a diff against them; this picks up if a config change that has been made has not been copied to running.
Now on these newer devices the certificate entry above does not copy over to the startup config. It just shows:
crypto pki certificate chain TP-self-signed-**************
certificate self-signed 01 nvram:IOS-Self-Sig#1.cer
Thus it shows an error each night as the startup config differs from the running config.
Is there any way to copy this over to the startup config?
Many thanks
Bryan
09-11-2012 08:29 PM
Bryan
I doubt that there is anything that you can do to fix this (except perhaps to try a different version of code). I believe that the issue is not that the certificate is not being copied, but that in the process of copying to startup config the IOS is using a pointer to the certificate (which is stored in nvram).
Part of the issue is the differences between startup config and running config. The startup config is a text file into which the IOS writes the interpreted active config, and the running config is a dynamic data structure. When the router boots it reads the content of startup config and initializes the content of the dynamic data structure. When it gets to the part about the certificate, the IOS reads the pointer and puts the content of the certificate into running config. So running config has the actual content of the certificate while startup config has only the pointer.
HTH
Rick
09-13-2012 09:42 AM
Many thanks Rick, I've actually modified the script to grep out the certificates now.
Cheers
Bryan
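The nightly comparison described in this thread, written out as an added example (this is not Bryan's script and not Cisco tooling): the "crypto pki certificate chain" block is removed from both dumps before diffing, because the running config carries the certificate bytes inline while the startup config carries only the nvram: pointer to the same certificate, so a plain diff reports a false change there every night. The sample dumps, hostname, serial and certificate bytes are constructed placeholders; the volatile header lines that are filtered ("Building configuration...", "Current configuration : N bytes", "Using N out of M bytes") are the ones `show running-config` and `show startup-config` print before the configuration itself.

```shell
#!/bin/sh
# Added example, not Bryan's script or Cisco tooling: a nightly
# running-config vs startup-config comparison that ignores the
# "crypto pki certificate chain" block. The running config carries the
# certificate hex inline while the startup config carries only an
# nvram: pointer to the same certificate, so a plain diff always reports
# a false change there.

# Drop every "crypto pki certificate chain <trustpoint>" block: the header
# line plus the indented lines under it (" certificate ...", the hex rows,
# "  quit"). The next non-indented line ends the block. A "quit" at column 0
# is also swallowed, because some dumps lose their leading spaces.
strip_cert_chains() {
    awk '
        /^crypto pki certificate chain /               { skipping = 1; next }
        skipping && (/^[ \t]/ || /^[ \t]*quit[ \t]*$/) { next }
        { skipping = 0; print }
    '
}

# Normalise one dump: remove the certificate blocks plus the volatile header
# lines and blank lines that legitimately differ between the two commands.
normalize_config() {
    grep -v -e '^Building configuration' \
            -e '^Current configuration' \
            -e '^Using [0-9]* out of [0-9]* bytes' \
            -e '^! Last configuration change' \
            -e '^! NVRAM config last updated' \
            -e '^[[:space:]]*$' "$1" | strip_cert_chains
}

# config_drift RUNNING STARTUP: exit 0 when the normalised dumps match,
# 1 when they differ (the unified diff is printed on stdout).
config_drift() {
    run_norm=$(mktemp); start_norm=$(mktemp)
    normalize_config "$1" > "$run_norm"
    normalize_config "$2" > "$start_norm"
    if diff -u "$start_norm" "$run_norm"; then rc=0; else rc=1; fi
    rm -f "$run_norm" "$start_norm"
    return "$rc"
}

# Constructed sample dumps (placeholder serial, hostname and certificate
# bytes; not taken from the original post).
RUNNING_CFG=$(mktemp); STARTUP_CFG=$(mktemp); DRIFTED_CFG=$(mktemp)
trap 'rm -f "$RUNNING_CFG" "$STARTUP_CFG" "$DRIFTED_CFG"' EXIT

cat > "$RUNNING_CFG" <<'EOF'
Building configuration...

Current configuration : 1834 bytes
!
hostname EDGE-RTR
!
crypto pki trustpoint TP-self-signed-1234567890
 enrollment selfsigned
!
crypto pki certificate chain TP-self-signed-1234567890
 certificate self-signed 01
  3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  quit
license udi pid CISCO1941/K9 sn PLACEHOLDER00
!
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
!
end
EOF

cat > "$STARTUP_CFG" <<'EOF'
Using 1540 out of 262144 bytes
!
hostname EDGE-RTR
!
crypto pki trustpoint TP-self-signed-1234567890
 enrollment selfsigned
!
crypto pki certificate chain TP-self-signed-1234567890
 certificate self-signed 01 nvram:IOS-Self-Sig#1.cer
license udi pid CISCO1941/K9 sn PLACEHOLDER00
!
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
!
end
EOF

# A real, unsaved change: the interface address was edited in running config.
sed 's/192\.0\.2\.1 /192.0.2.2 /' "$RUNNING_CFG" > "$DRIFTED_CFG"

if config_drift "$RUNNING_CFG" "$STARTUP_CFG" > /dev/null; then
    echo "no drift: certificate chain ignored, everything else matches"
fi
config_drift "$DRIFTED_CFG" "$STARTUP_CFG" || echo "drift detected: unsaved change above"
```

The filter keeps the `crypto pki trustpoint` section, since that is real configuration that should be saved; only the certificate chain, whose two representations are different views of the same bytes in nvram, is excluded. Anything else that differs (the edited interface address in the third sample) still produces a diff and a non-zero exit status for the nightly job to alert on.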
10-23-2013 03:29 PM
The config you provided shows the device is using a self-signed certificate. This is a default configuration and I would not recommend removing it from your device configuration. The self-signed certificate is used for SSH HTTPS device management; IPSec and SSL tunnels also use this key. These security features will not be available without a certificate on the device.
Regards
Scott
Sent from Cisco Technical Support iPhone App