Crypto pki certificate not showing up in the running config

I have a question, hope it's obvious, but about the crypto pki certificate chain that is usually present in the running config once the rsa key is generated. I currently can ssh over to the switch with no issues, however, isn't that supposed to show up in the config? I have another switch, same model and firmware version and it shows up there, is there something I'm missing here? I've made sure the prerequisites were all there and generated the key again with no luck.

example.

crypto pki trustpoint TP-self-signed-207144960
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-xxxxxxxxxx
 revocation-check none
 rsakeypair TP-self-signed-207144960
!
!
crypto pki certificate chain TP-self-signed-xxxxxxxx
 certificate self-signed 01

Model- WS-CBS3120X-S

SW Version- CBS31X0-UNIVERSALK9-M

Thanks in advance,

Andrew

Accepted Solutions

Andrew

Thanks for confirming that SSH is working and for sending the configs which do, indeed, supply the explanation for this behavior. It is exactly as I suggested: a difference in configuration between the switches about the Graphical Interface. On switch 2 there is this:

no ip http secure-server

and switch 1 does enable ip http secure-server.

You have a choice about how to fix this issue. If you intend people to use the GUI then on switch 2 you must enable ip http secure-server (and the self signed certificate will appear in the config). If you intend that people will not use the GUI then on switch 1 you disable ip http secure-server.

HTH

Rick
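
The relationship described in this answer can be checked across saved running-configs. The following Python sketch is an added example, not part of the original thread; the two sample configs are constructed (they are not the poster's uploads) and the function name `audit` is hypothetical.

```python
import re

# Constructed sample configs, reduced to the lines that matter here.
SWITCH1 = """\
hostname switch1
crypto pki trustpoint TP-self-signed-0000000001
 enrollment selfsigned
 rsakeypair TP-self-signed-0000000001
!
crypto pki certificate chain TP-self-signed-0000000001
 certificate self-signed 01
ip http secure-server
"""
SWITCH2 = """\
hostname switch2
no ip http secure-server
ip ssh version 2
"""

def audit(config):
    """Relate the HTTPS server setting to self-signed PKI objects in a running-config."""
    https, trustpoints, chains, block = False, set(), set(), None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line.startswith(" "):            # a top-level command closes any sub-block
            block = None
            if line == "ip http secure-server":  # the 'no' form does not match
                https = True
            elif m := re.fullmatch(r"crypto pki trustpoint (\S+)", line):
                block = ("tp", m.group(1))
            elif m := re.fullmatch(r"crypto pki certificate chain (\S+)", line):
                block = ("chain", m.group(1))
        elif block and block[0] == "tp" and line.strip() == "enrollment selfsigned":
            trustpoints.add(block[1])
        elif block and block[0] == "chain" and line.strip().startswith("certificate self-signed"):
            chains.add(block[1])
    has_cert = bool(trustpoints & chains)       # trustpoint and its chain both present
    if https == has_cert:
        finding = "expected"                    # GUI on with cert, or GUI off without one
    elif https:
        finding = "https-without-cert"          # enabled, but no self-signed chain in config
    else:
        finding = "cert-without-https"          # certificate present while GUI is disabled
    return {"https": https, "self_signed_cert": has_cert, "finding": finding}

if __name__ == "__main__":
    for name, cfg in (("switch1", SWITCH1), ("switch2", SWITCH2)):
        print(name, audit(cfg))
```

Both sample switches report `expected`: the one with the secure server enabled carries the certificate, and the one with it disabled does not, which matches the behavior explained above.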



rvarelac
Level 7

Hi Andrew, 

Maybe the certificate was not installed properly or at all.

What does the "Show crypto pki certificate" and "Show crypto pki trustpoint" show?

Hope it helps

-Randy-

Wow, doesn't pull back any information, for the certificate and trustpoint. Does that mean it didn't install properly?

The original post seems to say that SSH is working correctly but is not entirely clear about that. Can you clarify whether SSH is working or is not working?

The certificate that you are talking about does not relate to SSH (so it is quite possible that SSH does work but does not have the certificate). This certificate is more related to the Graphical Interface for the switch. My guess would be that this switch does not have the http secure server enabled and that the other switch does have it enabled.

HTH

Rick

Absolutely. SSH is working with no issues, on both switches. I came across this the other day when checking the configs, before I send them out into production. I uploaded both configs from switch 1 and 2, 2 being in question here, but hope this helps.

Thanks in advance

Andrew

Appreciate the help.  I made the changes and looking good now.  Thanks again.

Andrew