cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
102196
Views
43
Helpful
19
Replies

crypto pki trustpoint TP-self-signed

vishalpatil86
Level 1
Level 1

Hi,

I have a core switch(4506e) connected to 6 edge switches(2960)..

Each switch is configured with crypto pki trustpoint TP-self-signed

WHat is this exactly and whats its use?

Also, when i connect other 2960 with core, it automatically takes this crypto config..

I dont understand this/.

Help me on this

1 Accepted Solution

Accepted Solutions

Giuseppe Larosa
Hall of Fame
Hall of Fame

Hello Vishal,

the command is a security command related to PKI = public key infrastructure.

The command defines an object that can be trusted (trustpoint) with name TP-self-signed that roughly means a security certifcate is locally generated

This should be a default of newer IOS images in order to prepare the devices for secure management via for example SSH and the use of certificates

in other words if you are managing your devices with telnet only, these commands have no effect in your scenario.

see

http://www.cisco.com/en/US/docs/ios-xml/ios/security/a1/sec-cr-c5.html#GUID-0447E1FC-0851-4A3F-A727-8CAEEFB84A62

Edit:

the following is an example of a series of commands in a C1811 router taken from another thread

crypto pki trustpoint TP-self-signed-4147111382

enrollment selfsigned

subject-name cn=IOS-Self-Signed-Certificate-4147111382

revocation-check none

rsakeypair TP-self-signed-4147111382

!


Hope to help

Giuseppe

View solution in original post

19 Replies 19

Giuseppe Larosa
Hall of Fame
Hall of Fame

Hello Vishal,

the command is a security command related to PKI = public key infrastructure.

The command defines an object that can be trusted (trustpoint) with name TP-self-signed that roughly means a security certifcate is locally generated

This should be a default of newer IOS images in order to prepare the devices for secure management via for example SSH and the use of certificates

in other words if you are managing your devices with telnet only, these commands have no effect in your scenario.

see

http://www.cisco.com/en/US/docs/ios-xml/ios/security/a1/sec-cr-c5.html#GUID-0447E1FC-0851-4A3F-A727-8CAEEFB84A62

Edit:

the following is an example of a series of commands in a C1811 router taken from another thread

crypto pki trustpoint TP-self-signed-4147111382

enrollment selfsigned

subject-name cn=IOS-Self-Signed-Certificate-4147111382

revocation-check none

rsakeypair TP-self-signed-4147111382

!


Hope to help

Giuseppe

hi

Giuseppe,

Thanks for the reply, it helped me.

We use ssh to manage switches

This is the the automatic configuration that switch does itself or we have to do it

can we remove this config and if removed what will happen?

Hello Vishal,

because you are using SSH to manage the switches and it is not clear if authentication is based on certificates or other means I would not remove those commands from your devices

Hope to help

Giuseppe

Hi All,

I have virtual 3640 router on GNS3 and trying to discover it on CCP but it fails with security certificate rejected. How do I fix this as the example on cisco help to type commands about "TP-self-signed xxxxx" do not work, I obviously need specific wording for my setup? Can anyone help please. Thanks

Dear Giuseppe Larosa

I have 841 router, after factory reset i unable to find "crypto pki certificate chain TP-self-signed"

How can I generate "crypto pki certificate" please guide.

as per your above comment "TP-self-signed-4147111382" how can i Find this number for my router.

current running confing I can't see crypto pki certificate.

Thanks in advance.

Exactly - that is my question - how do we find out the number to use in the

crypto pki trustpoint TP-self-signed-1234567890

command?  It isn't the serial number... the SN is in hex and has 11 characters.

How do we determine the 10-digit number to use with the above command?

Many thanks,

Sam


@Sam Sanders wrote:

Exactly - that is my question - how do we find out the number to use in the

crypto pki trustpoint TP-self-signed-1234567890

command?  It isn't the serial number... the SN is in hex and has 11 characters.

How do we determine the 10-digit number to use with the above command?

Many thanks,

Sam


I was also looking for that, spending 3 hours on internet to find a solution. 

I didn't want to just copy/paste configuration from another CISCO switch.

My problem was to find out how to get these lines : 

crypto pki trustpoint TP-self-signed-2981184384
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2981184384
revocation-check none
rsakeypair TP-self-signed-2981184384
!
!
crypto pki certificate chain TP-self-signed-2981184384
certificate self-signed 01

 

In fact, the solution is so simple...

Just tape : 

conf t 
ip http secure-server

 

Do a show run, and you will se the TP-self-signed number and all the rest.... 

 

 

Thanks for this.

I'm in the process of swapping out a switch from our network. Just couldn't figure out how those keys were generated on the old switch. I was sure it wasn't SSH....  but did not think to check if it was HTTPS. Your post really helped...

Thanks.

Thanks for this.. finally found the solution to my long time issue..

 

Just needed to re-do everything by..

 

#crypto key zeroize rsa

#no ip http secure-server

#crypto key generate rsa gen    

#ip http secure-server

 

Thanks again!

 

Thanks for sharing this.....Quick Question, Since the TP-self-signed is generated by enabling HTTPS.. Does that implies removing the expired TP-self-signed certificates using below commands will not impact our SSH access to those switches but just https.

 

Router(config_#no crypto pki trustpoint TP-self-signed-2591590124

3 year late reply, but I came across this thread when trying to figure out the origin of this certificate, and I can say that removing it from my ISR router DID NOT affect SSH logins.

Thanks for sharing your experience about this quite old topic. And for verifying that removing the self signed certificate did not impact SSH.

HTH

Rick

TO BE REMOVED: crypto pki trustpoint TP-self-signed-576698624
self-signed enrollment
subject-name cn=IOS-Self-Signed-Certificate-576698624
revocation-check none
rsakeypair TP-self-signed-576698624

I need to remove it on a 2960 switch.
By running the command:
no crypto pki trustpoint TP-self-signed-576698624

will my switch reboot?

Why would you want to remove that part of the config?

If you do remove it and if the switch still has http secure-server enabled then the switch will generate a new self signed certificate.

If you do remove it the switch would not reboot.

HTH

Rick
Review Cisco Networking for a $25 gift card