05-08-2012 02:13 AM - edited 03-07-2019 06:34 AM
Hi,
I have a core switch (4506E) connected to 6 edge switches (2960).
Each switch is configured with crypto pki trustpoint TP-self-signed.
What is this exactly and what is its use?
Also, when I connect another 2960 to the core, it automatically takes this crypto config.
I don't understand this.
Help me on this.
05-08-2012 02:29 AM
Hello Vishal,
The command is a security command related to PKI (public key infrastructure).
The command defines an object that can be trusted (trustpoint) with the name TP-self-signed, which roughly means a security certificate is locally generated.
This should be a default of newer IOS images in order to prepare the devices for secure management via, for example, SSH and the use of certificates.
In other words, if you are managing your devices with telnet only, these commands have no effect in your scenario.
see
Edit:
The following is an example of a series of commands on a C1811 router taken from another thread:
crypto pki trustpoint TP-self-signed-4147111382
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-4147111382
revocation-check none
rsakeypair TP-self-signed-4147111382
!
Hope to help
Giuseppe
05-08-2012 05:20 AM
Hi Giuseppe,
Thanks for the reply, it helped me.
We use SSH to manage switches.
Is this the automatic configuration that the switch does itself, or do we have to do it?
Can we remove this config, and if removed, what will happen?
05-08-2012 06:33 AM
Hello Vishal,
Because you are using SSH to manage the switches and it is not clear if authentication is based on certificates or other means, I would not remove those commands from your devices.
Hope to help
Giuseppe
12-11-2012 04:55 AM
Hi All,
I have a virtual 3640 router on GNS3 and am trying to discover it on CCP, but it fails with "security certificate rejected". How do I fix this? The example on Cisco help, to type commands about "TP-self-signed xxxxx", does not work; I obviously need specific wording for my setup. Can anyone help please? Thanks
04-21-2017 04:52 AM
Dear Giuseppe Larosa,
I have an 841 router. After a factory reset I am unable to find "crypto pki certificate chain TP-self-signed".
How can I generate "crypto pki certificate"? Please guide.
As per your above comment, "TP-self-signed-4147111382", how can I find this number for my router?
In the current running config I can't see crypto pki certificate.
Thanks in advance.
08-24-2017 09:31 AM
Exactly - that is my question - how do we find out the number to use in the
crypto pki trustpoint TP-self-signed-1234567890
command? It isn't the serial number... the SN is in hex and has 11 characters.
How do we determine the 10-digit number to use with the above command?
Many thanks,
Sam
09-26-2017 04:11 AM
@Sam Sanders wrote: Exactly - that is my question - how do we find out the number to use in the
crypto pki trustpoint TP-self-signed-1234567890
command? It isn't the serial number... the SN is in hex and has 11 characters.
How do we determine the 10-digit number to use with the above command?
Many thanks,
Sam
I was also looking for that, spending 3 hours on the internet to find a solution.
I didn't want to just copy/paste configuration from another Cisco switch.
My problem was to find out how to get these lines:
crypto pki trustpoint TP-self-signed-2981184384
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2981184384
revocation-check none
rsakeypair TP-self-signed-2981184384
!
!
crypto pki certificate chain TP-self-signed-2981184384
certificate self-signed 01
In fact, the solution is so simple...
Just type:
conf t
ip http secure-server
Do a show run, and you will see the TP-self-signed number and all the rest....
11-06-2017 07:52 AM
Thanks for this.
I'm in the process of swapping out a switch from our network. I just couldn't figure out how those keys were generated on the old switch. I was sure it wasn't SSH... but did not think to check if it was HTTPS. Your post really helped...
Thanks.
09-07-2018 12:29 AM
Thanks for this.. finally found the solution to my long-time issue..
Just needed to re-do everything by..
#crypto key zeroize rsa
#no ip http secure-server
#crypto key generate rsa gen
#ip http secure-server
Thanks again!
02-04-2020 10:56 AM
Thanks for sharing this..... Quick question: since the TP-self-signed is generated by enabling HTTPS, does that imply that removing the expired TP-self-signed certificates using the command below will not impact our SSH access to those switches, but just HTTPS?
Router(config)#no crypto pki trustpoint TP-self-signed-2591590124
11-07-2023 08:06 AM
3 years late reply, but I came across this thread when trying to figure out the origin of this certificate, and I can say that removing it from my ISR router DID NOT affect SSH logins.
11-07-2023 11:53 AM
Thanks for sharing your experience about this quite old topic, and for verifying that removing the self-signed certificate did not impact SSH.
05-13-2024 03:13 AM
TO BE REMOVED:
crypto pki trustpoint TP-self-signed-576698624
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-576698624
 revocation-check none
 rsakeypair TP-self-signed-576698624
I need to remove it on a 2960 switch.
By running the command:
no crypto pki trustpoint TP-self-signed-576698624
will my switch reboot?
05-13-2024 06:52 AM
Why would you want to remove that part of the config?
If you do remove it, and if the switch still has http secure-server enabled, then the switch will generate a new self-signed certificate.
If you do remove it, the switch would not reboot.
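As an added example (not code from this thread, and not a Cisco tool), the Python script below ties together the two points made above: that `ip http secure-server` is what creates and re-creates the TP-self-signed trustpoint, and that before running `no crypto pki trustpoint ...` or `crypto key zeroize rsa` you want to know whether SSH shares the same RSA keypair. It parses a running-config excerpt and reports the trustpoint's enrollment, keypair, whether its `crypto pki certificate chain` block is present, whether HTTPS is enabled, and whether `ip ssh rsa keypair-name` pins SSH to the trustpoint's keypair. The sample config, its hostname and the trustpoint number are constructed for the example; the function names are my own.

```python
"""Audit Cisco IOS running-config text for self-signed PKI trustpoints.

Constructed example: SAMPLE_CONFIG is a hand-written excerpt, not taken from
a real device, and the TP-self-signed number in it is made up.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

SAMPLE_CONFIG = """\
hostname EDGE-SW1
!
crypto pki trustpoint TP-self-signed-1234567890
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1234567890
 revocation-check none
 rsakeypair TP-self-signed-1234567890
!
crypto pki certificate chain TP-self-signed-1234567890
 certificate self-signed 01
  3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
  (remaining hex body omitted in this constructed sample)
  quit
!
ip ssh version 2
ip http server
ip http secure-server
!
"""

TP_RE = re.compile(r"^crypto pki trustpoint (\S+)\s*$")
CHAIN_RE = re.compile(r"^crypto pki certificate chain (\S+)\s*$")


@dataclass
class Trustpoint:
    name: str
    enrollment: Optional[str] = None
    subject_name: Optional[str] = None
    revocation_check: Optional[str] = None
    rsakeypair: Optional[str] = None
    has_certificate: bool = False  # a 'certificate ...' line under its chain block


def parse_trustpoints(config: str) -> dict[str, Trustpoint]:
    """Walk the config once; indented lines belong to the last top-level block."""
    tps: dict[str, Trustpoint] = {}
    current: Optional[Trustpoint] = None   # inside 'crypto pki trustpoint'
    chain_for: Optional[str] = None         # inside 'crypto pki certificate chain'
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line.startswith((" ", "\t")):  # any top-level line ends a block
            current, chain_for = None, None
            m = TP_RE.match(line)
            if m:
                current = tps.setdefault(m.group(1), Trustpoint(m.group(1)))
                continue
            m = CHAIN_RE.match(line)
            if m:
                chain_for = m.group(1)
            continue
        sub = line.strip()
        if current is not None:
            key, _, value = sub.partition(" ")
            if key == "enrollment":
                current.enrollment = value
            elif key == "subject-name":
                current.subject_name = value
            elif key == "revocation-check":
                current.revocation_check = value
            elif key == "rsakeypair":
                current.rsakeypair = value
        elif chain_for is not None and sub.startswith("certificate "):
            tps.setdefault(chain_for, Trustpoint(chain_for)).has_certificate = True
    return tps


def https_enabled(config: str) -> bool:
    """Exact-line match so 'no ip http secure-server' does not count as enabled."""
    return any(l.rstrip() == "ip http secure-server" for l in config.splitlines())


def ssh_keypair_name(config: str) -> Optional[str]:
    """Keypair SSH is pinned to via 'ip ssh rsa keypair-name', if configured."""
    m = re.search(r"^ip ssh rsa keypair-name (\S+)", config, re.M)
    return m.group(1) if m else None


def audit(config: str) -> list[str]:
    """Return human-readable findings; an empty list means nothing to flag."""
    tps = parse_trustpoints(config)
    https = https_enabled(config)
    ssh_key = ssh_keypair_name(config)
    findings: list[str] = []
    self_signed = [tp for tp in tps.values() if tp.name.startswith("TP-self-signed-")]
    if https and not self_signed:
        findings.append("ip http secure-server is enabled but no TP-self-signed "
                        "trustpoint exists; IOS will generate one itself")
    for tp in self_signed:
        if not https:
            findings.append(f"{tp.name}: ip http secure-server is off, so this "
                            "trustpoint is leftover config")
        if not tp.has_certificate:
            findings.append(f"{tp.name}: no 'crypto pki certificate chain' block, "
                            "the certificate is missing")
        if tp.rsakeypair and tp.rsakeypair == ssh_key:
            findings.append(f"{tp.name}: SSH is pinned to its keypair "
                            f"{tp.rsakeypair}; zeroizing that key would break SSH")
    return findings


if __name__ == "__main__":
    for tp in parse_trustpoints(SAMPLE_CONFIG).values():
        print(tp)
    print("HTTPS enabled:", https_enabled(SAMPLE_CONFIG))
    print("Findings:", audit(SAMPLE_CONFIG) or "none")
```

Paste the output of `show running-config` into the string (or read it from a file) and run `audit()` on it; a clean result on the sample means the trustpoint, its certificate chain and HTTPS are all consistent. The SSH check only fires when `ip ssh rsa keypair-name` explicitly names the trustpoint's keypair; without that line IOS uses its default host key, which is why removing just the trustpoint, as reported above, left SSH alone.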