Crypto PKI Trustpoint

Dear forum members, I have a question to ask you before I move on.

While I was building a switch config, I had a pretty similar config from another switch, with crypto pki self signed certificate generated.

When I changed the VLAN IPs and some other minor information, I loaded the config to a new switch.

By doing so I found out the hard way that https://managementip of the switch was not working and this was due to a certificate error.  DUH.

Of course it would not work, since I was pretty much loading a self-signed certificate from another switch.

The resolution is simple.

config t

no crypto pki trustpoint  <name of self signed cert>

then I deleted the existing key

config t

crypto key zeroize rsa

and I had to reload the device and after I reloaded successfully, I did the following

config t

crypto key generate rsa gen    

ip http secure-server

the keys were generated and I was able to fix the issue.

MY QUESTION is, can I get away with the same process without having to reboot the switch? If I need to reboot the switch, will I lose access to the switch using SSH?

The only reason I am asking is because this switch is in another country and I do not have a console cable plugged in to it.

I would appreciate your help on this matter.

AS


cadet alain
VIP Alumni

Hi,

as soon as you enter ip http secure-server you're good to go with https.

for ssh you have to do crypto key generate rsa after clearing old rsa keys with the zeroize command, but then you will lose your ssh connection

but you don't need to reboot.

But you can make your keys exportable for routers: http://www.cisco.com/en/US/docs/ios/12_2t/12_2t15/feature/guide/ft_key.html

maybe the same goes for switch?


Regards.

alain.

Don't forget to rate helpful posts.

Thank you for your reply. So in other words, if I disable ssh and I do transport input telnet and transport output telnet,

and then do

config t

no ip http secure-server

no crypto pki trustpoint

crypto key zeroi

and then regenerate the keys and reenable ssh

transport input ssh

and

transport output ssh

once I have generated the new keys.

I should be able to do what I need to do successfully right?

Thank you and I would appreciate your reply on the matter.

AS

Hi,

I would do this:

-no ip http secure-server

-line vty

  transport input telnet ssh

-crypto key zeroize rsa

-crypto key generate rsa

-ip http secure-server

-line vty

  transport input ssh

Regards.

alain.

Don't forget to rate helpful posts.
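The sequence above, written out as a full Cisco IOS configuration session with the checks a remote operator would want before closing the window. This is an added example, not a configuration posted in the thread; the vty range (0 4), the ACL name MGMT-ONLY, the management subnet 192.0.2.0/24 and the trustpoint name TP-self-signed-1 are placeholders you replace with the values shown by `show crypto pki trustpoints` and your own network.

```cisco
! Added example (not from the thread): regenerate the RSA key pair and the
! self-signed HTTPS certificate on a Cisco IOS switch while keeping a
! fallback management path open, so a remote switch is not locked out.
! Assumed placeholders: vty 0 4, ACL MGMT-ONLY, subnet 192.0.2.0/24,
! trustpoint TP-self-signed-1 (read the real name from
! "show crypto pki trustpoints").
configure terminal
!
! 1. Temporary fallback so the current SSH session is not the only way in.
!    Telnet is cleartext, so limit it to the management subnet for the few
!    minutes it is enabled.
ip access-list standard MGMT-ONLY
 permit 192.0.2.0 0.0.0.255
 exit
line vty 0 4
 access-class MGMT-ONLY in
 transport input telnet ssh
 exit
!
! 2. Remove the certificate and key pair that were copied in from the other
!    switch. Both commands ask for confirmation; answer yes.
no ip http secure-server
no crypto pki trustpoint TP-self-signed-1
crypto key zeroize rsa
!
! 3. Generate a fresh key pair on this switch (2048 bits or larger).
crypto key generate rsa modulus 2048
!
! 4. Re-enable HTTPS, which builds a new self-signed trustpoint from the new
!    key, and pin SSH to version 2.
ip http secure-server
ip ssh version 2
!
! 5. Close the fallback: SSH only again, ACL kept in place.
line vty 0 4
 transport input ssh
 exit
end
!
! Verify from the still-open session before logging out.
show crypto key mypubkey rsa
show ip ssh
show crypto pki certificates
```

Two things to expect after step 3: any SSH client that had stored the old host key will warn that the host identification has changed, so verify the new fingerprint from `show crypto key mypubkey rsa` out of band rather than blindly accepting it; and the new self-signed certificate will again be untrusted by browsers until it is explicitly accepted or replaced by one from your CA.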

cadetalain, thank you for your reply. Prior to reading your second message, this is exactly what I did. It now works.

I appreciate your collaboration on this matter.

Thank you and have a great day
