Question about the crypto pki command

clybumat1
Level 1

I am deploying a new 2960 and the config needs to be similar to the other switches in the environment.  I noticed the other switches have the below command:

crypto pki trustpoint TP-self-signed-938572645
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-938572645
 revocation-check none
 rsakeypair TP-self-signed-938572645
!
!
crypto pki certificate chain TP-self-signed-938572645

The number in bold is unique on every switch.  My question is, how do I determine what this number should be on the new switch?  I assume that only a portion of the command will be used and the number is generated automatically. But what portion?  I know that messing around with crypto commands can lock me out of the switch, so I want to make sure I do this right. lol

6 Replies

In general, you can just ignore these lines. Whenever you activate a function that needs a certificate (like the HTTPS-server), the device will configure itself a trustpoint and generate a self-signed certificate. That is what you see there. On the new switch, this will also happen automatically without you needing to configure anything for it.

Of course there is a better way:

When there is a CA in your organization, then you could configure each switch with a certificate from that CA. That would also remove the cert-warnings when accessing the switch on the GUI.

Or another way: If you don't need any webserver, just don't enable it and these commands won't appear in your config.
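A small audit of the behaviour described above, added here as an example that is not from the thread or from Cisco: it parses "crypto pki trustpoint" blocks out of a "show run" excerpt, then reports whether the HTTPS management server would present the device-generated self-signed certificate (the TP-self-signed-<N> name, whose number the admin never types) or a CA-issued one selected with "ip http secure-trustpoint". The sample config below is constructed from the block quoted in the question; the CORP-CA trustpoint name used when checking a CA-enrolled variant is an assumption.

```python
import re

# Constructed sample (not from a real switch): the trustpoint block quoted
# in the question plus the "ip http secure-server" line that generated it.
SAMPLE_CONFIG = """\
ip http secure-server
!
crypto pki trustpoint TP-self-signed-938572645
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-938572645
 revocation-check none
 rsakeypair TP-self-signed-938572645
!
crypto pki certificate chain TP-self-signed-938572645
line vty 0 4
 transport input ssh
"""

def parse_trustpoints(config):
    """Map each 'crypto pki trustpoint NAME' block to {subcommand: argument}."""
    trustpoints, current = {}, None
    for line in config.splitlines():
        m = re.match(r"crypto pki trustpoint (\S+)", line)
        if m:
            current = trustpoints.setdefault(m.group(1), {})
        elif line.startswith(" ") and current is not None:
            keyword, _, argument = line.strip().partition(" ")
            current[keyword] = argument
        else:
            current = None  # "!" or another top-level command ends the block
    return trustpoints

def audit_https_trustpoint(config):
    """Report which certificate the HTTPS server would present. Without
    'ip http secure-trustpoint', IOS generates TP-self-signed-<N> itself."""
    lines = config.splitlines()
    if "ip http secure-server" not in lines:
        return "HTTPS server disabled: no certificate needed"
    explicit = next((l.split()[-1] for l in lines if l.startswith("ip http secure-trustpoint ")), None)
    trustpoints = parse_trustpoints(config)
    if explicit is None:
        auto = [n for n in trustpoints if n.startswith("TP-self-signed-")]
        name = auto[0] if auto else "TP-self-signed-<N> (not yet in config)"
        return f"HTTPS uses device-generated self-signed trustpoint {name}"
    tp = trustpoints.get(explicit)
    if tp is None:
        return f"ip http secure-trustpoint {explicit} names a trustpoint that is not configured"
    if tp.get("enrollment") == "selfsigned":
        return f"{explicit} is self-signed: browsers will warn when opening the GUI"
    return f"{explicit} enrolls via '{tp.get('enrollment')}': CA-issued certificate"
```

Run it over "show running-config" output saved from each switch to see which ones still serve the auto-generated certificate on the GUI and which use a CA trustpoint.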

Thanks for the reply.  I'm trying to find something in the config that would be activating the function that would need a certificate, and I'm not seeing anything (no HTTPS-server.)  It does have the transport input ssh command on the line vty.  Could that be what is generating it? 

Thanks again.

The https-server is a "ip http secure-server" in the config. SSH is not responsible for that as it doesn't use certificates by default. What is the output of the following command?

sh run | inc TP-self-signed-938572645

I do have "ip http secure-server" command on the new switch, but the crypto lines are not there..

Output from command on completed switch:

sho run | incl  TP-self-signed-938572645
crypto pki trustpoint TP-self-signed-938572645
 rsakeypair TP-self-signed-938572645
crypto pki certificate chain TP-self-signed-938572645

As far as I remember, that's a behavior of older (very old?) IOS versions. But if it's a new device, I would expect it to run something like 15.2 or 15.0. If you run an older version for some reason, there could be corresponding "crypto ca ..." config or none of these commands. But with an actual IOS, it would be normal to have this trustpoint-config on the device.

Thanks Karsten.  It was the "ip http secure-server" command that generated the crypto command and key. 
