Solved: Question about the crypto pki command

clybumat1 · ‎01-31-2017

I am deploying a new 2960 and the config needs to be similar to the other switches in the environment. I noticed the other switches have the below command:

crypto pki trustpoint TP-self-signed-938572645
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-938572645
revocation-check none
rsakeypair TP-self-signed-938572645
!
!
crypto pki certificate chain TP-self-signed-938572645

The number in bold is unique on every switch. My question is, how do I determine what this number should be on the new switch? I assume that only a portion of the command will be used and the number is generated automatically.. But what portion? I know that messing around with crypto commands can lock me out of the switch, so I want to make sure I do this right.. lol

Karsten Iwen · ‎01-31-2017

The https-server is a "ip http secure-server" in the config. SSH is not responsible for that as it doesn't use certificates by default. What is the output of the following command?

sh run | inc TP-self-signed-938572645

View solution in original post

Karsten Iwen · ‎01-31-2017

In general, you can just ignore these lines. Whenever you activate a function that needs a certificate (like the HTTPS-server), the device will configure itself a trustpoint and generrate a self-signed certificate. That is what you see there. On the new switch, this will also happen automatically without that you need to configure anything for it.

Of course there is a better way:

When there is a CA in your organization, then you could configure each switch with a certificate from that CA. That would also remove the cert-warnings when accessing the switch on the GUI.

Or another way: If you don't need any webserver, just don't enable it and these commands won't appear in your config.

clybumat1 · ‎01-31-2017

Thanks for the reply. I'm trying to find something in the config that would be activating the function that would need a certificate, and I'm not seeing anything (no HTTPS-server.) It does have the transport input ssh command on the line vty. Could that be what is generating it?

Thanks again.

Karsten Iwen · ‎01-31-2017

The https-server is a "ip http secure-server" in the config. SSH is not responsible for that as it doesn't use certificates by default. What is the output of the following command?

sh run | inc TP-self-signed-938572645

clybumat1 · ‎01-31-2017

I do have "ip http secure-server" command on the new switch, but the crypto lines are not there..

Output from command on completed switch:

sho run | incl TP-self-signed-938572645
crypto pki trustpoint TP-self-signed-938572645
rsakeypair TP-self-signed-938572645
crypto pki certificate chain TP-self-signed-938572645

Karsten Iwen · ‎01-31-2017

As far as I remember, that's a behavior of older (very old?) IOS versions. But if it's a new device, I would expect it to run something like 15.2 or 15.0. If you run an older version for some reason, there could be corresponding "crypto ca ..." config or none of these commands. But with an actual IOS, it would be normal to have this trustpoint-config on the device.

clybumat1 · ‎01-31-2017

Thanks Karsten. It was the "ip http secure-server" command that generated the crypto command and key.