01-31-2017 05:46 AM - edited 03-08-2019 09:07 AM
I am deploying a new 2960 and the config needs to be similar to the other switches in the environment. I noticed the other switches have the below command:
crypto pki trustpoint TP-self-signed-938572645
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-938572645
revocation-check none
rsakeypair TP-self-signed-938572645
!
!
crypto pki certificate chain TP-self-signed-938572645
The number (938572645) is unique on every switch. My question is, how do I determine what this number should be on the new switch? I assume that only a portion of the command will be used and the number is generated automatically. But what portion? I know that messing around with crypto commands can lock me out of the switch, so I want to make sure I do this right. lol
Labels: Other Switching
01-31-2017 06:08 AM
In general, you can just ignore these lines. Whenever you activate a function that needs a certificate (like the HTTPS-server), the device will configure itself a
Of
When there is a CA in your organization, then you could configure each switch with a certificate from that CA. That would also remove the cert-warnings when accessing the switch on the GUI.
Or another way: If you don't need any
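The advice above (ignore the TP-self-signed-* lines; the switch regenerates them when a service such as the HTTPS server needs a certificate) matters in practice when you template a new switch from an existing one: the trustpoint name, the RSA key pair and the certificate blob in the `crypto pki certificate chain` block are all bound to the old device, so pasting them into a new 2960 gains nothing. The following is an added example, not code from the thread, that strips those auto-generated blocks from a saved running-config before it is reused as a template, and also reports which self-signed trustpoints were present and whether `ip http secure-server` (the command that creates them) is configured. The sample config and the certificate hex inside it are constructed filler, not a real certificate.

```python
import re
from typing import List

# Constructed sample, modelled on the config quoted in the thread.
# The hex lines are filler, not a real certificate.
SAMPLE_CONFIG = """\
hostname SW-OLD
!
crypto pki trustpoint TP-self-signed-938572645
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-938572645
 revocation-check none
 rsakeypair TP-self-signed-938572645
!
!
crypto pki certificate chain TP-self-signed-938572645
 certificate self-signed 01
  30820229 30820192 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
  0D0D0D0D 0D0D0D0D
  quit
!
ip http server
ip http secure-server
!
line vty 0 4
 transport input ssh
!
end
"""

# Top-level lines that open an auto-generated self-signed PKI block.
SELF_SIGNED_BLOCK = re.compile(
    r"^crypto pki (trustpoint|certificate chain) TP-self-signed-\d+\s*$"
)


def strip_self_signed_pki(config: str) -> List[str]:
    """Return the config lines with every TP-self-signed-* block removed.

    IOS writes each block as an unindented command followed by indented
    child lines (trustpoint options, or the certificate hex and 'quit'),
    so a block ends at the next line that does not start with a space.
    """
    out: List[str] = []
    skipping = False
    for line in config.splitlines():
        if SELF_SIGNED_BLOCK.match(line):
            skipping = True  # drop this line and its indented children
            continue
        if skipping:
            if line.startswith(" "):
                continue  # child line of the block being dropped
            skipping = False  # first unindented line ends the block
        out.append(line)
    return out


def self_signed_trustpoints(config: str) -> List[str]:
    """Names of the TP-self-signed-* trustpoints present, for a pre-deploy check."""
    return sorted({
        m.group(1)
        for m in re.finditer(r"^crypto pki trustpoint (TP-self-signed-\d+)", config, re.M)
    })


def generates_self_signed(config: str) -> bool:
    """True if the config enables the HTTPS server, which is what creates the trustpoint."""
    return re.search(r"^ip http secure-server\s*$", config, re.M) is not None


if __name__ == "__main__":
    print("self-signed trustpoints found:", self_signed_trustpoints(SAMPLE_CONFIG))
    print("HTTPS server enabled:", generates_self_signed(SAMPLE_CONFIG))
    print("\n".join(strip_self_signed_pki(SAMPLE_CONFIG)))
```

The `ip http secure-server` line is deliberately kept in the output: it is the part of the template that is portable, and on the new switch it is what triggers generation of a fresh key pair and trustpoint with that device's own number. If a CA-issued certificate is wanted instead, as the reply suggests, that enrollment is configured on the new device rather than carried over from the old one.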
01-31-2017 06:20 AM
Thanks for the reply. I'm trying to find something in the config that would be activating the function that would need a certificate, and I'm not seeing anything (no HTTPS server). It does have the transport input ssh command on the line vty. Could that be what is generating it?
Thanks again.
01-31-2017 06:29 AM (Accepted Solution)
The https-server is
sh run | inc TP-self-signed-938572645
01-31-2017 06:34 AM
I do have the "ip http secure-server" command on the new switch, but the crypto lines are not there.
Output from command on completed switch:
sho run | incl TP-self-signed-938572645
crypto pki trustpoint TP-self-signed-938572645
rsakeypair TP-self-signed-938572645
crypto pki certificate chain TP-self-signed-938572645
01-31-2017 06:43 AM
As far as I remember, that's a behavior of older (very old?) IOS versions. But if it's a new device, I would expect it to run something like 15.2 or 15.0. If you run an older version for some reason, there could be corresponding "crypto ca ..." config or none of these commands. But with a current IOS, it would be normal to have this
01-31-2017 11:10 AM
Thanks Karsten. It was the "ip http secure-server" command that generated the crypto command and key.
