04-03-2014 08:30 AM - edited 03-07-2019 06:58 PM
I am trying to create a very SIMPLE - initial config for my 2960x switches and after some initial settings I perform a show run and all looks OK. Then when I perform a write mem and log back in, I see a major change to the running config with numerous crypto pki lines, approx 30 of them. What are they and why were they created without consent?
04-03-2014 08:59 AM
Are you using something like SSH?
The rest of the configuration is still there?
04-03-2014 09:33 AM
You are seeing your RSA key used for SSH. These are created with
#crypto key generate rsa mod <string length>
I think enabling SSH will automatically create the key with a short modulus.
04-03-2014 09:41 AM
If you are using a K9 version I think that gets created if you do not turn off the ip http secure-server option. Those are crypto information for that. It is not an SSH key.
04-03-2014 10:16 AM
I use telnet and web manager. This is no different than what I have been using for the past 8 years. I did not manually generate or create any keys. Why have I never seen this in my router and firewall configs?
The only K9 I know of was Dr. Who's companion...................
04-03-2014 10:29 AM
Which IOS version do you have?
Can you share a few examples of those pki lines you are seeing?
04-03-2014 10:41 AM
V 15.0
crypto pki trustpoint TP-self-signed..............
enrollment selfsigned
subject-name cn
rsakeypair TP-self-signed...................
etc., etc., etc.,
04-03-2014 10:43 AM
I know you see them in switches like the 2960, 3750, 3560 etc., and they are there by default. I believe this is caused by using the ip http secure-server (https) command. If you just use http instead it may not show up, and if you turn it off I believe it may go away: no ip http secure-server. Though I'm not sure if that will happen until you reload the box. If you are using the secure web interface then obviously you can't pull it.
04-04-2014 04:26 AM
Glen, you were the correct answer. After extensive tests I found that if I turn off the default http secure-server, the pki hash does not appear on the show run config. Thanks also to Rolando for his help and concern. I guess my other Cisco components were of an age that secure-server was not defaulted.
In my case, https is unnecessary for use of device manager. I also find it extremely unnecessary within the IOS config run to display the 20-30 lines of PKI hash just because http secure-server is set to default. If this were important, why then does the IOS not display the full config of the interfaces as in "show interfaces" on the show run config? I guess I am just particular in this sense to maintain straight-forward and precise config documents for maintenance history. Not that the pki hash print may not be necessary, it is gee-whiz.
Thanks all...
04-04-2014 04:52 AM
The "secure" part of secure server means that it encrypts data for transmission using SSL rather than transmitting in clear text as http server does. When you use SSL it requires an SSL certificate. So when secure server is enabled (either done manually or by default) then the router generates an SSL certificate and includes that in the config.
The general principle is that when something is not part of the standard default config and it gets added then it shows up in the running config. The SSL certificate is not part of the standard running config. So when it is generated it shows up in the running config. And if you were using the secure server and if there were a problem about it and you were troubleshooting the problem then you might be very glad that the certificate was in the config because it would become part of your troubleshooting.
You may find it odd that secure server is on by default but that the certificate is not part of the default config. And maybe it is odd. But that is the way that IOS was created and that is part of what it does.
HTH
Rick
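The relationship Rick describes (secure-server enabled, so a self-signed trustpoint and its certificate chain land in the running config) is easy to check mechanically when reviewing saved configs. The following is an added example written for this thread, not Cisco code and not part of any post: it parses a constructed running-config fragment, reports whether HTTPS is enabled, extracts each crypto pki trustpoint block, counts how many lines the PKI material occupies, and flags the points a reviewer would care about (self-signed certificate that clients cannot verify, plaintext HTTP still enabled alongside HTTPS). The hostname, trustpoint serial and the truncated hex certificate body in the sample are constructed placeholders.

```python
from typing import Dict, List

# Constructed sample: a fragment of an IOS running-config of the kind
# described in the thread. The certificate hex body is shortened to a
# placeholder line; the trustpoint serial is a made-up value.
SAMPLE_RUNNING_CONFIG = """\
version 15.0
hostname SW-2960X-1
!
ip http server
ip http secure-server
!
crypto pki trustpoint TP-self-signed-0000000001
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-0000000001
 revocation-check none
 rsakeypair TP-self-signed-0000000001
!
crypto pki certificate chain TP-self-signed-0000000001
 certificate self-signed 01
  3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
  PLACEHOLDER-HEX-LINES-TRUNCATED
  quit
!
interface Vlan1
 ip address 192.0.2.10 255.255.255.0
!
end
"""


def https_enabled(config: str) -> bool:
    """True when 'ip http secure-server' is present and not negated."""
    lines = {line.strip() for line in config.splitlines()}
    return "ip http secure-server" in lines and "no ip http secure-server" not in lines


def parse_trustpoints(config: str) -> Dict[str, Dict[str, str]]:
    """Map each 'crypto pki trustpoint <name>' block to its sub-commands.

    Sub-command lines are indented by one space in IOS output; the block
    ends at the first non-indented line (usually '!').
    """
    trustpoints: Dict[str, Dict[str, str]] = {}
    current = None
    for line in config.splitlines():
        if line.startswith("crypto pki trustpoint "):
            current = line.split()[-1]
            trustpoints[current] = {}
        elif current is not None and line.startswith(" "):
            parts = line.strip().split(None, 1)
            trustpoints[current][parts[0]] = parts[1] if len(parts) > 1 else ""
        else:
            current = None
    return trustpoints


def pki_line_count(config: str) -> int:
    """Count the lines occupied by 'crypto pki ...' blocks (trustpoints and
    certificate chains), i.e. the lines the original poster wanted gone."""
    count, inside = 0, False
    for line in config.splitlines():
        if line.startswith("crypto pki "):
            inside = True
        elif inside and not line.startswith(" "):
            inside = False
        if inside:
            count += 1
    return count


def audit(config: str) -> List[str]:
    """Return human-readable findings about the HTTP(S) management surface."""
    findings: List[str] = []
    lines = {line.strip() for line in config.splitlines()}
    https = https_enabled(config)
    trustpoints = parse_trustpoints(config)

    for name, attrs in trustpoints.items():
        if attrs.get("enrollment") == "selfsigned":
            findings.append(
                f"trustpoint {name}: self-signed certificate; browsers cannot "
                "verify the switch identity without pinning or a CA-issued cert"
            )
        if attrs.get("revocation-check") == "none":
            findings.append(f"trustpoint {name}: revocation checking disabled")

    if https and "ip http server" in lines:
        findings.append(
            "plaintext HTTP management is enabled alongside HTTPS; credentials "
            "sent to the http server are not protected"
        )
    if not https and trustpoints:
        findings.append(
            "HTTPS is disabled but PKI material remains in the config; expect "
            "it to stay until the trustpoint is removed or the box is reloaded"
        )
    return findings


if __name__ == "__main__":
    print(f"https enabled: {https_enabled(SAMPLE_RUNNING_CONFIG)}")
    print(f"pki lines in config: {pki_line_count(SAMPLE_RUNNING_CONFIG)}")
    for finding in audit(SAMPLE_RUNNING_CONFIG):
        print("-", finding)
```

Run it against the output of "show running-config" captured to a file instead of the embedded sample to see the same checks on a real device. The self-signed finding is the one worth acting on: device manager over HTTPS with the default TP-self-signed certificate still encrypts the session, but the browser has no way to tell the real switch from an impostor presenting its own self-signed certificate, so either install a CA-issued certificate or restrict management access to a trusted network.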
04-04-2014 05:46 AM
Thanks Rick but I understand all that. Secure Sockets Layer is just overkill in this case.
04-03-2014 10:45 AM
OK, here is what I did. I only added a username and added an IP and mask to vlan 1. I then did a write mem and then a reload. After the restart the config came back with the crypto pki lines. The ip http secure-server is on by default, so I will try to disable it.
04-03-2014 02:14 PM
Glen is quite right about where these lines came from (so +5 for Glen). You can disable the secure server but I do not think that you really want to do this. In a previous post you told us "I use telnet and web manager." and I suspect that what you are calling web manager is what Cisco is calling secure server.
HTH
Rick