cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1394
Views
5
Helpful
12
Replies
Highlighted
Beginner

Write MEM

I am trying to create a very SIMPLE - initial config for my 2960x switches and after some initial settings I perform a show run and all looks OK. Then when I perform a write mem and log back in, I see a major change to the running config with numerous crypto pki lines, approx 30 of them. What are they and why were they created without consent?

1 ACCEPTED SOLUTION

Accepted Solutions
Highlighted

   I know you see them in switches like the 2960, 3750,3560 etc ..  and they are there by default .  I believe this caused by using the command ip http secure-server (https)  function.  If you just use http instead it may not show up and I  if you turn it off i believe it may go away , no ip http secure-server . though i'm not sure if that will happen until you reload the box.If you are using the secure web interface then obviously you can't pull it .

View solution in original post

12 REPLIES 12
Highlighted

Are you using something like SSH?

The rest of the configuration is still there?

Highlighted
Beginner

You are seeing your RSA key used for SSH.  These are created with

 

#crypto key generate rsa mod <string length>

 

I think enabling SSH will automatically create the key with a short modulus.

Highlighted
Advisor

   If you are using a K9 version I think that gets created if you do not turn off the ip https server option .  Those are crypto information for that.  It is not any SSH key .

Highlighted
Beginner

I use telnet and web manager. This is no different than what I have been using for the past 8 years. I did not manually generate or create any keys. Why have I never seen this in my router and firewall configs?

The only K9 I know of was Dr. Who's companion...................

Highlighted

Which IOS version do you have?

Can you share a few example of those pki lines you are seeing.

Highlighted

V 15.0

 

crypto pki trustpoint TP-self-signed..............

enrollment selfsigned

subject-name cn

rsakeypair TP-sefl-signed...................

etc., etc., etc.,

Highlighted

   I know you see them in switches like the 2960, 3750,3560 etc ..  and they are there by default .  I believe this caused by using the command ip http secure-server (https)  function.  If you just use http instead it may not show up and I  if you turn it off i believe it may go away , no ip http secure-server . though i'm not sure if that will happen until you reload the box.If you are using the secure web interface then obviously you can't pull it .

View solution in original post

Highlighted

Glen, you were the correct answer. After extensive tests I found that if I turn off the default http secur-server, the pki hash does not appear on the show run config. Thanks also to Rolando for his help and concern. I guess my other Cisco components were of an age that secure-server was not defaulted.

I my case, https is unnecessary for use of device manager. I also find it extremely unnecessary within the IOS config run to display the 20-30 lines of PKI hash just because http secure-server is set to default. If this were improtant, why then does the IOS not display the full config of the interfaces as in "show interfaces" on the show run config? I guess I am just particular in this sense to maintain straight-forward and precise config documents for maintenance history. Not that the pki hash print may not be necessary, it is gee-wiz.

Thanks all...

 

 

Highlighted

The "secure" part of secure server means that it encrypts data for transmission using SSL rather than transmitting in clear text as http server does. When you use SSL it requires an SSL certificate. So when secure server is enabled (either done manually or by default) then the router generates an SSL certificate and includes that in the config.

 

The general principle is that when something is not part of the standard default config and it gets added then it shows up in the running config. The SSL certificate is not part of the standard running config. So when it is generated it shows up in the running config. And if you were using the secure server and if there were a problem about it and you were troubleshooting the problem then you might be very glad that the certificate was in the config because it would become part of your troubleshooting.

 

You may find it odd that secure server is on by default but that the certificate is not part of the default config. And maybe it is odd. But that is the way that IOS was created and that is part of what it does.

 

HTH

 

Rick

HTH

Rick
Highlighted

Thanks Rick but I understand all that. Secure Sockets Layer is just overkill in this case.

Highlighted
Beginner

OK, Here is what I did. I only added a username and added an IP and mask to vlan 1. I then did a write mem and then a reload. After the restart the config came back with the crypto pki lines. The Ip http secure-server is on by default, so I will try to disable,

 

 

Highlighted

Glen is quite right about where these lines came from (so +5 for Glen). You can disable the  secure server but I do not think that you really want to do this. In a previous post you told us "I use telnet and web manager." and I suspect that what you are calling web manager is what Cisco is calling secure server.

 

HTH

 

Rick

HTH

Rick
Content for Community-Ad