Unintentional pki key generation when I want only rsa key generation

Answered Question
Apr 9th, 2008

Hi there,

Several times now (once on a 2960 and once on a 3560) I have generated RSA keys for use with ssh by issuing the following command: #crypto key generate rsa general-keys modulus 2048

The rsa keys are generated successfully and ssh to the switch works. HOWEVER when I reload the switch it generates its own pki self signed keys as well.

These pki keys do not present themselves in the config until after the reload of the switch. I don't know why these pki keys are being generated. I am not intentionally configuring the switch to generate pki keys. So I am unclear why this is happening. Can anyone tell me what I am doing wrong? Thanks for any info.

Correct Answer
hadbou Tue, 04/15/2008 - 10:09

If a CA trustpoint is not configured for the device running the HTTPS server, the server certifies itself and generates the needed RSA key pair. This is why the key pair is generated automatically after reload.

Check if "hostname" and "domain names" and "CA TRUSTPOINT" are configured using the command "show running-config".

For more info on Configuring a CA Trustpoint and the Switch for Secure Socket Layer HTTP refer:

http://www.cisco.com/en/US/docs/switches/lan/catalyst2960/software/release/12.2_44_se/configuration/guide/2960SCG.pdf
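
The check described in the answer above, as an added example that is not part of the original thread: a Python script that reads "show running-config" output and reports the hostname, domain name, trustpoints, and whether the HTTPS server is enabled with no CA trustpoint. The sample config and every name in it are constructed, and the script assumes an enabled HTTPS server appears as the line "ip http secure-server".

```python
import re

# Constructed sample of "show running-config" output after a reload (not from the post).
SAMPLE = """\
hostname SW1
ip domain-name example.com
!
crypto pki trustpoint TP-self-signed-1234567890
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1234567890
 revocation-check none
 rsakeypair TP-self-signed-1234567890
!
ip http server
ip http secure-server
"""

def audit(config):
    """Report the items the answer says to look for in the running config."""
    found = {"hostname": None, "domain_name": None, "https_server": False,
             "ca_trustpoints": [], "self_signed_trustpoints": []}
    current = None  # name of the trustpoint block being read, if any
    for raw in config.splitlines():
        line = raw.rstrip()
        tp = re.match(r"crypto (?:pki|ca) trustpoint (\S+)$", line)
        if tp:
            current = tp.group(1)
            found["ca_trustpoints"].append(current)  # CA-enrolled until shown otherwise
        elif current and line.startswith(" "):
            # Indented lines belong to the current trustpoint block.
            if line.strip() == "enrollment selfsigned" and current in found["ca_trustpoints"]:
                found["ca_trustpoints"].remove(current)
                found["self_signed_trustpoints"].append(current)
        else:
            current = None
            if m := re.match(r"hostname (\S+)$", line):
                found["hostname"] = m.group(1)
            elif m := re.match(r"ip domain[- ]name (\S+)$", line):
                found["domain_name"] = m.group(1)
            elif line == "ip http secure-server":
                found["https_server"] = True
    # Condition from the answer: HTTPS server running with no CA trustpoint configured.
    found["server_self_certifies"] = found["https_server"] and not found["ca_trustpoints"]
    return found

if __name__ == "__main__":
    for key, value in audit(SAMPLE).items():
        print(f"{key}: {value}")
```
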

pgarciaCCO Tue, 04/15/2008 - 10:59

Hadbou,

Thank you for responding with an answer to my question and providing the URL where I can read more information. It is appreciated.

Pete.
