
Unintentional pki key generation when I want only rsa key generation

pgarciaCCO
Level 1

Hi there,

Several times now (once on a 2960 and once on a 3560) I have generated RSA keys for use with ssh by issuing the following command: #crypto key generate rsa general-keys modulus 2048.

The rsa keys are generated successfully and ssh to the switch works. HOWEVER when I reload the switch it generates its own pki self signed keys as well.

These pki keys do not present themselves in the config until after the reload of the switch. I don't know why these pki keys are being generated. I am not intentionally configuring the switch to generate pki keys. So I am unclear why this is happening. Can anyone tell me what I am doing wrong? Thanks for any info.

Accepted Solutions

hadbou
Level 5

If a CA trustpoint is not configured for the device running the HTTPS server, the server certifies itself and generates the needed RSA key pair. This is why the key pair is generated automatically after reload.

Check if "hostname" and "domain names" and "CA TRUSTPOINT" are configured using the command "show running-config".

For more info on Configuring a CA Trustpoint and the Switch for Secure Socket Layer HTTP refer:

http://www.cisco.com/en/US/docs/switches/lan/catalyst2960/software/release/12.2_44_se/configuration/guide/2960SCG.pdf
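
The check suggested in the answer above can be run over a saved "show running-config" capture. The following is an added example, not part of the original post or Cisco's own tooling. The sample configuration is constructed, the function name is hypothetical, and it assumes the HTTPS server shows up as an explicit `ip http secure-server` line and that self-signed trustpoints use the `TP-self-signed-` name prefix.

```python
import re

# Constructed sample of "show running-config" output (not from the thread).
SAMPLE_CONFIG = """\
hostname SW1
!
ip domain-name example.com
!
crypto pki trustpoint TP-self-signed-1234567890
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1234567890
 revocation-check none
 rsakeypair TP-self-signed-1234567890
!
ip http server
ip http secure-server
"""

def audit_https_identity(config: str) -> dict:
    """Report hostname, domain name, trustpoints and HTTPS server state."""
    def first(pattern):
        m = re.search(pattern, config, re.MULTILINE)
        return m.group(1) if m else None

    # Older images write "crypto ca trustpoint"; accept both spellings.
    trustpoints = re.findall(r"^crypto (?:pki|ca) trustpoint (\S+)",
                             config, re.MULTILINE)
    self_signed = [t for t in trustpoints if t.startswith("TP-self-signed-")]
    ca_trustpoints = [t for t in trustpoints if t not in self_signed]
    # Anchored at line start, so "no ip http secure-server" does not match.
    https_on = re.search(r"^ip http secure-server\s*$",
                         config, re.MULTILINE) is not None
    return {
        "hostname": first(r"^hostname (\S+)"),
        "domain_name": first(r"^ip domain[- ]name (\S+)"),
        "https_server_enabled": https_on,
        "ca_trustpoints": ca_trustpoints,
        "self_signed_trustpoints": self_signed,
        # Per the answer: HTTPS server on and no CA trustpoint configured
        # means the switch certifies itself and generates a key pair.
        "will_self_certify": https_on and not ca_trustpoints,
    }

if __name__ == "__main__":
    for key, value in audit_https_identity(SAMPLE_CONFIG).items():
        print(f"{key}: {value}")
```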

Hadbou,

Thank you for responding with an answer to my question and providing the URL where I can read more information. It is appreciated.

Pete.
