Certificate appears in running config file on some 2950 & 2960 Catalyst switches

Answered Question

Hi !


I noticed we have:


crypto pki trustpoint TP-self-signed-658104832
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-658104832
 revocation-check none
 rsakeypair TP-self-signed-XXXXXXXXXX
!
!
crypto pki certificate chain TP-self-signed-658104832
 certificate self-signed 01
  3082024B 308201B4 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  30312E30 2C060355 04031325 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 36353831 30343833
  ...
  89E2E95E DD67B633 D97DEDC6 33D76F
  quit


and on the other switches none of those appear in their running configuration.


We always use the same command to create the certificate: "crypto key generate rsa general-keys modulus 1024"

from configuration terminal mode, and all switches have the same IOS version on them.... We always use a template to configure all of our switches and after that add some specific configuration to them depending on the needs....


I noticed the same switch last week did not have the certificate in its running configuration and today the certificate appears on it.... the only thing I did on this switch was the login banner and the snmp-server location string.... which I think have no relation to the switch certificate.


We have noticed the same issue on our switches running on the 2950 platform.

Correct Answer by Mark Yeates, Tue, 09/09/2008 - 07:53

Yes you can remove these from the config. All you need to do is remove the certificate and trust point. You can just copy and paste the output below to remove the certificate from your config.



no crypto pki certificate chain TP-self-signed-658104832

no crypto pki trustpoint TP-self-signed-658104832


HTH,

Mark

Richard Burts Mon, 09/08/2008 - 08:28

Christian


Have you perhaps enabled ip http server or ip http secure-server? I believe that these may bring the certificate information into the configuration.


HTH


Rick

I have found a device on which the certificate is not in the running configuration. On that device the ip http server and ip http secure-server were disabled before generation of the RSA key.


(I see your reasoning in your previous post.)

I have regenerated the RSA key and now the certificate appears in the running configuration. If I disable http server/secure-server, regenerate the RSA key and reload the switch, the certificate still appears in the running-config file but not in the startup-config file.


Is it possible to make the certificate not appear in the running config file after the http server was enabled/disabled on the switch? Without removing the certificate on all switches and regenerating it after that?


thanks a lot !!

Richard Burts Mon, 09/08/2008 - 09:32

Christian


When the certificate has been generated I am not sure that it will go away just because you disable http server/secure-server. But if you disable secure-server and reload what happens? (or delete the certificate without needing to reload)


HTH


Rick

Hi !


If I only disable the http server and secure-http server the certificate is left intact (same thing after a reload).


Because we are using SSH to access our switches we need the certificate on all switches.... if I want to remove the RSA certificate I would have to:

  log in to my switch to permit telnet
  log in over a telnet session and remove the RSA certificate
  (maybe reload the switch)
  recreate the RSA certificate
  permit only ssh for the line vty sessions
  log in over ssh to save my configuration....


I would have to do this process on all 2950 & 2960 switches (around 200 devices). I was hoping for an easier way to make all of our running configs look the same on all of our devices, but with definitely less administrative effort....

Christian,


Not 100% sure of the question and that may be due to the language barrier.


When you enter the "crypto key generate ..." command it will generate your keys. The command, when you save the config, will become part of your startup-config. The key data does not. When you reboot or reload the startup config to the running-config, it will generate a new key pair. So if you were to download and look at the startup-config with a text editor, you will not see the key data.


Some IOS levels allow you to hide key data. You use the "archive" command followed by "hidekey" commands. Again, it depends upon your IOS level whether that command is available, and it is relatively new.


If you use a template or script to configure your switches, all you would need is the "crypto key generate ..." (with your specific parameters) in the template or script.


If you want to remove the rsa key from the config, you only need to remove the "crypto key generate ..." line from the config. Upon reboot, the key will go away.


I hope this has answered your questions.



Richard Burts Mon, 09/08/2008 - 12:25

Christian


The discussion provided by James is nice and is entirely focused on the RSA key functions, which is part of what you have been talking about. It makes me think that perhaps the discussion has changed focus and perhaps we need to clarify what we are talking about. As I understand it the original question was about the self signed certificate that is part of the config of some (but not most) of your devices. As the discussion has gone on it seems that we are talking more about RSA keys.


Note that the self signed certificate is different from RSA keys. RSA keys are certainly required for SSH. But the self signed certificate is not required to be able to do SSH.


So do you want a discussion about self signed certificate or about RSA keys?


HTH


Rick


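An added example, not from any poster in this thread: a small Python audit that parses an IOS running-config into its top-level sections, reports whether a TP-self-signed trustpoint and certificate chain are present alongside ip http server / ip http secure-server (Rick's hypothesis), and emits the two cleanup commands Mark gave so the same check can be run over the ~200 pulled configs. The sample config and the numbers in it are constructed to mirror the output in the question.

```python
import re

# Constructed sample modelled on the thread's output; the certificate body is truncated.
SAMPLE_CONFIG = """\
ip http server
ip http secure-server
crypto pki trustpoint TP-self-signed-658104832
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-658104832
 revocation-check none
 rsakeypair TP-self-signed-658104832
!
crypto pki certificate chain TP-self-signed-658104832
 certificate self-signed 01
  3082024B 308201B4 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  quit
"""

SELF_SIGNED = re.compile(r"^crypto pki (trustpoint|certificate chain) (TP-self-signed-\S+)$")

def parse_sections(config):
    """Split an IOS config into (header, [child lines]); IOS indents children with spaces."""
    sections = []
    for line in config.splitlines():
        if not line.strip() or line.strip() == "!":
            continue  # blank lines and '!' separators carry no configuration
        if not line.startswith(" "):
            sections.append((line.rstrip(), []))
        elif sections:
            sections[-1][1].append(line.strip())
    return sections

def audit(config):
    """Report self-signed trustpoints/chains and whether the HTTP servers are enabled."""
    headers = [h for h, _ in parse_sections(config)]
    found = {"trustpoint": set(), "certificate chain": set()}
    for h in headers:  # only top-level headers; 'rsakeypair ...' is a child and is skipped
        m = SELF_SIGNED.match(h)
        if m:
            found[m.group(1)].add(m.group(2))
    return {"trustpoints": sorted(found["trustpoint"]),
            "cert_chains": sorted(found["certificate chain"]),
            "http_server": "ip http server" in headers,
            "http_secure_server": "ip http secure-server" in headers}

def removal_commands(report):
    """Cleanup commands in the order Mark gave: certificate chain first, then trustpoint."""
    return [f"no crypto pki certificate chain {n}" for n in report["cert_chains"]] + \
           [f"no crypto pki trustpoint {n}" for n in report["trustpoints"]]
```

Feed each switch's "show running-config" output to audit() and diff the reports to find the devices that differ from the template.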
