Crypto Certificates

Answered Question
Dec 13th, 2008

Folks:

How do I get rid of this crud?

crypto pki trustpoint TP-self-signed-230132480
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-230132480
 revocation-check none
 rsakeypair TP-self-signed-230132480
!
!
crypto pki certificate chain TP-self-signed-230132480
 certificate self-signed 01


I deleted it

hv1sw004-c07#conf t
Enter configuration commands, one per line. End with CNTL/Z.
hv1sw004-c07(config)#no crypto pki trustpoint TP-self-signed-230132480
% Removing an enrolled trustpoint will destroy all certificates
received from the related Certificate Authority.

Are you sure you want to do this? [yes/no]: yes
% Be sure to ask the CA administrator to revoke your certificates.
hv1sw004-c07(config)#

...saved the config, but they re-appear after rebooting the switch.

Why does it do that?

I'm running /c3750-ipbasek9-mz.122-35.SE5.bin.

What gives?

Thanks


williamsdo@si.edu Sun, 12/14/2008 - 13:46

Hi, I read your post and I can see this is a crypto certificate that was set up on your device using RSA keys; this is a complicated subject. I believe the command is "crypto key generate rsa".

I don't know if there is a "no" command for this or not, but have a look at the document I attached for more information.

http://www.cisco.com/en/US/docs/ios/12_3t/12_3t4/feature/guide/gtrsapem.html

lamav Sun, 12/14/2008 - 15:18

Thanks for the link, although I'm not sure what I should get out of it.

I can delete the certificates (see original post), and wipe them out of the configuration. However, once I reboot the switch, the certificates are generated again on their own.

It seems like the "trustpoint" is the switch itself -- not sure what the implications of that are.

My client has purchased hundreds of these 3750s in the last 3 months, and I have turned up almost all of them, with only a few exhibiting this behavior. I don't see any configuration command that may be causing this behavior. Moreover, all the other switches are running the same IOS version. So why the difference in behavior?

Jon Marshall Sun, 12/14/2008 - 16:13

Victor

Could you just check whether or not you have the domain name set on these switches. If the host name or domain name are not set then the switch will generate a self-signed cert on reboot.

Unlikely but might be worth a try.

Jon

Correct Answer
ajagadee Sun, 12/14/2008 - 19:31

Victor,

The below configuration is a self-generated certificate when you enable Secure-HTTP (HTTPS) on the switch and there is no CA Trustpoint. If a CA trustpoint is not configured for the device running the HTTPS server (Switch), the server certifies itself and generates the needed RSA key pair.

show ip http server status - This command will display the status of the HTTP server to determine if the secure HTTP server feature is supported in the software. You should see one of these lines in the output:

HTTP secure server capability: Present

or

HTTP secure server capability: Not present

If you are not using HTTPS to this switch, you can remove this self-signed certificate by disabling the secure HTTP server (no ip http secure-server) and entering the no crypto pki trustpoint TP-self-signed-230132480 global configuration command.

If you later re-enable a secure HTTP server, a new self-signed certificate is generated.

Regards,

Arul

*Pls rate if it helps*
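An added audit helper, not code from the thread or from Cisco: it reads a running-config the way Arul's answer describes (secure HTTP server on, no CA trustpoint), flags that the self-signed trustpoint will be regenerated on reload, and emits the two commands in the order the answer gives. The sample config is constructed; only the hostname, the trustpoint serial and the first hex line come from the thread.

```python
import re
from typing import Dict, List

# Constructed sample in the shape of the poster's running-config; the hostname,
# trustpoint serial and first hex line are the ones that appear in the thread.
SAMPLE_CONFIG = """\
hostname hv1sw004-c07
ip http secure-server
!
crypto pki trustpoint TP-self-signed-230132480
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-230132480
 revocation-check none
 rsakeypair TP-self-signed-230132480
!
crypto pki certificate chain TP-self-signed-230132480
 certificate self-signed 01
  308202A3 3082020C A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  quit
"""

TRUSTPOINT_RE = re.compile(r"^crypto pki trustpoint (\S+)", re.M)


def audit_self_signed(config: str) -> Dict[str, object]:
    """Report whether a TP-self-signed trustpoint will return after reload and
    list the commands from the accepted answer that stop it (HTTPS off first)."""
    https_on = any(l.strip() == "ip http secure-server" for l in config.splitlines())
    trustpoints = TRUSTPOINT_RE.findall(config)
    self_signed = [t for t in trustpoints if t.startswith("TP-self-signed-")]
    ca_trustpoints = [t for t in trustpoints if not t.startswith("TP-self-signed-")]
    # Per the answer: with the secure server on and no CA trustpoint, IOS
    # certifies itself again on the next reload, whatever was deleted before.
    regenerates = https_on and not ca_trustpoints
    commands: List[str] = []
    if regenerates:
        # Only appropriate when HTTPS management of this switch is not needed.
        commands.append("no ip http secure-server")
    commands += [f"no crypto pki trustpoint {t}" for t in self_signed]
    return {
        "https_enabled": https_on,
        "self_signed_trustpoints": self_signed,
        "ca_trustpoints": ca_trustpoints,
        "will_regenerate_on_reload": regenerates,
        "remediation": commands,
    }


if __name__ == "__main__":
    for key, value in audit_self_signed(SAMPLE_CONFIG).items():
        print(f"{key}: {value}")
```

Run it over `show running-config` output from each switch to find the few out of hundreds that have the secure server enabled.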

lamav Mon, 12/15/2008 - 03:23

Jon:

That wasn't it, but thanks for the effort.

Arul:

That was the problem.

Thank you very much for your help. Much appreciated...

I rated your post.

Victor
