Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

Change the certificate used by a Cisco 3850

I have a new 3850 L3 switch. It had a self-signed certificate installed when I first booted the switch. The certificate appears to be either 512 or 1024 in length. I would like to create a key that is 2048 in length. I can issue the crypto key generate rsa command and specify the 2048 length and I get a new cert. I just can't figure out hw to make the new cert as the active cert.

Here is the configuration section from the switch when it was first started:

crypto pki trustpoint TP-self-signed-127070658

enrollment selfsigned

subject-name cn=IOS-Self-Signed-Certificate-127070658

revocation-check none

rsakeypair TP-self-signed-127070658

!

!

crypto pki certificate chain TP-self-signed-127070658

certificate self-signed 01 nvram:IOS-Self-Sig#1.cer

When I create the new cert and then commit it with the copy running-config startup-config and then reload, it will show that the new cert is stored in NVRAM:private-config, but it doesn't show the cert when I cd to nvram: and issue the dir command. What is the proper sequence to get the new cert to be used.

Here is the results of the dir command:

2049  -rw-        1897                    <no date>  startup-config

2050  ----        3821                    <no date>  private-config

2051  -rw-        1897                    <no date>  underlying-config

    1  ----           0                    <no date>  rf_cold_starts

    2  -rw-        1079                    <no date>  cpu_trap.eci

    4  -rw-        1072                    <no date>  cpu_threshold_trap.eci

    6  -rw-         886                    <no date>  memory_trap.eci

    7  -rw-         858                    <no date>  rf_trap.eci

    8  -rw-        3123                    <no date>  wireless_trap.eci

   11  -rw-         270                    <no date>  ma_trap_keyword

   12  ----          86                    <no date>  persistent-data

   14  -rw-         578                    <no date>  IOS-Self-Sig#1.cer

   15  -rw-           0                    <no date>  ifIndex-table

William Coats

Everyone's tags (1)
1 ACCEPTED SOLUTION

Accepted Solutions
Hall of Fame Super Silver

Re: Change the certificate used by a Cisco 3850

I was wondering how to do this myself so I took it on as small project on our lab 3650. The documentation left something to be desired but I finally figured it out.

1. generate a 2048-bit rsa keypair:

seclab-3650(config)#crypto key generate rsa modulus 2048 label 2048-bit-key

2. create a trustpoint specifying self-signed enrollment and telling the TP to use that keypair

seclab-3650(config)#cry pki trustpoint 2048-bit-TP     

seclab-3650(ca-trustpoint)#enrollment selfsigned

seclab-3650(ca-trustpoint)#usage ssl-server

seclab-3650(ca-trustpoint)#on nvram:

seclab-3650(ca-trustpoint)#rsakeypair 2048-bit-key

seclab-3650(ca-trustpoint)#exit

3. enroll the trustpoint - at this point the switch will generate the 2048-bit certificate.

seclab-3650(config)#crypto pki enroll 2048-bit-TP      

% Include the router serial number in the subject name? [yes/no]: yes

% Include an IP address in the subject name? [no]:

Generate Self Signed Router Certificate? [yes/no]: yes

Router Self Signed Certificate successfully created

seclab-3650(config)#

4. tell your ip http secure-server to use this trustpoint

seclab-3650(config)#ip http secure-trustpoint 2048-bit-TP

Once I did all of that, I can go to the switch via https and see the 2048-bit key being used in the self-signed certificate. Click image below for larger view:

3 REPLIES
Hall of Fame Super Silver

Re: Change the certificate used by a Cisco 3850

I was wondering how to do this myself so I took it on as small project on our lab 3650. The documentation left something to be desired but I finally figured it out.

1. generate a 2048-bit rsa keypair:

seclab-3650(config)#crypto key generate rsa modulus 2048 label 2048-bit-key

2. create a trustpoint specifying self-signed enrollment and telling the TP to use that keypair

seclab-3650(config)#cry pki trustpoint 2048-bit-TP     

seclab-3650(ca-trustpoint)#enrollment selfsigned

seclab-3650(ca-trustpoint)#usage ssl-server

seclab-3650(ca-trustpoint)#on nvram:

seclab-3650(ca-trustpoint)#rsakeypair 2048-bit-key

seclab-3650(ca-trustpoint)#exit

3. enroll the trustpoint - at this point the switch will generate the 2048-bit certificate.

seclab-3650(config)#crypto pki enroll 2048-bit-TP      

% Include the router serial number in the subject name? [yes/no]: yes

% Include an IP address in the subject name? [no]:

Generate Self Signed Router Certificate? [yes/no]: yes

Router Self Signed Certificate successfully created

seclab-3650(config)#

4. tell your ip http secure-server to use this trustpoint

seclab-3650(config)#ip http secure-trustpoint 2048-bit-TP

Once I did all of that, I can go to the switch via https and see the 2048-bit key being used in the self-signed certificate. Click image below for larger view:

New Member

Change the certificate used by a Cisco 3850

That was what I was looking for. I was actually wanting a larger key for when we ssh into the key. Theses steps will do the same once I change the usage statement.

Thanks for the help.

Hall of Fame Super Silver

Re: Change the certificate used by a Cisco 3850

You're welcome.

Please rate helpful replies and/or mark your question as answered.

Regards,

- Marvin

3281
Views
10
Helpful
3
Replies
CreatePlease to create content