Change the certificate used by a Cisco 3850

William Coats
Level 1

I have a new 3850 L3 switch. It had a self-signed certificate installed when I first booted the switch. The certificate appears to be either 512 or 1024 in length. I would like to create a key that is 2048 in length. I can issue the crypto key generate rsa command and specify the 2048 length and I get a new cert. I just can't figure out how to make the new cert the active cert.

Here is the configuration section from the switch when it was first started:

crypto pki trustpoint TP-self-signed-127070658
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-127070658
 revocation-check none
 rsakeypair TP-self-signed-127070658
!
!
crypto pki certificate chain TP-self-signed-127070658
 certificate self-signed 01 nvram:IOS-Self-Sig#1.cer

When I create the new cert and then commit it with the copy running-config startup-config and then reload, it will show that the new cert is stored in NVRAM:private-config, but it doesn't show the cert when I cd to nvram: and issue the dir command. What is the proper sequence to get the new cert to be used?

Here are the results of the dir command:

2049  -rw-        1897                    <no date>  startup-config
2050  ----        3821                    <no date>  private-config
2051  -rw-        1897                    <no date>  underlying-config
    1  ----           0                    <no date>  rf_cold_starts
    2  -rw-        1079                    <no date>  cpu_trap.eci
    4  -rw-        1072                    <no date>  cpu_threshold_trap.eci
    6  -rw-         886                    <no date>  memory_trap.eci
    7  -rw-         858                    <no date>  rf_trap.eci
    8  -rw-        3123                    <no date>  wireless_trap.eci
   11  -rw-         270                    <no date>  ma_trap_keyword
   12  ----          86                    <no date>  persistent-data
   14  -rw-         578                    <no date>  IOS-Self-Sig#1.cer
   15  -rw-           0                    <no date>  ifIndex-table

William Coats

Accepted Solution

Marvin Rhoads
Hall of Fame

I was wondering how to do this myself so I took it on as a small project on our lab 3650. The documentation left something to be desired but I finally figured it out.

1. generate a 2048-bit rsa keypair:

seclab-3650(config)#crypto key generate rsa modulus 2048 label 2048-bit-key

2. create a trustpoint specifying self-signed enrollment and telling the TP to use that keypair:

seclab-3650(config)#cry pki trustpoint 2048-bit-TP
seclab-3650(ca-trustpoint)#enrollment selfsigned
seclab-3650(ca-trustpoint)#usage ssl-server
seclab-3650(ca-trustpoint)#on nvram:
seclab-3650(ca-trustpoint)#rsakeypair 2048-bit-key
seclab-3650(ca-trustpoint)#exit

3. enroll the trustpoint - at this point the switch will generate the 2048-bit certificate:

seclab-3650(config)#crypto pki enroll 2048-bit-TP
% Include the router serial number in the subject name? [yes/no]: yes
% Include an IP address in the subject name? [no]:
Generate Self Signed Router Certificate? [yes/no]: yes
Router Self Signed Certificate successfully created
seclab-3650(config)#

4. tell your ip http secure-server to use this trustpoint:

seclab-3650(config)#ip http secure-trustpoint 2048-bit-TP

Once I did all of that, I can go to the switch via https and see the 2048-bit key being used in the self-signed certificate.
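A check to go with step 1, added here as an example and not part of Marvin's post or any Cisco tool: the original question was unsure whether the existing key was 512 or 1024 bits, and the hex that show crypto key mypubkey rsa prints under "Key Data:" is a DER SubjectPublicKeyInfo, so the modulus size can be decoded from it directly. The show output below is constructed around a placeholder 2048-bit modulus (not a real key); it assumes the IOS layout of eight 8-hex-digit words per line under "Key Data:".

```python
import re
# Added example (not from the thread): decode the modulus size of an IOS RSA keypair
# from "show crypto key mypubkey rsa"; the hex under "Key Data:" is a DER SubjectPublicKeyInfo.
RSA_OID = bytes.fromhex("06092a864886f70d010101")  # id-rsaEncryption

def _der(tag: int, body: bytes) -> bytes:  # one DER TLV, short- or long-form length
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def _der_int(v: int) -> bytes:  # DER INTEGER, zero-padded so it stays positive
    b = v.to_bytes((v.bit_length() + 7) // 8, "big")
    return _der(0x02, b"\x00" + b if b[0] & 0x80 else b)

def build_spki(n: int, e: int = 65537) -> bytes:
    """DER SubjectPublicKeyInfo for an RSA public key (n, e); used to build the sample."""
    alg = _der(0x30, RSA_OID + b"\x05\x00")
    key = _der(0x30, _der_int(n) + _der_int(e))
    return _der(0x30, alg + _der(0x03, b"\x00" + key))

def _tlv(buf: bytes, pos: int):  # decode one DER header -> (tag, value_start, value_end)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def rsa_modulus_bits(spki: bytes) -> int:
    """SPKI -> BIT STRING -> RSAPublicKey SEQUENCE -> INTEGER n; return n's bit length."""
    _, body, _ = _tlv(spki, 0)                 # SubjectPublicKeyInfo SEQUENCE
    _, _, alg_end = _tlv(spki, body)           # skip AlgorithmIdentifier
    tag, bits, _ = _tlv(spki, alg_end)         # BIT STRING; first byte = unused-bit count
    _, seq, _ = _tlv(spki, bits + 1)           # RSAPublicKey SEQUENCE
    tag2, n_start, n_end = _tlv(spki, seq)     # INTEGER modulus
    if (tag, tag2) != (0x03, 0x02):
        raise ValueError("not an RSA SubjectPublicKeyInfo")
    return int.from_bytes(spki[n_start:n_end], "big").bit_length()

def modulus_bits_from_show(show_output: str) -> int:
    """Gather the hex words that follow 'Key Data:' and return the modulus size in bits."""
    data = show_output.split("Key Data:", 1)[1]
    m = re.match(r"\s*((?:[0-9A-Fa-f]+\s+)*[0-9A-Fa-f]+)", data)
    return rsa_modulus_bits(bytes.fromhex(re.sub(r"\s", "", m.group(1))))

# Constructed sample (placeholder 2048-bit modulus, not a real key), laid out like IOS prints it.
_HX = build_spki((1 << 2047) | 1).hex().upper()
_ROWS = [" ".join(_HX[i:i + 8] for i in range(j, min(j + 64, len(_HX)), 8)) for j in range(0, len(_HX), 64)]
SAMPLE_SHOW = "Key name: 2048-bit-key\n Key type: RSA KEYS\n Key Data:\n  " + "\n  ".join(_ROWS) + "\n"
```

Paste the real show output into modulus_bits_from_show to confirm the labelled keypair really is 2048 bits before binding a trustpoint to it.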

6 Replies


That was what I was looking for. I was actually wanting a larger key for when we ssh into the key. These steps will do the same once I change the usage statement.

Thanks for the help.

You're welcome.

Please rate helpful replies and/or mark your question as answered.

Regards,

- Marvin

This is very helpful, thank you! However, when I perform these steps on a Cisco 3850 switch, I get the message "Attempt to request a certificate failed: status = FAIL". Any idea why this is happening? Do I need to try upgrading to a newer IOS? My version is: WS-C3850-24U, SW Version: 03.06.07E, SW Image: cat3k_caa-universalk9, Mode: INSTALL
Thanks very much.
did you find a solution for this? I am having the exact same issue now

Do you want to continue generating a new Self Signed Certificate? [yes/no]: yes
%Error: No public key found - Abort.
