10-04-2013 08:55 AM - edited 03-07-2019 03:50 PM
I have a new 3850 L3 switch. It had a self-signed certificate installed when I first booted the switch. The certificate appears to be either 512 or 1024 in length. I would like to create a key that is 2048 in length. I can issue the crypto key generate rsa command and specify the 2048 length and I get a new cert. I just can't figure out how to make the new cert the active cert.
Here is the configuration section from the switch when it was first started:
crypto pki trustpoint TP-self-signed-127070658
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-127070658
revocation-check none
rsakeypair TP-self-signed-127070658
!
!
crypto pki certificate chain TP-self-signed-127070658
certificate self-signed 01 nvram:IOS-Self-Sig#1.cer
When I create the new cert and then commit it with the copy running-config startup-config and then reload, it will show that the new cert is stored in NVRAM:private-config, but it doesn't show the cert when I cd to nvram: and issue the dir command. What is the proper sequence to get the new cert to be used?
Here are the results of the dir command:
2049 -rw- 1897 <no date> startup-config
2050 ---- 3821 <no date> private-config
2051 -rw- 1897 <no date> underlying-config
1 ---- 0 <no date> rf_cold_starts
2 -rw- 1079 <no date> cpu_trap.eci
4 -rw- 1072 <no date> cpu_threshold_trap.eci
6 -rw- 886 <no date> memory_trap.eci
7 -rw- 858 <no date> rf_trap.eci
8 -rw- 3123 <no date> wireless_trap.eci
11 -rw- 270 <no date> ma_trap_keyword
12 ---- 86 <no date> persistent-data
14 -rw- 578 <no date> IOS-Self-Sig#1.cer
15 -rw- 0 <no date> ifIndex-table
William Coats
10-04-2013 01:25 PM
I was wondering how to do this myself so I took it on as a small project on our lab 3650. The documentation left something to be desired but I finally figured it out.
1. generate a 2048-bit rsa keypair:
seclab-3650(config)#crypto key generate rsa modulus 2048 label 2048-bit-key
2. create a trustpoint specifying self-signed enrollment and telling the TP to use that keypair
seclab-3650(config)#cry pki trustpoint 2048-bit-TP
seclab-3650(ca-trustpoint)#enrollment selfsigned
seclab-3650(ca-trustpoint)#usage ssl-server
seclab-3650(ca-trustpoint)#on nvram:
seclab-3650(ca-trustpoint)#rsakeypair 2048-bit-key
seclab-3650(ca-trustpoint)#exit
3. enroll the trustpoint - at this point the switch will generate the 2048-bit certificate.
seclab-3650(config)#crypto pki enroll 2048-bit-TP
% Include the router serial number in the subject name? [yes/no]: yes
% Include an IP address in the subject name? [no]:
Generate Self Signed Router Certificate? [yes/no]: yes
Router Self Signed Certificate successfully created
seclab-3650(config)#
4. tell your ip http secure-server to use this trustpoint
seclab-3650(config)#ip http secure-trustpoint 2048-bit-TP
Once I did all of that, I can go to the switch via https and see the 2048-bit key being used in the self-signed certificate. Click image below for larger view:
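To confirm from a management host that the switch really presents the larger key over HTTPS (and over SSH, which a follow-up below asks about), here is an added shell check; it is not from the original post or from Cisco, and it assumes openssl, ssh-keyscan and ssh-keygen are installed and that the script argument is the switch management address.

```shell
#!/bin/sh
# Externally verify the RSA key size a switch presents over HTTPS and SSH.
# Constructed helper script; HOST is whatever address you pass as $1.

# Pull the modulus size out of `openssl x509 -text` output (e.g. "Public-Key: (2048 bit)").
key_bits_from_x509_text() {
  sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1
}

# Pull the key size out of `ssh-keygen -l` output ("2048 SHA256:... host (RSA)").
key_bits_from_keygen_output() {
  awk 'NR == 1 { print $1 }'
}

# Fetch the HTTPS server certificate and report its RSA key size.
https_key_bits() {
  host="$1"; port="${2:-443}"
  openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
    | openssl x509 -noout -text 2>/dev/null \
    | key_bits_from_x509_text
}

# Fetch the SSH RSA host key and report its size.
ssh_key_bits() {
  host="$1"
  ssh-keyscan -t rsa "$host" 2>/dev/null | ssh-keygen -lf /dev/stdin 2>/dev/null \
    | key_bits_from_keygen_output
}

# Return 0 if BITS is a number >= MIN (default 2048), 1 if smaller, empty or unparsable.
check_min_bits() {
  bits="$1"; min="${2:-2048}"
  case "$bits" in ''|*[!0-9]*) return 1 ;; esac
  [ "$bits" -ge "$min" ]
}

# Usage: sh check_switch_keys.sh <switch-host>
if [ -n "${1:-}" ]; then
  h=$(https_key_bits "$1"); s=$(ssh_key_bits "$1")
  echo "https: ${h:-unknown} bits, ssh: ${s:-unknown} bits"
  check_min_bits "$h" && check_min_bits "$s" \
    || echo "WARNING: a key is below 2048 bits or could not be retrieved"
fi
```

On the switch itself, `show crypto key mypubkey rsa` and `show crypto pki certificates` show the same information from the inside; the external check above is what catches a trustpoint or service that is still bound to the old key.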
10-08-2013 09:20 AM
That was what I was looking for. I was actually wanting a larger key for when we ssh into the key. These steps will do the same once I change the usage statement.
Thanks for the help.
10-08-2013 10:19 AM
You're welcome.
Please rate helpful replies and/or mark your question as answered.
Regards,
- Marvin
09-12-2022 10:07 AM
This is very helpful, thank you! However, when I perform these steps on a Cisco 3850 switch, I get the message, Attempt to request a certificate failed: status = FAIL. Any idea why this is happening? Do I need to try upgrading to a newer IOS? My version is: WS-C3850-24U SW Version: 03.06.07E SW Image: cat3k_caa-universalk9 Mode: INSTALL
Thanks very much.
12-07-2023 03:38 PM
Did you find a solution for this? I am having the exact same issue now.
02-14-2024 06:59 AM
Do you want to continue generating a new Self Signed Certificate? [yes/no]: yes
%Error: No public key found - Abort.