Cisco Support Community
New Member

crypto pki trustpoint TP-self-signed

Hi,

I have a core switch (4506e) connected to 6 edge switches (2960).

Each switch is configured with crypto pki trustpoint TP-self-signed

What is this exactly and what's its use?

Also, when I connect another 2960 to the core, it automatically takes this crypto config.

I don't understand this.

Help me on this


Accepted Solutions
Hall of Fame Super Silver

Re: crypto pki trustpoint TP-self-signed

Hello Vishal,

The command is a security command related to PKI = public key infrastructure.

The command defines an object that can be trusted (trustpoint) with the name TP-self-signed, which roughly means a security certificate is locally generated.

This should be a default of newer IOS images in order to prepare the devices for secure management via, for example, SSH and the use of certificates.

In other words, if you are managing your devices with telnet only, these commands have no effect in your scenario.

See

http://www.cisco.com/en/US/docs/ios-xml/ios/security/a1/sec-cr-c5.html#GUID-0447E1FC-0851-4A3F-A727-8CAEEFB84A62

Edit:

The following is an example of a series of commands in a C1811 router, taken from another thread:

crypto pki trustpoint TP-self-signed-4147111382
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-4147111382
 revocation-check none
 rsakeypair TP-self-signed-4147111382
!


Hope to help

Giuseppe

8 REPLIES

New Member

crypto pki trustpoint TP-self-signed

Hi Giuseppe,

Thanks for the reply, it helped me.

We use SSH to manage the switches.

Is this the automatic configuration that the switch does itself, or do we have to do it?

Can we remove this config, and if removed, what will happen?

Hall of Fame Super Silver

crypto pki trustpoint TP-self-signed

Hello Vishal,

Because you are using SSH to manage the switches, and it is not clear whether authentication is based on certificates or other means, I would not remove those commands from your devices.

Hope to help

Giuseppe

New Member

crypto pki trustpoint TP-self-signed

Hi All,

I have a virtual 3640 router on GNS3 and am trying to discover it on CCP, but it fails with security certificate rejected. How do I fix this, as the example on Cisco help to type commands about "TP-self-signed xxxxx" does not work? I obviously need specific wording for my setup. Can anyone help please? Thanks

New Member

Dear Giuseppe Larosa

Dear Giuseppe Larosa

I have an 841 router; after a factory reset I am unable to find "crypto pki certificate chain TP-self-signed".

How can I generate "crypto pki certificate"? Please guide.

As per your above comment "TP-self-signed-4147111382", how can I find this number for my router?

In the current running config I can't see crypto pki certificate.

Thanks in advance.

New Member

Re: Dear Giuseppe Larosa

Exactly - that is my question - how do we find out the number to use in the

crypto pki trustpoint TP-self-signed-1234567890

command?  It isn't the serial number... the SN is in hex and has 11 characters.

How do we determine the 10-digit number to use with the above command?

Many thanks,

Sam

New Member

Re: Dear Giuseppe Larosa


Sam Sanders wrote:

Exactly - that is my question - how do we find out the number to use in the

crypto pki trustpoint TP-self-signed-1234567890

command?  It isn't the serial number... the SN is in hex and has 11 characters.

How do we determine the 10-digit number to use with the above command?

Many thanks,

Sam


I was also looking for that, spending 3 hours on the internet to find a solution.

I didn't want to just copy/paste configuration from another Cisco switch.

My problem was to find out how to get these lines:

crypto pki trustpoint TP-self-signed-2981184384
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2981184384
 revocation-check none
 rsakeypair TP-self-signed-2981184384
!
!
crypto pki certificate chain TP-self-signed-2981184384
 certificate self-signed 01

 

In fact, the solution is so simple...

Just type:

conf t
ip http secure-server

Do a show run, and you will see the TP-self-signed number and all the rest....
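Added example, not part of the original posts and not Cisco code: a short Python audit that reads a saved `show running-config`, lists each self-signed trustpoint with its number, and reports whether `ip http secure-server` (the command the post above says generates it) is enabled. The function names, report keys and the sample config (hostname included) are constructed for illustration; the trustpoint lines are the ones quoted in the thread.

```python
import re

# Constructed sample running-config; the certificate body is omitted.
SAMPLE_CONFIG = """\
hostname edge-sw1
!
crypto pki trustpoint TP-self-signed-2981184384
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2981184384
 revocation-check none
 rsakeypair TP-self-signed-2981184384
!
crypto pki certificate chain TP-self-signed-2981184384
 certificate self-signed 01
!
ip http secure-server
"""

def parse_trustpoints(config):
    """Return {name: [sub-commands]} for every 'crypto pki trustpoint' block."""
    trustpoints, current = {}, None
    for line in config.splitlines():
        m = re.match(r"crypto pki trustpoint (\S+)", line)
        if m:
            current = trustpoints.setdefault(m.group(1), [])
        elif current is not None and line.startswith(" "):
            current.append(line.strip())   # indented line = sub-command
        else:
            current = None                 # '!' or any top-level command ends the block
    return trustpoints

def audit(config):
    """Summarise self-signed trustpoints and whether the HTTPS server is on."""
    lines = [l.strip() for l in config.splitlines()]
    # Exact match, so 'no ip http secure-server' does not count as enabled.
    report = {"https_server": "ip http secure-server" in lines, "self_signed": []}
    for name, cmds in parse_trustpoints(config).items():
        if "enrollment selfsigned" not in cmds:
            continue
        m = re.fullmatch(r"TP-self-signed-(\d+)", name)
        subject = next((c.split(" ", 1)[1] for c in cmds if c.startswith("subject-name ")), None)
        report["self_signed"].append({
            "trustpoint": name, "number": m.group(1) if m else None,
            "subject": subject,
            "has_cert_chain": f"crypto pki certificate chain {name}" in lines,
        })
    return report

if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG))
```
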

 

 

New Member

Re: Dear Giuseppe Larosa

Thanks for this.

I'm in the process of swapping out a switch from our network. Just couldn't figure out how those keys were generated on the old switch. I was sure it wasn't SSH....  but did not think to check if it was HTTPS. Your post really helped...

Thanks.
