Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
New Member

SSH configuration - CRYPTO commands

Hi all,

I`m new in a company and have to set up a new switch. I decided to help myself witch "show run" output from other, already functional switches. There`s one thing (section) I`m struggling witch, the output is as this:

crypto pki trustpoint TP-self-signed-323175841
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-323175841
 revocation-check none
 rsakeypair TP-self-signed-323175841

Could PLEASE anybody explain a step-by-step commands to get this output? Are these lines generated as a result of other commands entered or you gotta enter exactly those commands? And, what does the number mean? Do I get it somewhere or is it generated?

Thank you very much in advance.


VIP Super Bronze

HiThese will be generated for


These will be generated for you once you configure the switch with SSH

First lets find out if your IOS has SSH capability 

can post the output of

sh ver


New Member

Hi Reza,I`m no connected to

Hi Reza,

Thank you very much for your reply.

I`m not connected to the switch right now, but I know i does support the ssh capability as we have another about 20 switches of this exact model - WS-C2960X-24PS-L, which is a pretty new cisco model.

You`re mentioning that these will be generated once I configure SSH. Could you please give me step-by-step instructions? As far as I know the ssh configuration consists of "crypto key generate rsa" command, which, however doesn`t result in the "show run" output indicated in my first question.

New Member

I`m adding some (I hope

I`m adding some (I hope helpful) parts of the "show version" command:

Cisco IOS Software, C2960X Software (C2960X-UNIVERSALK9-M), Version 15.0(2)EX3, RELEASE SOFTWARE (fc1)

BOOTLDR: C2960X Boot Loader (C2960X-HBOOT-M) Version 15.0(2r)EX, RELEASE SOFTWARE (fc1)

cisco WS-C2960X-24PS-L (APM86XXX) processor (revision A0) with 524288K bytes of memory.



For SSH to work you need keys

For SSH to work you need keys (as you mentioned already), domain name configured and hostname.

Configure that - test if SSH works and I think that you will notice self signed and generated certificate on that new switch.


HTH, Dragan
New Member

Hi Dragan,Do you mean only

Hi Dragan,

Do you mean only following commands?:

hostname .......

ip domain-name .............

crypto key generate rsa

I know that it`s the way of how to configure ssh, however I need to get the exactly same output (different number of course) as the output I`m showing in my first email.

I`ve tried it only with these commands in GNS3 router, however didn`t get the mentioning output in sho run.

Thank you,



GNS router maybe doesn't have

GNS router maybe doesn't have appropriate IOS on it...try on real hardware.



HTH, Dragan
New Member

Dragan,I`ve just tested it on


I`ve just tested it on Cisco 2950 switch. To my surpise the output was there without me putting it there. However, to test it, I entered:

no crypto pki trustpoint TP-self-signed-(number) after which it was gone. When trying to put it back, i typed commands you suggested:

(hostname, ip domain-name) and crypto key generate rsa (commands for SSH to work).

But didn`t manage to get it back to my "sho run" output. What am I doing wrong? What am I missing?

Thank you a lot for the key for that,


New Member

Anybody has any idea how to

Anybody has any idea how to get the required output in "sho run"? Please, I need to finish the setting up till the end of the week.

Thank you,


New Member

Thank you a lot Dragan,"ip

Thank you a lot Dragan,

"ip http secure-server" - that`s what i was missing. I saw this command on internet a lot when searching but didn`t thought that`d be the last piece I need. I just didn`t see the "relationship".

Thanks again,



Can you do "crypto key rsa

Can you do "crypto key rsa zeroize" command also (beside removing trustpoint as you already do). Then create rsa keys again. Then try adding "ip http secure-server" - i think it will generate self signed certificate to use with https on switch.

BTW these self signed certificates are part of newer IOSes because cisco now prepare them for you for using with for ie SSH etc...



HTH, Dragan
CreatePlease to create content