Cisco Support Community

New Member

Unintentional pki key generation when I want only rsa key generation

Hi there,

Several times now (once on a 2960 and once on a 3560) I have generated RSA keys for use with ssh by issuing the following command: #crypto key generate rsa general-keys modulus 2048

The rsa keys are generated successfully and ssh to the switch works. HOWEVER when I reload the switch it generates its own pki self signed keys as well.

These pki keys do not present themselves in the config until after the reload of the switch. I don't know why these pki keys are being generated. I am not intentionally configuring the switch to generate pki keys. So I am unclear why this is happening. Can anyone tell me what I am doing wrong? Thanks for any info.

1 ACCEPTED SOLUTION

Accepted Solutions
Bronze

Re: Unintentional pki key generation when I want only rsa key ge

If a CA trustpoint is not configured for the device running the HTTPS server, the server certifies itself and generates the needed RSA key pair. This is why the key pair is generated automatically after reload.

Check if "hostname" and "domain names" and "CA TRUSTPOINT" are configured using the command "show running-config".

For more info on Configuring a CA Trustpoint and the Switch for Secure Socket Layer HTTP, refer to:

http://www.cisco.com/en/US/docs/switches/lan/catalyst2960/software/release/12.2_44_se/configuration/guide/2960SCG.pdf

2 REPLIES

New Member

Re: Unintentional pki key generation when I want only rsa key ge

Hadbou,

Thank you for responding with an answer to my question and providing the URL where I can read more information. It is appreciated.

Pete.
