Solved: crypto pki -

svaishya20 · ‎12-07-2011

Hi all,

I have question about thsi Crypto Pki - can any one explain.

Do we need to install this thing on router or switch or its already installed and whats the use of it ?

crypto pki trustpoint TP-self-signed-XXXXXXXXXX

enrollment selfsigned

subject-name cn=IOS-Self-Signed-Certificate-XXXXXXXXXX

revocation-check none

rsakeypair TP-self-signed-XXXXXXXXXX

!

!

crypto pki certificate chain TP-self-signed-XXXXXXXXXX

certificate self-signed 01

Thanks

Saurabh

johnlloyd_13 · ‎12-11-2011

hi,

when you issue the command

ip http secure-server

from global config, it will auto generate a 1024 bit RSA keys. use the

show crypto key mypubkey rsa

command to view the key pair generated. see below.

Router(config)#ip http secure-server

% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]

Router(config)#

*Dec  12 15:58:51.651: %SSH-5-ENABLED: SSH 1.99 has been enabled

*Dec  12 15:58:54.819: %PKI-4-NOAUTOSAVE: Configuration was modified.  Issue "write memory" to save new certificate




Router(config)#do show crypto key mypubkey rsa

% Key pair was generated at: 15:58:51 UTC Dec 12 2011

Key name: TP-self-signed-4294967295

Usage: General Purpose Key

Key is not exportable.

Key Data:

  30819F30 0D06092A 864886F7 0D010101 05000381 8D003081 89028181 00C16AAA

  FD901E7E C079C767 793C26A1 F70E516D F30A4EBB C03F4F11 0F3101A9 43EC8026

  23E8563B 373FDBBD EC304E73 8F9D6276 6F3A38A4 6924C402 77549549 158710A9

  0EA8C7A3 535FD82E 7BD6F309 205A2245 2311D8D4 77F49F08 76C1735A C47B45D7

  D31EF9BD 698AE974 0A0AFB4A 47F98257 B6944E8F 362492F7 36AAD944 99020301 0001

% Key pair was generated at: 15:58:54 UTC Dec 12 2011

Key name: TP-self-signed-4294967295.server

Usage: Encryption Key

Key is not exportable.

Key Data:

  307C300D 06092A86 4886F70D 01010105 00036B00 30680261 00D17F93 C1CB808A

  A43F63F5 4A2DBED5 F7222CDA 73C582DF 649F7DDF C5B6A7C9 BBA7EAC0 62B02791

  D47F6AEB DED9AD82 30B3D7BF 69D5444E 5E868126 7BB45012 5305422B 9001D4CF

  C383A90A 1615929C 8FF4AA3E 7CD195FD 48D7FB76 173D7BAA 15020301 0001

View solution in original post

Richard Burts · ‎12-12-2011

Saurabh

Let me try to explain this from a perspective slightly different from John. The crypto pki trustpoint that you ask about is part of implementing an SSL certificate. One of the things that requires an SSL certificate is enabling the HTTP Secure Server feature in the IOS router. Other things that would require an SSL certificate would be things like configuring an IOS device for Remote Access VPN using SSL for VPN.

You can obtain a SSL certificate from a public certificate authority and install it on the IOS device. And if the device needs a SSL certificate and does not have one installed then it will generate a self signed certificate, which is what happened on the router that you asked about.

If you connect to the IOS device using SSL transport - such as using your browser to connect to the HTTP Secure Server on the IOS device - then the browser will check on the certificate to determine whether it can be trusted. If the device has a public certificate then it is trusted and the browser will connect. If the certificate is not public then the browser will probably generate a warning that it does not trust the certificate. You can respond to the warning and tell the browser to connect and it will. So the connection works, but you do usually get the warning message when the device has a self signed certificate.

So to answer your questions:

- the use of the crypto pki trustpoint is that it enables a SSL certificate which is required for certain features such as the Secure Server (which is usually enabled by default).

- you can install a public certificate if one is needed. But if there is not a public certificate and the IOS device needs one then it will generate its own self signed certificate.

- so unless there is a reason why you want a public certificate you do not need to do anything special or do any special installation. The router will take care of it for you automatically.

HTH

Rick

HTH

Rick

View solution in original post

johnlloyd_13 · ‎12-08-2011

hi,

this was generated when the

ip http secure-server

command was executed. it's basically used for HTTPS authentication.

if you're not using this feature, it can be removed by issuing the below command:

Router#show crypto key mypubkey rsa

Router(config)#crypto key zeroize rsa

svaishya20 · ‎12-11-2011

hi John,

thanks for replying.

if i have to intstall it then whaen what information do i need like RSA key ?

johnlloyd_13 · ‎12-11-2011

hi,

when you issue the command

ip http secure-server

from global config, it will auto generate a 1024 bit RSA keys. use the

show crypto key mypubkey rsa

command to view the key pair generated. see below.

Router(config)#ip http secure-server

% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]

Router(config)#

*Dec  12 15:58:51.651: %SSH-5-ENABLED: SSH 1.99 has been enabled

*Dec  12 15:58:54.819: %PKI-4-NOAUTOSAVE: Configuration was modified.  Issue "write memory" to save new certificate




Router(config)#do show crypto key mypubkey rsa

% Key pair was generated at: 15:58:51 UTC Dec 12 2011

Key name: TP-self-signed-4294967295

Usage: General Purpose Key

Key is not exportable.

Key Data:

  30819F30 0D06092A 864886F7 0D010101 05000381 8D003081 89028181 00C16AAA

  FD901E7E C079C767 793C26A1 F70E516D F30A4EBB C03F4F11 0F3101A9 43EC8026

  23E8563B 373FDBBD EC304E73 8F9D6276 6F3A38A4 6924C402 77549549 158710A9

  0EA8C7A3 535FD82E 7BD6F309 205A2245 2311D8D4 77F49F08 76C1735A C47B45D7

  D31EF9BD 698AE974 0A0AFB4A 47F98257 B6944E8F 362492F7 36AAD944 99020301 0001

% Key pair was generated at: 15:58:54 UTC Dec 12 2011

Key name: TP-self-signed-4294967295.server

Usage: Encryption Key

Key is not exportable.

Key Data:

  307C300D 06092A86 4886F70D 01010105 00036B00 30680261 00D17F93 C1CB808A

  A43F63F5 4A2DBED5 F7222CDA 73C582DF 649F7DDF C5B6A7C9 BBA7EAC0 62B02791

  D47F6AEB DED9AD82 30B3D7BF 69D5444E 5E868126 7BB45012 5305422B 9001D4CF

  C383A90A 1615929C 8FF4AA3E 7CD195FD 48D7FB76 173D7BAA 15020301 0001

Richard Burts · ‎12-12-2011

Saurabh

Let me try to explain this from a perspective slightly different from John. The crypto pki trustpoint that you ask about is part of implementing an SSL certificate. One of the things that requires an SSL certificate is enabling the HTTP Secure Server feature in the IOS router. Other things that would require an SSL certificate would be things like configuring an IOS device for Remote Access VPN using SSL for VPN.

You can obtain a SSL certificate from a public certificate authority and install it on the IOS device. And if the device needs a SSL certificate and does not have one installed then it will generate a self signed certificate, which is what happened on the router that you asked about.

If you connect to the IOS device using SSL transport - such as using your browser to connect to the HTTP Secure Server on the IOS device - then the browser will check on the certificate to determine whether it can be trusted. If the device has a public certificate then it is trusted and the browser will connect. If the certificate is not public then the browser will probably generate a warning that it does not trust the certificate. You can respond to the warning and tell the browser to connect and it will. So the connection works, but you do usually get the warning message when the device has a self signed certificate.

So to answer your questions:

- the use of the crypto pki trustpoint is that it enables a SSL certificate which is required for certain features such as the Secure Server (which is usually enabled by default).

- you can install a public certificate if one is needed. But if there is not a public certificate and the IOS device needs one then it will generate its own self signed certificate.

- so unless there is a reason why you want a public certificate you do not need to do anything special or do any special installation. The router will take care of it for you automatically.

HTH

Rick

HTH

Rick

johnlloyd_13 · ‎12-12-2011

Hi Rick,

This is good stuff! I couldn't explain far better than you sir (+5).

Sent from Cisco Technical Support iPhone App

Richard Burts · ‎12-12-2011

John

Thank you for the kind words (and for the points). I have learned to pay attention to your posts in the forum and recognize that you frequently have a good point to make on issues being discussed. Keep up the good work

HTH

Rick

HTH

Rick

svaishya20 · ‎12-13-2011

Hi Guys,

Thanks for explaining it so nicely.

Thanks
Saurabh