Renew Cisco Switch Self-Sign Certificate

This post mainly refers to Cisco Catalyst switches, and I have tested this on a production network without any issues. But again, proceed with caution! Cisco recommends configuring a CA trustpoint on all Cisco devices for secure communication. If you do not have one, the switch falls back to a self-signed certificate, which has a limited validity period and has to be renewed when it expires. This is the full article from Cisco: https://www.cisco.com/c/en/us/support/docs/security-vpn/public-key-infrastructure-pki/215118-ios-self-signed-certificate-expiration-o.html

There is also a great community article: https://community.cisco.com/t5/networking-documents/a-self-signed-certificate-is-added-to-a-cisco-catalyst-switch/ta-p/3124222

Here are the steps, in short form:

*** SSH into the switch, or connect over the console.

*** show crypto pki certificates -- lists every certificate on the switch together with its validity dates, so you can locate the expired one.

*** Note the trustpoint name of the expired certificate. For the self-signed certificate it looks like TP-self-signed-51XXXXXX (the number is specific to your device). Only continue if the expired certificate really is the self-signed one: removing a CA-enrolled trustpoint also destroys the certificates issued by that CA.

*** Enter global configuration mode (configure terminal). The commands that follow are configuration commands, which is why the later show command needs the do prefix.

*** no ip http secure-server -- disable the HTTPS server before doing any renewal.

*** no crypto pki trustpoint TP-self-signed-51XXXXX -- the trustpoint name you located with the show command above. IOS warns that removing the trustpoint destroys the certificates received through it and asks you to confirm; answer yes.

*** ip http secure-server -- re-enables the HTTPS server, which generates a new self-signed trustpoint and certificate.

*** do show crypto pki certificates -- check that the new certificate is there with a new validity period.

*** end, then write memory -- save the configuration so the new certificate is kept. The new certificate is still self-signed, so browsers and management tools that had accepted the old one will prompt again for the new one.

Then you are done.
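As an added example (not code from the original post or from Cisco), here is a small Python helper that parses `show crypto pki certificates` output, picks out only the expired TP-self-signed-* trustpoints, and emits the renewal commands from the steps above, so the same check can be run across a fleet before anyone types `no crypto pki trustpoint` on the wrong trustpoint. The sample output, the CA name Example-Enterprise-CA, the trustpoint CORP-CA and the number 1234567890 are constructed placeholders; the parser assumes the IOS output layout shown in the sample and a switch clock set to UTC.

```python
"""Find expired IOS self-signed trustpoints in `show crypto pki certificates`
output and emit the renewal commands.  Added example, not code from the post."""
import re
from datetime import datetime, timezone

# Constructed sample output (assumption: this is the IOS layout). The CA name,
# the CORP-CA trustpoint and the number 1234567890 are placeholders, not real.
SAMPLE_OUTPUT = """\
Router Self-Signed Certificate
  Status: Available
  Certificate Serial Number (hex): 01
  Certificate Usage: General Purpose
  Issuer:
    cn=IOS-Self-Signed-Certificate-1234567890
  Subject:
    Name: IOS-Self-Signed-Certificate-1234567890
    cn=IOS-Self-Signed-Certificate-1234567890
  Validity Date:
    start date: 00:00:00 UTC Jan 1 2018
    end   date: 00:00:00 UTC Jan 1 2020
  Associated Trustpoints: TP-self-signed-1234567890

CA Certificate
  Status: Available
  Certificate Serial Number (hex): 0A
  Certificate Usage: Signature
  Issuer:
    cn=Example-Enterprise-CA
  Subject:
    cn=Example-Enterprise-CA
  Validity Date:
    start date: 00:00:00 UTC Jan 1 2019
    end   date: 00:00:00 UTC Jan 1 2035
  Associated Trustpoints: CORP-CA
"""

END_DATE_RE = re.compile(
    r"end\s+date:\s+(\d\d:\d\d:\d\d)\s+\S+\s+(\w{3})\s+(\d{1,2})\s+(\d{4})")
TRUSTPOINT_RE = re.compile(r"Associated Trustpoints:\s+(\S+)")


def parse_certificates(text):
    """Return [(trustpoint_name, end_date)] for every certificate block.

    Blocks are separated by a blank line. The time-zone token in the date is
    skipped: we assume the switch clock is set to UTC."""
    certs = []
    for block in re.split(r"\n\s*\n", text.strip()):
        end_m = END_DATE_RE.search(block)
        tp_m = TRUSTPOINT_RE.search(block)
        if end_m is None or tp_m is None:
            continue  # not a certificate block we understand
        hhmmss, mon, day, year = end_m.groups()
        end = datetime.strptime(f"{hhmmss} {mon} {day} {year}",
                                "%H:%M:%S %b %d %Y").replace(tzinfo=timezone.utc)
        certs.append((tp_m.group(1), end))
    return certs


def expired_self_signed(text, now=None):
    """Names of expired self-signed trustpoints only.

    CA-enrolled trustpoints (anything not named TP-self-signed-*) are never
    returned: `no crypto pki trustpoint` on one of those destroys the
    CA-issued certificate, which is not what this procedure is for."""
    now = now or datetime.now(timezone.utc)
    return [tp for tp, end in parse_certificates(text)
            if tp.startswith("TP-self-signed-") and end <= now]


def renewal_commands(trustpoint):
    """The config-mode steps from the post for one expired self-signed
    trustpoint; `write memory` is added so the new certificate is saved."""
    return [
        "configure terminal",
        "no ip http secure-server",                # stop HTTPS before touching the trustpoint
        f"no crypto pki trustpoint {trustpoint}",  # IOS asks yes/no here; answer yes
        "ip http secure-server",                   # regenerates trustpoint + certificate
        "do show crypto pki certificates",         # verify the new validity period
        "end",
        "write memory",
    ]


if __name__ == "__main__":
    for tp in expired_self_signed(SAMPLE_OUTPUT):
        print(f"! {tp} has expired; renew with:")
        print("\n".join(renewal_commands(tp)))
```

On a real device, feed the actual `show crypto pki certificates` output into `expired_self_signed` instead of the sample. If you push the generated commands over SSH with an automation library, remember that `no crypto pki trustpoint` stops at a yes/no confirmation prompt, so the session must answer it rather than wait for the normal prompt to return.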
