Crypto certs

Essendon Member Posts: 4,546 ■■■■■■■■■■
Hi all,

I was configuring a router at work (haven't asked the boss about this problem yet and trying to be smart). There is a crypto certificate that I need to remove. A simple no command should be able to remove it, but when I SAVE the running-config and restart the router, the crypto certificate comes back.... The sh run output is as follows:

crypto pki trustpoint TP-self-signed-2926387006
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2926387006
revocation-check none
rsakeypair TP-self-signed-2926387006
!
!
crypto pki certificate chain TP-self-signed-2926387006
certificate self-signed 01
3082024B 308201B4 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 32393236 33383730 3036301E 170D3037 30393235 32333334


So I issue commands :
(config)#no crypto pki trustpoint TP-self-signed-2926387006

--and--

(config)#no crypto pki certificate chain TP-self-signed-2926387006

The crypto cert should go away and does go away till I restart the router. When the router restarts, either by issuing the reload command or powering it off/on, the certs come back. How do I REMOVE the certs PERMANENTLY?

SOMEONE PLEASE HELP....
NSX, NSX, more NSX..

Blog >> http://virtual10.com

Comments

  • mikej412 Member Posts: 10,086 ■■■■■■■■■■
    To delete all of your router's RSA keys, use the crypto key zeroize rsa command in global configuration mode.
    :mike: Cisco Certifications -- Collect the Entire Set!
  • dtlokee Member Posts: 2,378 ■■■■□□□□□□
    I think you'll need to use the "no ip http secure-server" command to remove the https server. If the router does not have a persistent certificate it will create a "self signed" certificate for SSL when it boots.
    The only easy day was yesterday!
  • Essendon Member Posts: 4,546 ■■■■■■■■■■
    mikej412 wrote:
    To delete all of your router's RSA keys, use the crypto key zeroize rsa command in global configuration mode.

    Mike, for some reason the router's RSA keys do NOT go away when I enter the crypto key zeroize rsa command in global configuration mode. I saved the config, reloaded the router and the crypto seemed to have gone. Just to be on the safe side, I powered the router off/on and did a sh run again, and alas! the key was still there. Wonder why this is happening?? Btw, it is an 1800 series router, perhaps there is a different command for this series of Cisco gear.....

    Still need HELP....
  • Essendon Member Posts: 4,546 ■■■■■■■■■■
    dtlokee wrote:
    I think you'll need to use the "no ip http secure-server" command to remove the https server. If the router does not have a persistent certificate it will create a "self signed" certificate for SSL when it boots.

    dtlokee, this one was a no-go too, still the self-signed certificate comes back....

    I am sure there is a way around this problem.....
  • dtlokee Member Posts: 2,378 ■■■■□□□□□□
    If you already had a self signed certificate when you disabled the https server, then issued a write mem to save the config, then reloaded, the certificate was saved as well. Try using the "crypto key zeroize rsa" as Mike suggested then reload again.
    The only easy day was yesterday!
  • Essendon Member Posts: 4,546 ■■■■■■■■■■
    Thanks mike and dtlokee....it has worked...I tried different combos of what u guys suggested and it HAS worked this time.....
    U guys are INDISPENSABLE....
    And btw, I am writing my CCNA (ICND) early next month, please wish me luck... :)
  • dtlokee Member Posts: 2,378 ■■■■□□□□□□
    MobilTech wrote:
    Thanks mike and dtlokee....it has worked...I tried different combos of what u guys suggested and it HAS worked this time.....
    U guys are INDISPENSABLE....
    And btw, I am writing my CCNA (ICND) early next month, please wish me luck... :)

    Glad to hear it worked out for you. Good luck on the ICND, and I can assure you there will not be any questions on certificates :)
    The only easy day was yesterday!
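
Added example, not part of the original thread or any poster's code: a Python check over a saved "sh run" that lists the items the replies tie to the returning certificate (the HTTPS server setting, the self-signed trustpoint with its RSA key pair name, and the stored chain). The function name and the sample text, including its `ip http secure-server` line, are constructed for illustration.

```python
import re

# Constructed sample, modelled on the "sh run" excerpt quoted in the thread.
SAMPLE_RUN = """\
ip http secure-server
!
crypto pki trustpoint TP-self-signed-2926387006
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2926387006
 revocation-check none
 rsakeypair TP-self-signed-2926387006
!
crypto pki certificate chain TP-self-signed-2926387006
 certificate self-signed 01
"""

def audit_self_signed(config_text):
    """List the config items the thread ties to a returning self-signed cert."""
    https_server, trustpoints, chains = False, {}, []
    current = None  # trustpoint block currently being read
    for raw in config_text.splitlines():
        line = raw.strip()  # tolerate output pasted without indentation
        if line == "ip http secure-server":
            https_server = True
        elif (m := re.fullmatch(r"crypto pki trustpoint (\S+)", line)):
            current = trustpoints.setdefault(
                m.group(1), {"selfsigned": False, "rsakeypair": None})
        elif (m := re.fullmatch(r"crypto pki certificate chain (\S+)", line)):
            chains.append(m.group(1))
            current = None
        elif line == "!":
            current = None  # "!" separates blocks in IOS output
        elif current is not None and line == "enrollment selfsigned":
            current["selfsigned"] = True
        elif current is not None and line.startswith("rsakeypair "):
            current["rsakeypair"] = line.split()[1]
    findings = []
    if https_server:
        findings.append("HTTPS server enabled: a self-signed cert is created at boot if none is stored")
    for name, tp in trustpoints.items():
        if tp["selfsigned"]:
            findings.append(f"self-signed trustpoint {name} (rsakeypair {tp['rsakeypair']}) is in this config")
    for name in chains:
        if trustpoints.get(name, {}).get("selfsigned"):
            findings.append(f"certificate chain for {name} is in this config")
    return {"https_server": https_server, "trustpoints": trustpoints,
            "chains": chains, "findings": findings}

if __name__ == "__main__":
    for finding in audit_self_signed(SAMPLE_RUN)["findings"]:
        print(finding)
```

An empty findings list on the config that was saved before the reload means none of the three items from the replies is still present in it.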