Install Web Admin Certificates on Catalyst 9000 Switches

Available Languages

Download Options

  • PDF     (40.5 KB)
    View with Adobe Reader on a variety of devices
  • ePub     (84.9 KB)
    View in various apps on iPhone, iPad, Android, Sony Reader, or Windows Phone
  • Mobi (Kindle)     (73.8 KB)
    View on Kindle device or Kindle app on multiple devices
Updated:July 10, 2025
Document ID:223258

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

    Introduction

    This document describes the process to generate, download, and install certificates on Catalyst 9000 series switches.

    Prerequisites

    Requirements

    Cisco recommends that you have knowledge of these topics:

    • How to configure Catalyst 9000 series switches
    • How to sign Certificates using Microsoft Windows Server
    • Public Key Infrastructure (PKI) and digital certificates

    Components Used

    The information in this document is based on these software and hardware versions:

    • Cisco Catalyst 9300 Switch, Cisco IOS® XE version 17.12.4
    • Microsoft Windows Server 2022

    The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.

    Background Information

    This document provides a step-by-step guide for generating a Certificate Signing Request (CSR), getting it signed by a Certification Authority (CA), and installing the resulting certificate (along with the CA certificate) on a Catalyst 9000 switch.

    The goal is to enable secure web (HTTPS) administration of the switch using a trusted certificate, ensuring compatibility with modern web browsers and compliance with organizational security policies.

    Configure

    This section provides a detailed workflow for generating, signing, and installing a web admin certificate on a Catalyst 9000 switch. Each step includes relevant CLI commands, explanations, and example outputs.

    Step 1: Define a Key

    Generate a general-purpose RSA key pair and use it to secure the certificate. The key must be exportable and can be sized according to security needs (1024 to 4096 bits).

    device(config)#crypto key generate rsa general-keys label csr-key exportable

    Example output when prompted for modulus size:

    The name for the keys will be: csr-key
Choose the size of the key modulus in the range of 512 to 4096 for your  General Purpose Keys. Choosing a key modulus greater than 512 may take  a few minutes.
How many bits in the modulus [1024]: 4096
% Generating 4096 bit RSA keys, keys will be exportable...
[OK] (elapsed time was 4 seconds)

    Step 2: Generate a Certificate Signing Request (CSR)

    Configure a trustpoint on the switch for the web admin certificate, specifying enrollment via terminal, disabling revocation check, and providing identifying information (subject name, key, and subject alternative names).

    device(config)#crypto pki trustpoint webadmin-TP
device(ca-trustpoint)#enrollment terminal pem
device(ca-trustpoint)#revocation-check none
device(ca-trustpoint)#subject-name C=SJ, ST=CA, L=CA, O=TAC, OU=LANSW, CN=myc9300.local-domain
device(ca-trustpoint)#rsakeypair csr-key
device(ca-trustpoint)#subject-alt-name mywebadmin.com
device(ca-trustpoint)#exit

    Enroll the trustpoint to generate the CSR. You must be prompted for various options; providing "yes" or "no" as needed. The certificate request must be displayed on the terminal.

    device(config)#crypto pki enroll webadmin-TP

    Example output:

    % Start certificate enrollment ..
% The subject name in the certificate will include: C=SJ, ST=CA, L=CA, O=TAC, OU=LANSW, CN=myc9300.local-domain
% The subject name in the certificate will include: C9300.cisco.com
% Include the router serial number in the subject name? [yes/no]: yes
% Include an IP address in the subject name? [no]: yes
Display Certificate Request to terminal? [yes/no]: yes
Certificate Request follows:
-----BEGIN CERTIFICATE REQUEST-----

-----END CERTIFICATE REQUEST-----
---End - This line not part of the certificate request---
Redisplay enrollment request? [yes/no]: no

    Parameters available for subject name configuration:

    • C: Country, two capital letters only ( US)
    • ST: State or Province Name
    • L: Location Name (city)
    • O: Organization Name (company)
    • OU: Organizational Unit Name (department/section)
    • CN: Common Name (FQDN or IP address to be accessed)

    Step 3: Submit the CSR to the Certification Authority (CA)

    Copy the full CSR string (including the BEGIN and END lines) and submit it to your CA for signing.

    -----BEGIN CERTIFICATE REQUEST-----

-----END CERTIFICATE REQUEST-----

    If you use a Microsoft Windows Server CA, download the signed certificate in Base64 format. You typically receive the signed device certificate and possibly a Root CA certificate.

    Step 4: Authenticate Root CA Base64 Certificate

    Install the CA’s certificate (in Base64 format) onto the switch to establish trust in the CA that issued your device certificate.

    device(config)#crypto pki authenticate webadmin-TP

    Paste the CA certificate (including the BEGIN and END lines) when prompted. Example:

    Enter the base 64 encoded CA certificate.
End with a blank line or the word "quit" on a line by itself
-----BEGIN CERTIFICATE-----

-----END CERTIFICATE-----
Certificate has attributes:
      Fingerprint MD5: C7224F3A A9B0426A FDCC50E6 8A04583E
      Fingerprint SHA1: 9B31C319 A515AC41 0114EA43 33716E8B 472A4EF5
% Do you accept this certificate? [yes/no]: yes
Trustpoint CA certificate accepted.
% Certificate successfully imported

    Step 5: Authenticate Device Base64 Certificate

    Authenticate the device's signed certificate against the installed CA certificate.

    device(config)#crypto pki trustpoint webadmin-TP
device(ca-trustpoint)#chain-validation stop
device(ca-trustpoint)#crypto pki authenticate webadmin-TP

    When prompted, paste in the device certificate:

    Enter the base 64 encoded CA certificate.
End with a blank line or the word "quit" on a line by itself
-----BEGIN CERTIFICATE-----

-----END CERTIFICATE-----
Certificate has the following attributes: 
Fingerprint MD5: DD05391A 05B62573 A38C18DD CDA2337C 
Fingerprint SHA1: 596DD2DC 4BF26768 CFB14546 BC992C3F F1408809 
Certificate validated - Signed by existing trustpoint CA certificate.

Trustpoint CA certificate accepted. 
% Certificate successfully imported

    Step 6: Import Device Signed Certificate on the Catalyst 9000 Switch

    Import the Base64 signed device certificate into the trustpoint.

    device(config)#crypto pki import webadmin-TP certificate

    Paste the certificate when prompted:

    Enter the base 64 encoded certificate.
End with a blank line or the word "quit" on a line by itself

-----BEGIN CERTIFICATE-----
< 9300 device certificate >
-----END CERTIFICATE-----

% Router Certificate successfully imported

    At this point, the device certificate is imported to the switch along with all relevant CA(s), and the certificate is ready for use, including GUI (HTTPS) access.

    Step 7: Use the New Certificate

    Associate the trustpoint with the HTTP secure server and enable HTTPS access on the switch.

    device(config)#ip http secure-trustpoint webadmin-TP
    device(config)#no ip http secure-server
    device(config)#ip http secure-server

    Step 8: How to Ensure the Certificate is Trusted by Web Browsers

    • The certificate's Common Name (CN) or a Subject Alternative Name (SAN) must match the URL accessed by the browser.
    • The certificate must be within its validity period.
    • The certificate must be issued by a CA (or chain of CAs) whose root is trusted by the browser. The switch must provide the full certificate chain (except the root CA, which is typically already present in the browser's store).
    • If the certificate contains revocation lists, ensure the browser can download them and that the certificate's CN is not listed in any revocation list.

    Verify

    You can use these commands to verify the certificate configuration and current status:

    View the installed certificates and their status for a trustpoint:

    device#show crypto pki certificate webadmin-TP

    Example output:

    Certificate  Status: Available  
Certificate Serial Number (hex): 4700000129584BB4BAFA13EABB000000000129  
Certificate Usage: General Purpose  
Issuer:     cn=mitch-DC02-CA    dc=mitch    dc=local  
Subject:    Name: C9300.cisco.com    
            Serial Number: XXXXXXXXXX    
            cn=myc9300.local-domain    
            ou=LANSW    
            o=TAC    
            l=CA    
            st=CA    
            c=SJ    
            hostname=C9300.cisco.com
Validity Date:     
    start date: 05:09:42 UTC Jun 12 2025    
    end   date: 07:25:06 UTC Dec 16 2026  
Associated Trustpoints: webadmin-TP

CA Certificate  Status: Available  
Certificate Serial Number (hex): 101552448B9C2EBB488C40034C129F4A  
Certificate Usage: Signature  
Issuer:     cn=mitch-DC02-CA    dc=mitch    dc=local  
Subject:     cn=mitch-DC02-CA    dc=mitch    dc=local  
Validity Date:     
    start date: 07:15:06 UTC Dec 16 2021    
    end   date: 07:25:06 UTC Dec 16 2026  
Associated Trustpoints: webadmin-TP RootCA

    Verify the HTTPS server status and associated trustpoint:

    device#show ip http server secure status

    Example output:

    HTTP secure server status: Enabled
HTTP secure server port: 443
HTTP secure server ciphersuite:  rsa-aes-cbc-sha2 rsa-aes-gcm-sha2        
                                 dhe-aes-cbc-sha2 dhe-aes-gcm-sha2 
                                 ecdhe-rsa-aes-cbc-sha2
                                 ecdhe-rsa-aes-gcm-sha2 ecdhe-ecdsa-aes-gcm-sha2
HTTP secure server TLS version:  TLSv1.2 TLSv1.1
HTTP secure server client authentication: Disabled
HTTP secure server PIV authentication: Disabled
HTTP secure server PIV authorization only: Disabled
HTTP secure server trustpoint: webadmin-TP
HTTP secure server peer validation trustpoint: 
HTTP secure server ECDHE curve: secp256r1
HTTP secure server active session modules: ALL

    Troubleshoot

    If you encounter issues during the certificate installation process, use this commands to enable debugging of PKI transactions. This is especially useful for diagnosing failures during certificate import or enrollment.

    device#debug crypto pki transactions

    Example of a successful scenario debug output:

    *Jun 12 05:16:03.531: %CRYPTO_ENGINE-5-KEY_ADDITION: A key named C9300.cisco.com has been generated or imported by crypto-engine
*Jun 12 05:16:03.534: %CRYPTO-6-AUTOGEN: Generated new 2048 bit key pair
*Jun 12 05:16:03.556: CRYPTO_PKI: unlocked trustpoint RootCA, refcount is 0
*Jun 12 05:16:03.556: CRYPTO_PKI: using private key C9300.cisco.com for enrollment
*Jun 12 05:16:04.489: CRYPTO_PKI: Adding myc9300.local-domain to subject-alt-name field
*Jun 12 05:16:17.463: CRYPTO_PKI: using private key csr-key for enrollment
*Jun 12 05:18:32.378: CRYPTO_PKI: locked trustpoint webadmin-TP, refcount is 1
*Jun 12 05:19:15.464: CRYPTO_PKI: unlocked trustpoint webadmin-TP, refcount is 0
*Jun 12 05:19:15.470: CRYPTO_PKI: trustpoint webadmin-TP authentication status = 0
*Jun 12 05:19:15.472: CRYPTO_PKI: (A018E) Session started - identity not specified
*Jun 12 05:19:15.473: CRYPTO_PKI: crypto_pki_get_cert_record_by_subject()
*Jun 12 05:19:15.473: CRYPTO_PKI: Found a subject match
*Jun 12 05:19:15.473: CRYPTO_PKI: (A018E) Check for identical certs
*Jun 12 05:19:15.473: CRYPTO_PKI: Found a issuer match
*Jun 12 05:19:15.473: CRYPTO_PKI: (A018E) Suitable trustpoints are: RootCA,
*Jun 12 05:19:15.473: CRYPTO_PKI: (A018E) Attempting to validate certificate using RootCA policy
*Jun 12 05:19:15.473: CRYPTO_PKI: (A018E) Using RootCA to validate certificate
*Jun 12 05:19:15.474: CRYPTO_PKI(make trusted certs chain)
*Jun 12 05:19:15.474: CRYPTO_PKI: Added 1 certs to trusted chain.
*Jun 12 05:20:05.555: CRYPTO_PKI: locked trustpoint webadmin-TP, refcount is 1
*Jun 12 05:20:25.734: CRYPTO_PKI: unlocked trustpoint webadmin-TP, refcount is 0
*Jun 12 05:20:25.735: CRYPTO_PKI(Cert Lookup) issuer="cn=mitch-DC02-CA,dc=mitch,dc=local" serial number= 10 15 52 44 8B 9C 2E BB 48 8C 40 03 4C 12 9F 4A
*Jun 12 05:20:25.735: CRYPTO_PKI: crypto_pki_get_cert_record_by_cert()
*Jun 12 05:20:25.735: CRYPTO_PKI: Found a cert match
*Jun 12 05:20:25.735: CRYPTO_PKI: crypto_pki_authenticate_tp_cert()
*Jun 12 05:20:25.735: CRYPTO_PKI: trustpoint webadmin-TP authentication status = 0
*Jun 12 05:20:32.094: PKI: Cert key-usage: Digital-Signature , Certificate-Signing , CRL-Signing
*Jun 12 05:20:32.096: CRYPTO_PKI: Notify subsystem about new certificate.
*Jun 12 05:20:32.097: CRYPTO_PKI: unlocked trustpoint webadmin-TP, refcount is 0
*Jun 12 05:21:50.789: CRYPTO_PKI: using private key csr-key for enrollment
*Jun 12 05:22:12.947: CRYPTO_PKI: make trustedCerts list for webadmin-TP

    Notes and Limitations

    • Cisco IOS® XE does not support CA certificates with a validity beyond 2099 (Cisco bug ID CSCvp64208 ).
    • Cisco IOS® XE does not support SHA256 message digest PKCS 12 bundles (SHA256 certs are supported, but not if the PKCS12 bundle itself is signed with SHA256) (Cisco bug ID CSCvz41428 ). This is fixed in 17.12.1.

    Related Information

    Revision History

    Revision Publish Date Comments
    1.0
    10-Jul-2025
    Initial Release
    TAC Authored

    Contributed by Cisco Engineers

    • Mitch Ascencio
      Technical Consulting Engineer

    Was this Document Helpful?

    FeedbackFeedback

    Contact Cisco

    This Document Applies to These Products