Using a Cisco Router with a Self-Signed Certificate

For application development and testing, you can generate self-signed certificates to encrypt communications between your applications and the router. When you enter the transport type tls command, you can use the localcert local-trustpoint option to specify whether the router generates its own certificate or gets its certificate from the local trustpoint:

  • If you explicitly specify the localcert local-trustpoint option, the router gets its certificate from the local trustpoint.

  • If you do not specify the localcert local-trustpoint option, the router uses its own self-signed certificate. If a self-signed certificate is already present, the router reuses it. If no self-signed certificate is present, the router generates a new one and uses that.

Once a certificate has been generated, you can copy it to a location readable by your onePK application (such as the nerootca.pem file). Alternatively, applications can be designed to use pinned certificates: an application can request a key from a network device and verify it against a local pinning file. If the key is not found in the pinning file, the application can then ask the user whether to accept or reject the key.


Self-signed certificates are appropriate for application development and testing in small deployments only. Do not use self-signed certificates in a production environment. For additional security, as well as more precise control over the use and revocation of individual certificates, a production deployment must always use a Certificate Authority to sign and manage certificates. Never use pinning in a production environment; to manage certificates and keys in such environments, use secure mechanisms, such as PKI with a CA. See Using a Cisco Router with a Certificate Authority.


    1.    enable

    2.    configure terminal

    3.    onep

    4.    transport type tls disable-remote-validation

    5.    CNTL/Z

    6.    copy running-config startup-config

    7.    show onep status

    Command or Action / Purpose

    Step 1  enable
      Command: Router> enable
      Purpose: Enters global configuration mode.

    Step 2  configure terminal
      Command: Router# configure terminal
      Purpose: Enters global configuration mode.

    Step 3  onep
      Command: Router(config)# onep
      Purpose: Enters onep configuration mode.

    Step 4  transport type tls disable-remote-validation
      Command:
        Router(config-onep)# transport type tls disable-remote-validation
        Generating 1024 bit RSA keys, keys will be non-exportable...
      Purpose: Enables TLS on the router and configures the router to use a self-signed certificate. Also disables remote certificate validation, because bidirectional certificate exchange is not supported with self-signed certificates.

    Step 5  CNTL/Z
      Command:
        Router(config-onep)# ^Z
        *Feb 12 07:23:37.156: %SYS-5-CONFIG_I: Configured from console by console
      Purpose: Exits configuration mode.

    Step 6  copy running-config startup-config
      Command:
        Router# copy running-config startup-config
        Building configuration...
      Purpose: Saves your changes to the startup configuration.

    Step 7  show onep status
      Command:
        Router# show onep status
        Status: enabled by: Config
        Version: 1.4.0
        Transport: tls; Status: running; Port: 15002; localcert: TP-self-signed-4294967295; client cert validation disabled
        Certificate Fingerprint SHA1: 15947854 B327D612 EA083014 623A0B0C BD559677
        Transport: tipc; Status: disabled
        Session Max Limit: 10
        CPU Interval: 0 seconds
        CPU Falling Threshold: 0%
        CPU Rising Threshold: 0%
        History Buffer: Enabled
        History Buffer Purge: Oldest
        History Buffer Size: 32768 bytes
        History Syslog: Disabled
        History Archived Session: 0
        History Max Archive: 16
        Trace buffer debugging level is info
        Service Set: Base
        State: Enabled by Default
        Version 1.4.0
        Accessible by:
          All Applications
        Service Set: Vty
        State: Disabled
        Version 0.1.0
        Accessible by:
        Service Set: Mediatrace
        State: Disabled
        Version 1.0.0
        Accessible by:
      Purpose: Displays the onep configuration used by this router.

      The Certificate Fingerprint section contains the value that the pinning mechanism uses. See "Managing Certificates and Keys in End-Node Hosted Applications" in Tech Note: TLS Certificate Pinning and TLS Debugging on the Cisco DevNet site.
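    The pinning flow described above (fetch the router's certificate, compare its SHA1 fingerprint with a local pinning file, and ask the user only when no pin exists), as an added example that is not part of the original document or the onePK SDK. The pin-file layout ("host fingerprint" per line) and the router address 10.0.0.1 are assumptions; the fingerprint formatting matches the show onep status output above.

```python
import hashlib
import socket
import ssl

# Constructed sample pin file (hypothetical layout, not the SDK's own).
# The fingerprint is the one printed by 'show onep status' on this page.
PIN_FILE_SAMPLE = """\
# host      SHA1 fingerprint as shown by 'show onep status'
10.0.0.1    15947854 B327D612 EA083014 623A0B0C BD559677
"""

def fingerprint_sha1(cert_der: bytes) -> str:
    """SHA1 of the DER certificate, formatted like the router's
    'Certificate Fingerprint SHA1:' line (five 8-hex-digit groups)."""
    digest = hashlib.sha1(cert_der).hexdigest().upper()
    return " ".join(digest[i:i + 8] for i in range(0, 40, 8))

def parse_pin_file(text: str) -> dict:
    """Map host -> normalized (no spaces, upper-case) fingerprint."""
    pins = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            host, fp = line.split(None, 1)
            pins[host] = fp.replace(" ", "").upper()
    return pins

def check_pin(pins: dict, host: str, fingerprint: str) -> str:
    """Return 'match', 'mismatch', or 'unknown' when no pin is recorded."""
    expected = pins.get(host)
    if expected is None:
        return "unknown"
    return "match" if expected == fingerprint.replace(" ", "").upper() else "mismatch"

def fetch_router_fingerprint(host: str, port: int = 15002) -> str:
    """Connect to the onePK TLS port and fingerprint the presented cert.
    Chain validation is off only because a self-signed cert has no CA;
    the pin comparison in check_pin() is what authenticates the router."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return fingerprint_sha1(tls.getpeercert(binary_form=True))

if __name__ == "__main__":
    pins = parse_pin_file(PIN_FILE_SAMPLE)
    fp = fetch_router_fingerprint("10.0.0.1")
    result = check_pin(pins, "10.0.0.1", fp)
    if result == "unknown":  # no pin yet: let the user decide, as the text describes
        result = "match" if input(f"Accept {fp}? [y/N] ").lower() == "y" else "rejected"
    print(result)  # a 'mismatch' must be treated as a failed connection
```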

    What to Do Next

    After completing this procedure, you can test your configuration. Go to Testing Certificate Installation to run one of the sample applications.