General operating rules and notes
Once you generate a certificate on the switch avoid re-generating the certificate without a compelling reason. Otherwise, you will have to re-introduce the switch certificate on all management stations (clients) previously set up for SSL access to the switch. In some situations this can temporarily allow security breaches.
The switch public/private certificate key pair and certificate are stored in the switch flash memory and are not affected by reboots or the
erase startup-config
command.The public/private certificate key pair is not be confused with the SSH public/private key pair. The certificate key pair and the SSH key pair are independent of each other, which means a switch can have two key pairs stored in flash.