ip http secure-server
Enables the HTTPS server on a Cisco IOS device to allow secure web-based management and API access using SSL/TLS.
ip http secure-server
When to Use This Command
- Securing the web GUI (e.g., Cisco Configuration Professional) with HTTPS instead of HTTP.
- Enabling RESTCONF or NETCONF over HTTPS for programmatic network automation.
- Providing encrypted remote management access to network administrators via a web browser.
- Complying with security policies that require encrypted management traffic.
Command Examples
Enable HTTPS server with default settings
ip http secure-server
Router(config)# ip http secure-server
Router(config)# %HTTPS: Starting HTTPS server on port 443
Router(config)#
The command enables the HTTPS server on the default port 443. The output confirms the server has started.
Verify HTTPS server status
show ip http server status
HTTP server status: Enabled
HTTP server port: 80
HTTPS server status: Enabled
HTTPS server port: 443
HTTP authentication method: local
HTTP timeout: 180 seconds
HTTP maximum number of connections: 5
HTTP secure server cipher suite: 3des-ede-cbc-sha
HTTP secure server TLS version: 1.2
The output shows both HTTP and HTTPS servers are enabled. HTTPS uses port 443, TLS 1.2, and 3DES encryption. The authentication method is local.
Understanding the Output
The command itself produces minimal output, typically just a confirmation message. To verify, use 'show ip http server status'. Key fields: 'HTTPS server status' should be 'Enabled'; 'HTTPS server port' is usually 443; 'HTTP authentication method' shows how users are authenticated (local, AAA, etc.); 'HTTP secure server TLS version' indicates the TLS version (should be 1.2 or higher for security). If the server fails to start, check for certificate issues or port conflicts.
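An added example, not part of the original page and not Cisco tooling: a small Python check that parses the 'show ip http server status' fields shown above and reports the ones that miss the targets described in this section. The field names come from this page's sample output; the weak-cipher pattern and the flagging of the cleartext HTTP server are policy assumptions of this example.

```python
import re

# Sample copied from the status output shown on this page, one field per line.
SAMPLE_STATUS = """\
HTTP server status: Enabled
HTTP server port: 80
HTTPS server status: Enabled
HTTPS server port: 443
HTTP authentication method: local
HTTP timeout: 180 seconds
HTTP maximum number of connections: 5
HTTP secure server cipher suite: 3des-ede-cbc-sha
HTTP secure server TLS version: 1.2
"""

# Assumption of this example: suite names containing these tokens count as weak.
WEAK_CIPHER = re.compile(r"3des|rc4|null|(^|-)des-")

def parse_status(text):
    """Return {field name: value} from 'show ip http server status' text."""
    fields = {}
    for line in text.splitlines():
        name, sep, value = line.partition(":")
        if sep and value.strip():
            fields[name.strip()] = value.strip()
    return fields

def audit_status(text):
    """Return a list of findings; an empty list means every check passed."""
    f = parse_status(text)
    findings = []
    if f.get("HTTPS server status") != "Enabled":
        findings.append("HTTPS server is not enabled")
    if f.get("HTTP server status") == "Enabled":
        findings.append("cleartext HTTP server is also enabled")
    m = re.fullmatch(r"(\d+)\.(\d+)", f.get("HTTP secure server TLS version", ""))
    if not m:
        findings.append("TLS version missing or unparseable")
    elif (int(m.group(1)), int(m.group(2))) < (1, 2):
        findings.append("TLS version is below 1.2")
    suites = f.get("HTTP secure server cipher suite", "").lower().split()
    weak = [s for s in suites if WEAK_CIPHER.search(s)]
    if weak:
        findings.append("weak cipher suite(s): " + ", ".join(weak))
    return findings

if __name__ == "__main__":
    for finding in audit_status(SAMPLE_STATUS):
        print("FINDING:", finding)
```

Run against the page's sample, it reports the HTTP server and the 3DES suite; paste real device output into audit_status() to check a live configuration.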
CCNA Exam Tips
The CCNA exam may ask which command enables secure web access; remember 'ip http secure-server' in global config.
Know that 'ip http secure-server' requires a trustpoint certificate; if none is configured, the router generates a self-signed certificate.
The exam might test that HTTPS uses port 443 by default, and you can change it with 'ip http secure-port'.
Be aware that 'ip http server' must be enabled first for HTTPS to work, though HTTPS can be enabled independently.
Common Mistakes
Forgetting to enable 'ip http server' before 'ip http secure-server' — HTTPS may fail to start.
Not configuring a trustpoint or certificate, causing the router to use a self-signed certificate that browsers may reject.
Confusing 'ip http secure-server' with 'ip http server' — the former enables HTTPS, the latter enables HTTP.
Related Commands
crypto key generate rsa modulus [bits]
Generates an RSA key pair for SSH, encryption, or digital signatures on a Cisco IOS device, typically used to enable secure management access.
ip http server
Enables the HTTP server on a Cisco IOS device, allowing web-based management and access to the device's web interface for configuration and monitoring.
show ip http server status
Displays the operational status and configuration of the HTTP server (web server) on the Cisco IOS device, used to verify if the web-based GUI or REST API is enabled and accessible.