Enabling Certs on Apics

mmacdonald70
Level 1

I decided to enable PKI certificates for my 3 APICs today. I followed the instructions at

http://www.cisco.com/c/en/us/td/docs/switches/datacenter/aci/apic/sw/2-x/basic_config/b_APIC_Basic_Config_Guide_2_x/b_APIC_Basic_Config_Guide_2_x_chapter_011.html#concept_BE099C0BD5154A4493AEBC8BE21D4E0D

I imported my root cert, created three keyrings and CSRs, and generated and imported the signed keys. In the end I happily had three working keyrings, one for each APIC. The problem was that when I went to associate them with the Management Access policy, it seems to be global. I was only able to assign one keyring to the pod; I couldn't find a way to assign a different one to each APIC. So now I have three APIC servers using the same cert.

I'm assuming that I misunderstood the instructions but I'm not sure what I should have done.  Any suggestions?

3 Replies

iangallimore1
Level 1

I have a similar issue.
Although I will be looking to create a SAN cert for the 4 APICs, I suspect this would work, but I am hesitant because I want to wipe the fabric afterwards and rebuild.

As I understand it, the private key cannot be exported, so the certificate would then be invalid. Would I then need to create a new private key and implement the new SAN certificate?

Thanks

Ian

russhe
Cisco Employee

All fabric nodes (APICs, Leafs, Spines) will use the same cert that is configured under the keyring. A fabric can only have one active keyring. There are a couple of workarounds for this:

1) Use a wildcard cert to cover all node addresses. When generating the CSR, the DN would be apic*.cisco.com, for example, to cover the apic(1-9).cisco.com addresses. All nodes would then use this same cert.

2) Use a SAN in the cert. Currently, this is not supported for configuration in the GUI. This behavior is enhanced in the upcoming 3.0 release; see bug ID: https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvd86437 . TAC can assist with generating a new CSR using openssl to include SAN details in the CSR if you are unable to add the SAN details when signing.

It is not supported to import or export private keys to/from the APIC. So the CSR must be generated from the APIC. Please let me know if you have any additional questions or if that clears it up.

Thanks,

-Russ
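
The SAN workaround described in the reply above, carried through end to end with openssl as an added example (this is not code from the thread, from Cisco, or from TAC). It assumes three APICs named apic1-3.example.com with out-of-band addresses 10.0.0.11-13, a throw-away local CA that stands in for your enterprise CA, and a locally generated stand-in CSR; on a real fabric the CSR is the text the APIC keyring produced, because the private key never leaves the APIC, and only the signing step and the resulting certificate are yours to shape. The script signs the CSR while injecting a subjectAltName covering every APIC, then checks which hostnames and IPs the issued cert is actually valid for.

```shell
#!/bin/sh
# Added example: sign an APIC-generated CSR with a private CA while adding a
# subjectAltName for every APIC, then verify the result before importing it
# into the fabric keyring. Hostnames, IPs and the test CA are assumptions.
set -eu

WORK="${TMPDIR:-/tmp}/apic-san-demo.$$"
mkdir -p "$WORK"
trap 'rm -rf "$WORK"' EXIT

# Throw-away root CA standing in for the enterprise CA that signs the CSR.
make_ca() {
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 365 \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" \
        -subj "/CN=Example Lab Root CA/O=Example Lab" 2>/dev/null
}

# Stand-in for the CSR you copy out of the APIC keyring. The real one carries
# no SAN and its key stays on the APIC; only the CN is under your control.
make_stub_csr() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -keyout "$WORK/apic.key" -out "$WORK/apic.csr" \
        -subj "/CN=apic1.example.com/O=Example Lab" 2>/dev/null
}

# Sign the CSR and add the SAN at signing time (the fix that worked in the
# thread). $1 is the SAN list, e.g. "DNS:apic1.example.com,IP:10.0.0.11".
sign_with_san() {
    printf '%s\n' \
        "basicConstraints=CA:FALSE" \
        "keyUsage=digitalSignature,keyEncipherment" \
        "extendedKeyUsage=serverAuth" \
        "subjectAltName=$1" > "$WORK/san.ext"
    openssl x509 -req -in "$WORK/apic.csr" \
        -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
        -days 365 -sha256 -extfile "$WORK/san.ext" \
        -out "$WORK/apic.crt" 2>/dev/null
}

# Exit 0 if the issued cert chains to the CA and is valid for hostname $1.
cert_matches_host() {
    openssl verify -CAfile "$WORK/ca.crt" -verify_hostname "$1" \
        "$WORK/apic.crt" >/dev/null 2>&1
}

# Exit 0 if the issued cert chains to the CA and is valid for IP address $1.
cert_matches_ip() {
    openssl verify -CAfile "$WORK/ca.crt" -verify_ip "$1" \
        "$WORK/apic.crt" >/dev/null 2>&1
}

# Print the SAN extension so it can be eyeballed before the keyring import.
show_san() {
    openssl x509 -in "$WORK/apic.crt" -noout -ext subjectAltName
}

make_ca
make_stub_csr
sign_with_san "DNS:apic1.example.com,DNS:apic2.example.com,DNS:apic3.example.com,IP:10.0.0.11,IP:10.0.0.12,IP:10.0.0.13"
show_san
```

Run it once for each fabric and paste only apic.crt (plus the CA chain) into the keyring; the CSR and signing steps are the same whichever node generated the CSR, since the one keyring serves every node. Listing each APIC explicitly in the SAN, rather than relying on a wildcard inside a label such as apic*.example.com, also avoids depending on how a given browser or client interprets partial-label wildcards.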

Thank you. Created the SAN cert when signing and worked as expected.
