Catalyst Center External PKI Certificate Support

zachartl (Level 1)

Hello,

I have a Catalyst Center Appliance, version 2.3.5.5.

The organization does not operate its own PKI Certificate Authority. The CA is an external entity, well known for providing PKI certificate services. So I generated a CSR, submitted it and received what I believe to be a CA Certificate file and a Server Certificate (Catalyst Center Server Cert) file; both are .cer files. I successfully uploaded the latter file into our Catalyst Center Appliance and the Appliance accepted the Server Certificate, but there is an entry in the GUI certificate pane stating that the CA's authenticity is unknown or can't be verified.

Would I need to combine the two .cer files into a .pem file and then upload the resulting .pem file?

If so, would I be required to first generate a private key file as well and upload that file when I upload the new .pem file?

Thank you,

Terry

Accepted Solution

maflesch (Cisco Employee)

Hi Zachartl,

When you uploaded the cert into the GUI, did you upload only the system cert or the complete chain? There are times when Catalyst Center will accept the certificate without validating that the chain is present, and that will cause issues down the road.

Also, in the GUI under System Certificate, you will see Untrusted Authority until the Root CA that signed the CSR is imported into the Catalyst Center's trust pool.

As for the browser, unless the Root CA is signed by a well known CA that your browser is already aware of, the browser will continue to report that the cert cannot be trusted unless you import that into your browser trustpool.

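The checks behind that answer and behind the two questions in the original post (whether the two .cer files should be combined into one .pem, and which private key goes with it), as an added example that is not part of the thread and is not Cisco code: a throwaway root CA stands in for the external provider, the leaf certificate is verified with and without that CA as a trust anchor (the second case is the "authority unknown" state), the .cer files are converted to PEM if they are DER and concatenated leaf-first into one chain file, and the private key is compared against the certificate's public key. The CN values, the file names and the work directory are assumptions.

```shell
#!/bin/sh
# Added example, not from the Cisco thread or Cisco software. Reproduces the
# "cert installs but the CA is untrusted" symptom with a throwaway root CA,
# then shows the checks a practitioner runs before uploading a chain anywhere.
# CNs, file names and paths are assumptions.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Throwaway root CA (stand-in for the external PKI provider) plus a server
# key/CSR signed by it. Private config files, so the system openssl.cnf is not needed.
make_demo_pki() {
  dir="$1"
  cat > "$dir/ca.cnf" <<'EOF'
[ req ]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
CN = Example External Root CA
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  cat > "$dir/server.cnf" <<'EOF'
[ req ]
prompt = no
distinguished_name = dn
[ dn ]
CN = catalyst-center.example.local
EOF
  printf 'basicConstraints = CA:FALSE\nsubjectAltName = DNS:catalyst-center.example.local\n' \
    > "$dir/server.ext"
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 30 \
    -config "$dir/ca.cnf" -keyout "$dir/ca.key" -out "$dir/ca.cer" >/dev/null 2>&1
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -config "$dir/server.cnf" -keyout "$dir/server.key" -out "$dir/server.csr" >/dev/null 2>&1
  openssl x509 -req -sha256 -days 30 -in "$dir/server.csr" \
    -CA "$dir/ca.cer" -CAkey "$dir/ca.key" -CAcreateserial \
    -extfile "$dir/server.ext" -out "$dir/server.cer" >/dev/null 2>&1
}

# The symptom: a well-formed leaf with no trust anchor loaded. Non-zero = untrusted.
verify_no_trust() {  # $1 leaf cert
  openssl verify -no-CAfile -no-CApath "$1" >/dev/null 2>&1
}

# The fix: the CA certificate acts as the trust pool.
verify_chain() {  # $1 leaf cert, $2 CA cert (PEM)
  openssl verify -no-CAfile -no-CApath -CAfile "$2" "$1" >/dev/null 2>&1
}

# A .cer may be PEM or DER; normalise to PEM.
to_pem() {  # $1 input, $2 output
  openssl x509 -in "$1" -inform PEM -out "$2" 2>/dev/null \
    || openssl x509 -in "$1" -inform DER -out "$2"
}

# One chain file, leaf first, then the issuing CA(s).
build_chain() {  # $1 output, then certs leaf-first
  out="$1"; shift
  : > "$out"
  for c in "$@"; do
    to_pem "$c" "$out.tmp"
    cat "$out.tmp" >> "$out"
  done
  rm -f "$out.tmp"
}

# Sanity check that the bundle really carries every certificate.
cert_count() { grep -c 'BEGIN CERTIFICATE' "$1"; }

# The key must be the one the CSR came from: compare public-key digests.
key_matches_cert() {  # $1 private key, $2 cert
  k="$(openssl pkey -in "$1" -pubout -outform DER 2>/dev/null | openssl dgst -sha256)"
  c="$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null \
       | openssl pkey -pubin -outform DER 2>/dev/null | openssl dgst -sha256)"
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# Which CA signed it: the leaf's issuer must equal the CA's subject.
issuer_of()  { openssl x509 -in "$1" -noout -issuer  -nameopt RFC2253 | sed 's/^issuer=//'; }
subject_of() { openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject=//'; }

make_demo_pki "$WORK"
if verify_no_trust "$WORK/server.cer"; then
  echo "unexpected: leaf verified with no trust anchor"; exit 1
fi
echo "leaf alone: untrusted (the 'authority unknown' state)"
verify_chain "$WORK/server.cer" "$WORK/ca.cer" || { echo "leaf does not chain to CA"; exit 1; }
echo "leaf with CA in trust pool: OK"
build_chain "$WORK/chain.pem" "$WORK/server.cer" "$WORK/ca.cer"
echo "chain.pem holds $(cert_count "$WORK/chain.pem") certificates"
key_matches_cert "$WORK/server.key" "$WORK/server.cer" || { echo "key does not match cert"; exit 1; }
echo "issuer of leaf : $(issuer_of "$WORK/server.cer")"
echo "subject of CA  : $(subject_of "$WORK/ca.cer")"
```

The private key that has to accompany the chain is the one the CSR was generated from; a key from any other CSR fails `key_matches_cert`. The appliance's own trust-pool import is product specific and is not replaced by these commands; they only tell you, before the upload, whether the leaf chains to the CA file you were given and whether the bundle is complete.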

6 Replies

Hi @zachartl 

If the Appliance accepted the certificate and installed it, it's done. If the file were wrong, missing some part or in the wrong format, it would refuse to install.

About the message, there are some possibilities. The CA could indeed not be a valid one from the Appliance's or browser's perspective, or the Appliance needs to have connectivity to that CA in order to validate the information and is not able to reach it.

Can you share the error message?

Hi Flavio,

I'm unable to share the error message as I'm still new and don't yet have remote access. I submitted a request for a new DNS Address record and PTR Record for the DNAC Appliance and those DNS entries had not yet been put in place before I left on Friday past. Hopefully, this issue is due to the inability to communicate to the external CA until those DNS entries are in place. I will let you know as soon as I know. Thank you!

Hi Flavio,

I checked out the support link you sent and that didn't get us there. Thank you though for having come to our aid just the same. Please know we appreciate your knowledge and expertise with this situation.

Have a great evening.


Hello maflesch,

That was it. I had to import the CA Certificate into the Trusted Pool. 

This is my first go at working with external CAs and their certificates. In my previous life we had an internal CA.

Thank you for your input. Most Appreciated.
