08-15-2019 04:58 AM
Hello, in our company we have a DNAC test run.
I also installed an ISE.
Now I try to replace the DNAC certificate to build up the connection to ISE.
But uploading the certificate fails with "Certificate do not contain KeyUsage extension".
I took this example for creating my certificate:
req_extensions = v3_req
distinguished_name = req_distinguished_name
default_bits = 4096
default_md = sha512
prompt = no
[req_distinguished_name]
C = <two-letter-country-code>
ST = <state-or-province>
L = <city>
O = <company-name>
OU = MyDivision
CN = FQDN-of-Cisco-DNA-Center-on-GUI-port
emailAddress = responsible-user@mycompany.tld
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth,clientAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = FQDN-of-Cisco-DNA-Center-on-GUI-port
DNS.2 = FQDN-of-Cisco-DNA-Center-on-enterprise-port
DNS.3 = pnpserver.DomainAssignedByDHCPDuringPnP.tld
IP.1 = Enterprise port IP node #1
IP.2 = Enterprise port IP node #2
Does anyone have an idea what is wrong?
08-15-2019 05:33 AM
ok, found the solution:
[ ca ]
default_ca = CA_default
[ req ]
prompt = no
distinguished_name = req_distinguished_name
x509_extensions = v3_ca
[req_distinguished_name]
C =
ST =
L =
O =
OU =
CN =
emailAddress =
[alt_names]
DNS.1 =
IP.1 =
[ v3_ca ]
basicConstraints = CA:TRUE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment, keyCertSign
extendedKeyUsage = serverAuth,clientAuth
subjectAltName = @alt_names
[CA_default]
copy_extensions = copy
09-10-2019 06:40 AM
I have the same problem, but after trying this solution I get the error message "Certificate do not contain ClientAuth ExtendedKeyUsage extension". Even though I do have extendedKeyUsage = serverAuth,clientAuth in my template.
Anyone seen this?
09-24-2019 12:51 PM
Hi, I had the same issue and I solved it this way:
Finally you can verify your certificate with this command in Linux:
09-24-2019 01:50 AM
Hello Bothwalker,
Was it a self-signed certificate, or did you manage to get it signed by a CA?
Regards,
A.
06-04-2023 08:59 PM
The following openssl configuration worked with an MS internal CA-signed certificate, but you need to ensure the cert template you use on the CA has BOTH client and server auth support configured. If you use a default template, it likely only has server auth and the certificate will fail to install on DNAC.
In DNAC CLI, create openssl.cnf:
vi openssl.cnf
insert your config and save it:
[ req ]
prompt = no
req_extensions = v3_req
distinguished_name = req_distinguished_name
default_bits = 4096
default_md = sha512
[req_distinguished_name]
C = US
ST = California
O = Cisco
OU = TAC
L = San Jose
CN = dnac.cisco.com
emailAddress = tac@cisco.com
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = dnac.cisco.com
DNS.2 = pnpserver.cisco.com
IP.1 = 10.0.0.1
# IP.2 = <other cluster/mgmt IPs as required>
create your key:
openssl genrsa -out dna.key 4096
create your CSR using the config file:
openssl req -config openssl.cnf -new -key dna.key -out DNAC.csr
confirm it looks good:
openssl req -text -noout -verify -in DNAC.csr
Download the file from DNAC and use that in your CA with a template that has both Client Auth and Server Auth support.
Convert your new signed cert to PEM format:
openssl x509 -in "newdna.crt" -out "dna.pem"
Then add the intermediate CA and root CA certs under the new DNAC certificate left in dna.pem (new DNAC cert, then intermediate CA, then root CA, each one below the previous one's -----END CERTIFICATE----- line). You can copy and paste the text or cat them into a new file, whatever works for you, but you need them all chained in the same dna.pem file.
Final step is to Replace Certificate, using dna.pem and dna.key files created above, via System > Settings > Trust & Privacy > Certificates > Replace Certificate.
Drag the files in and select No for password encryption and Save it. It will log you out and you're done.
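A way to check a finished dna.pem for the two extensions the errors in this thread complain about (a KeyUsage extension, and clientAuth in extendedKeyUsage) before uploading it, written as an added example in Go that is not from any post here: it parses the first certificate in the bundle with Go's crypto/x509 instead of reading `openssl x509 -text` output, and SelfSignedPEM only fabricates a throwaway certificate (names like dnac.example.test are constructed) so the check can be exercised without a CA.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"encoding/pem"
	"math/big"
	"time"
)

// CheckDNACPEM inspects the first certificate in a PEM bundle (the identity cert in dna.pem) and returns what it lacks; an empty slice means it passes.
func CheckDNACPEM(bundle []byte) []string {
	block, _ := pem.Decode(bundle)
	if block == nil || block.Type != "CERTIFICATE" {
		return []string{"no CERTIFICATE block at start of bundle"}
	}
	id, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return []string{"unparseable certificate: " + err.Error()}
	}
	var problems []string // Go leaves KeyUsage at zero when the cert has no KeyUsage extension
	if id.KeyUsage&(x509.KeyUsageDigitalSignature|x509.KeyUsageKeyEncipherment) == 0 {
		problems = append(problems, "missing KeyUsage digitalSignature/keyEncipherment")
	}
	eku := map[x509.ExtKeyUsage]bool{}
	for _, u := range id.ExtKeyUsage {
		eku[u] = true
	}
	if !eku[x509.ExtKeyUsageServerAuth] {
		problems = append(problems, "missing serverAuth in extendedKeyUsage")
	}
	if !eku[x509.ExtKeyUsageClientAuth] {
		problems = append(problems, "missing clientAuth in extendedKeyUsage")
	}
	return problems
}

// SelfSignedPEM builds a throwaway self-signed cert with the given EKUs (constructed test input, not a real DNAC cert).
func SelfSignedPEM(eku []x509.ExtKeyUsage) []byte {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment, ExtKeyUsage: eku,
		DNSNames:     []string{"dnac.example.test", "pnpserver.example.test"},
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}
```

Run it against the real dna.pem by reading the file into CheckDNACPEM; a certificate issued from a server-only template reports exactly the missing clientAuth that DNAC rejects.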
08-24-2023 08:01 PM
Hi there, I just want to understand: we created openssl.cnf in the DNAC CLI. Do the openssl commands also need to be run in the DNAC CLI?
I also wonder how I can get the private key from the DNAC CLI.
Kindly advise.
08-25-2023 06:43 AM
Hi Fairuz, it is not mandatory to use the DNAC CLI for this. You could use a Linux machine, or even WSL, to make the request. You can use these commands to create the template:
mkdir certificados;cd certificados
openssl genrsa -out server.key 2048
cat > template.cnf
Then you fill out the template and finally you generate the request (dna-request.csr) and the private key (server.key):
openssl req -config template.cnf -new -key server.key -out dna-request.csr
And this is the order your certificate chain has to have once your CA has signed it:
Identity
Intermediate
Root
And if you need it, this is the template I always use. The IP.X entries are all the IP addresses of the DNAC. There are 16 because this is the template for a cluster. It is better to have this planned for a future cluster.
[ req ]
prompt = no
distinguished_name = req_distinguished_name
req_extensions = v3_req
x509_extensions = usr_cert # The extensions to add to a self-signed cert (openssl req -x509)
[ usr_cert ]
basicConstraints=CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth,clientAuth
[ v3_req ]
basicConstraints=CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth,clientAuth
subjectAltName = @alt_names
[req_distinguished_name]
C =
ST =
L =
O =
OU =
CN =
emailAddress =
[CA_default]
copy_extensions = copy
[alt_names]
DNS.1 = dnac.yourdomain
DNS.2 = pnpserver.yourdomain
DNS.3 = *.yourdomain
IP.1 =
IP.2 =
IP.3 =
IP.4 =
IP.5 =
IP.6 =
IP.7 =
IP.8 =
IP.9 =
IP.10 =
IP.11 =
IP.12 =
IP.13 =
IP.14 =
IP.15 =
IP.16 =