03-06-2019 09:41 AM
As I understand, DNA Center can have
The documentation explains that the server certificate may be issued by a subordinate external CA.
My question: may the device PKI sub-CA certificate be issued by a subordinate external CA? I mean
Level 1 Enterprise Root CA
Level 2 Enterprise Subordinate CA
Level 3 DNA Center device PKI sub-CA
Level 4 device certificate issued by DNA Center
03-06-2019 01:27 PM - edited 03-06-2019 01:34 PM
I am running this without "Level 2" and I don't have any problems... and also I don't see any problem there...
Anyway, I need to reset my lab in 2 weeks; then I will try it the way you provided...
EDIT:
1) Make sure the CSR contains all IP addresses, including the VIPs, and the FQDN of DNAC, like the pic shows.
2) Make sure that, when creating the "cert-package" you import into DNAC, it contains all the certs of all involved CAs!
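The SAN check from point 1 of the reply above, as an added example that is not part of the original thread or of Cisco's tooling: it lists which required subjectAltName entries are absent from a CSR before the CSR goes to the external CA. It assumes OpenSSL 1.1.1 or later; the function names, hostname and addresses are constructed placeholders.

```shell
#!/usr/bin/env bash
# Added example: report required SAN entries that a CSR does not contain.
# All names and addresses are constructed (example.test, 192.0.2.0/24).

# csr_sans FILE -> one SAN per line, normalised to "DNS:name" / "IP:addr"
csr_sans() {
  openssl req -in "$1" -noout -text 2>/dev/null |
    grep -A1 'X509v3 Subject Alternative Name' | tail -n 1 |
    tr ',' '\n' | sed -e 's/^[[:space:]]*//' -e 's/^IP Address:/IP:/'
}

# missing_sans FILE REQUIRED... -> prints each required entry absent from the CSR
missing_sans() {
  local csr=$1 have want; shift
  have=$(csr_sans "$csr")
  for want in "$@"; do
    # -x -F: whole-line literal match, so 192.0.2.1 never matches 192.0.2.10
    printf '%s\n' "$have" | grep -qxF -- "$want" || printf '%s\n' "$want"
  done
}

# make_sample_csr OUT SAN_LIST -> throwaway key and CSR, for the demo only
make_sample_csr() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" \
    -subj '/CN=dnac.example.test' -addext "subjectAltName=$2" -out "$1" 2>/dev/null
}

# Demo: the sample CSR omits the (constructed) VIP 192.0.2.20.
tmp=$(mktemp -d)
make_sample_csr "$tmp/dnac.csr" 'DNS:dnac.example.test,IP:192.0.2.10,IP:192.0.2.11'
missing_sans "$tmp/dnac.csr" \
  DNS:dnac.example.test IP:192.0.2.10 IP:192.0.2.11 IP:192.0.2.20
```

Empty output from `missing_sans` means every required entry is present in the CSR.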
09-23-2019 09:21 PM
Cisco DNA Center permits users to change the role of the Device PKI CA from a root CA to a subordinate CA.
When changing the private Cisco DNA Center's CA from a root CA to a subordinate CA, note the following:
If you intend to have the Cisco DNA Center act as a subordinate CA, it is assumed that you already have a root CA, for example, Microsoft CA, and you are willing to accept the Cisco DNA Center as a subordinate CA.
As long as the subordinate CA is not fully configured, the Cisco DNA Center will continue to operate as an internal root CA.
You will have to generate a Certificate Signing Request (CSR) file for the Cisco DNA Center (as described in this procedure) and have it manually signed by your external root CA.
You can refer to the link.
Regards
Ananth