DNA certificate err and ISE integrate err

lin.yang2
Level 1
 

DNA Center version: 2.2.3.5, ISE version: 3.1.0.518, Patch Information: 1,3

[Screenshot: DNA-ISE.png]

I verified this by replacing the certificate:

[Fri May 27 03:25:03 UTC] maglev@192.168.131.2 (maglev-master-192-168-131-2) ~
$ maglev cluster network display
[administration] password for 'admin':
cluster_network:
cluster_dns: 169.254.20.10
cluster_hostname: CISCODNA
cluster_subnet: 169.254.48.0/20
cluster_vip:
- 10.204.131.32
- 192.168.131.3
container_subnet: 169.254.32.0/20

$ ll
total 72
drwx------ 2 maglev maglev 4096 May 27 02:06 ./
drwxr-xr-x 9 maglev maglev 4096 May 27 03:25 ../
-rw------- 1 maglev maglev 1976 May 26 08:26 DNAC.csr
-rw------- 1 maglev maglev 1350 May 27 01:37 cernewrootder.pem
-rw------- 1 maglev maglev 2533 May 27 01:42 cernewsubder.pem
-rw-rw-r-- 1 maglev maglev 1809 May 26 08:38 certnewdna-0526.cer
-rw------- 1 maglev maglev 2504 May 27 02:03 certnewdna-0526.pem
-rw-rw-r-- 1 maglev maglev 2544 May 26 08:48 certnewdna-0526base64.cer
-rw-rw-r-- 1 maglev maglev 1372 May 26 09:22 certnewrootbase64.cer
-rw-rw-r-- 1 maglev maglev 955 May 26 09:22 certnewrootder.cer
-rw-rw-r-- 1 maglev maglev 2574 May 26 09:20 certnewsubbase64.cer
-rw-rw-r-- 1 maglev maglev 1828 May 26 09:19 certnewsubder.cer
-rw------- 1 maglev maglev 3243 May 26 08:26 csr.key
-rw------- 1 maglev maglev 6387 May 27 02:06 dnac-chain.pem
-rw------- 1 maglev maglev 516 May 26 08:26 openssl.cnf
-rw-rw-r-- 1 maglev maglev 4268 May 26 01:50 ''$'\351\243\236\345\241\224\345\257\206\347\240\201''.txt'

 

$ more openssl.cnf
req_extensions = v3_req
distinguished_name = req_distinguished_name
default_bits = 4096
default_md = sha512
prompt = no
[req_distinguished_name]
C = CN
ST = Ordos
L = Ordos
O = envision-aesc
OU = IT
CN = CISCODNA
emailAddress = lin.yang2@envision-aesc.com

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage=serverAuth,clientAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = CISCODNA
DNS.2 = pnpserver.DomainAssignedByDHCPDuringPnP.tld
DNS.3 = *.envision-aesc.cn

[Screenshot: DNA_error5.png]

Question 1: I am planning to integrate DNA and ISE, but it is reporting an error, and I don't know why.
Question 2: Judging from the error message, the certificate is wrong. I need to replace the certificate on the DNA, and I followed the steps one by one, but there is an error in the process of replacing the certificate, and I don't know why.
Question 3: How do I set up the openssl.cnf file correctly? Is there an example case? The Cisco documentation doesn't explain this well, and I don't know what I should pay attention to.

 

4 Replies

georgehewittuk1
Level 1

When you signed the certificate, did you sign it to include client and server authentication key usage, as it's mandatory?

 

The process is outlined here, and it says that: https://www.cisco.com/c/en/us/td/docs/cloud-systems-management/network-automation-and-management/dna-center/hardening_guide/b_dnac_security_best_practices_guide.html

 

Regards

GH

How can I fix this? How can I modify my openssl config file?

I think there is something wrong with my openssl config file.

 

$ more openssl.cnf
req_extensions = v3_req
distinguished_name = req_distinguished_name
default_bits = 4096
default_md = sha512
prompt = no
[req_distinguished_name]
C = CN
ST = Ordos
L = Ordos
O = envision-aesc
OU = IT
CN = CISCODNA
emailAddress = lin.yang2@envision-aesc.com

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage=serverAuth,clientAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = CISCODNA
DNS.2 = pnpserver.DomainAssignedByDHCPDuringPnP.tld
DNS.3 = *.envision-aesc.cn

 

extendedKeyUsage=serverAuth,clientAuth //////Do I need to delete it?

This should be something that's handled by your CA when they sign your CSR.  Currently, when they're signing it, it's stripping the ClientAuth portion out of the certificate.  They need to select a template that won't strip this field.
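An added check for the point made in this reply (it is not from the thread or from Cisco): it reports whether an issued certificate, such as certnewdna-0526.pem from the listing above, still carries both serverAuth and clientAuth after the CA signed it. The function names check_eku and mint_cert are my own, and the self-signed sample certificates are constructed only so the script runs offline.

```shell
#!/bin/sh
# Added example (not from the thread): verify that an issued DNA Center
# certificate kept BOTH EKUs that the CA template must not strip.
set -eu

# check_eku CERT.pem: 0 if extendedKeyUsage lists serverAuth AND clientAuth,
# 1 otherwise (the "CA stripped the ClientAuth portion" case).
check_eku() {
  eku=$(openssl x509 -in "$1" -noout -text 2>/dev/null \
        | grep -A1 'Extended Key Usage' || true)
  case "$eku" in *"TLS Web Server Authentication"*) ;; *) return 1 ;; esac
  case "$eku" in *"TLS Web Client Authentication"*) ;; *) return 1 ;; esac
  return 0
}

# mint_cert OUT.pem EKU_LIST: constructed self-signed sample standing in for
# the CA-issued cert, using a v3_req section shaped like the thread's, so
# the check can be exercised offline. Real deployments use the CA's cert.
mint_cert() {
  cfg=$(mktemp)
  cat > "$cfg" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = CISCODNA
[v3_req]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = $2
subjectAltName = DNS:CISCODNA
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$cfg.key" -days 1 \
    -config "$cfg" -extensions v3_req -out "$1" >/dev/null 2>&1
  rm -f "$cfg" "$cfg.key"
}

# Demo: the cert with both EKUs passes; the one signed with serverAuth only
# (what a wrong CA template produces) is flagged.
dir=$(mktemp -d)
mint_cert "$dir/both.pem" "serverAuth,clientAuth"
mint_cert "$dir/server_only.pem" "serverAuth"
for c in both server_only; do
  if check_eku "$dir/$c.pem"; then echo "$c.pem: serverAuth+clientAuth present"
  else echo "$c.pem: clientAuth missing (mandatory per the hardening guide)"; fi
done
rm -rf "$dir"
```

Run check_eku against the PEM the CA returned before importing it into DNA Center; if it fails, ask the CA team for a template that keeps client authentication, as this reply suggests.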

georgehewittuk1
Level 1

@lin.yang2 what CA are you using? It's an old document, but this is a Windows client/server authentication template how-to for Expressway; it's the same theory: you're using a template that has them enabled.

 

https://www.cisco.com/c/en/us/td/docs/voice_ip_comm/expressway/config_guide/X14-0/cert_creation_use/exwy_b_cisco-expressway-certificate-creation-and-use-deployment-guide-x14-0/exwy_b_certificate-creation-use-deployment-guide_chapter_01100.pdf