Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1178
Views
0
Helpful
4
Replies

DNAC(Catalyst Center) self signed certificate

Go to solution
SirEna
Level 1
Level 1

‎01-11-2024 02:59 AM

Hi, im planning to change our dnac's self signed certificate. if i have 3 nodes, do i need to change the cert per node? or changing the vip will do? thanks in advance

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
pieterh
VIP
VIP
In response to SirEna

‎01-12-2024 03:03 AM

sorry I overlooked "self-signed"
take a look at the advice in this document
Cisco DNA Center Security Best Practices Guide - Cisco
section: Cisco DNA Center Hardening Steps

and section: Security Recommendation

  • Replace the self-signed server certificate from Cisco DNA Center with the certificate signed by your internal certificate authority (CA).

you can use a single certificate with VIP as CN and all hostnames in SAN field
for details see section: Generate a Certificate Request Using OpenSSL
this describes how to create the .csr and private key external from DNA center
and how to process this file into a file that can be imported in DNA center

View solution in original post

0 Helpful
4 Replies 4

Go to solution
pieterh
VIP
VIP

‎01-11-2024 05:12 AM

there should be a single cert for all nodes
but be aware check the SAN field of your current certificate
you may find all individual host-names included in this field

0 Helpful

Go to solution
SirEna
Level 1
Level 1
In response to pieterh

‎01-12-2024 02:38 AM

Hi Pieterch, thanks for the reply. if i login to the VIP the sanip field is empty. But if i login to 1 of the nodes, there are ip addresses populated in the sanip field. i.e. mgmt ips, enterprise ips,and those 169.254.x.x being used for clustering.  from which node should i generate the csr? another question is, what  should i choose from the following options:

Key Usage:

keyEncipherment
digitalSignature
nonRepudiation
keyCertSign
cRLSign

default selection are:
keyEncipherment and digitalSignature

extended key usage:
serverAuth
clientAuth

both are selected by default

 

thanks!

0 Helpful

Go to solution
pieterh
VIP
VIP
In response to SirEna

‎01-12-2024 03:03 AM

sorry I overlooked "self-signed"
take a look at the advice in this document
Cisco DNA Center Security Best Practices Guide - Cisco
section: Cisco DNA Center Hardening Steps

and section: Security Recommendation

  • Replace the self-signed server certificate from Cisco DNA Center with the certificate signed by your internal certificate authority (CA).

you can use a single certificate with VIP as CN and all hostnames in SAN field
for details see section: Generate a Certificate Request Using OpenSSL
this describes how to create the .csr and private key external from DNA center
and how to process this file into a file that can be imported in DNA center

0 Helpful

Go to solution
SirEna
Level 1
Level 1

‎01-23-2024 01:54 AM

at last, after going thru an ordeal and lots of processes i managed to update the cert =p. thanks for the ideas !

0 Helpful
Customers Also Viewed These Support Documents

Review Cisco Networking for a $25 gift card