DNAC certificate issues, CA cannot create cert with IP in SAN

Davor@E///
Level 1

Hello,

We are implementing DNA in our network. Currently setting up DNAC and ISE.

When creating CSR in DNAC, it automatically adds IP addresses in SAN fields. 

Our CA refuses to issue certs with an IP in the SAN field; only FQDNs are allowed.

 

Is having the node/cluster IPs in the cert the only way to go for the DNAC cert?

What service in DNAC/ISE uses SAN IP address fields? 

What will happen if the cert has only FQDNs? Is there some functionality that will not work?

 

Thanks in advance,

Davor

3 Replies

Preston Chilcote
Cisco Employee

Having both IP and FQDN is currently a requirement for ISE integration. 

 

See the last bullet point here in the newest install guide.

https://www.cisco.com/c/en/us/td/docs/cloud-systems-management/network-automation-and-management/dna-center/1-3-1-0/install_guide/M4/b_cisco_dna_center_install_guide_1_3_1_0_M4/b_cisco_dna_center_install_guide_1_3_1_0_M4_chapter_0101.html#task_ikj_pg...

 

"The Cisco DNA Center system certificate must list both the Cisco DNA Center appliance IP address and FQDN in the Subject Alternative Name (SAN) field. "

 

How common is it for CAs not to allow IPs in the SAN field?

It is global practice for public CAs not to sign certs with an IP address. Our CA refuses to sign such a cert, and it is an obstacle for our implementation.

Is there a way to go without an IP address in the SAN field? Shouldn't FQDNs be sufficient? We have DNS to resolve all FQDNs in our environment.

Is this IP in the cert for internal DNA usage (KVM and Kubernetes)? Is there a way to override this by adding the FQDN/IP to the hosts file on Maglev?

 

Kind regards,
Davor

There is currently no way to work around this requirement of IP addresses in the SAN field. They are needed for many features, including ISE and WLC integrations and PnP. The Cisco DNA engineering team has medium to long term plans to fix it, but no time frame is set. For now a trusted internal CA is recommended to validate the cert with IP addresses.

Your sales team is best positioned to push engineering to increase the urgency of the FQDN-only support.
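The following is an added example, not code from the thread or from Cisco, showing the internal-CA route the last reply recommends: a CSR whose SAN carries both the appliance FQDN and its IP (the install guide requirement quoted above), issued by a throwaway internal CA, plus a check that the resulting CSR or certificate really lists both entry types before it is uploaded. The hostname `dnac.example.internal`, the address `10.0.0.10` and the CA name are placeholders, and the DNS-only variant stands in for what an FQDN-only CA would issue.

```shell
#!/bin/sh
# Added example (not from the thread): build a CSR whose SAN carries both the
# appliance FQDN and IP, issue it from a throwaway internal CA, and check the
# result. Hostname, address and CA name are assumptions, not values from the post.
set -eu

FQDN="dnac.example.internal"   # assumption: appliance FQDN
ADDR="10.0.0.10"               # assumption: appliance IP
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Throwaway internal CA with explicit CA extensions (so `openssl verify`
# accepts it regardless of the system openssl.cnf). A real CA keeps its key
# offline or in an HSM.
cat > "$WORK/ca.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = ca_ext
prompt = no
[dn]
CN = Internal Test CA
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
  -config "$WORK/ca.cnf" -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null

# Write a request config whose [san] section holds the given SAN value.
# The same section is reused at signing time.
write_cfg() {   # write_cfg <name> <subjectAltName value>
  cat > "$WORK/$1.cnf" <<EOF
[req]
distinguished_name = dn
req_extensions = san
prompt = no
[dn]
CN = $FQDN
[san]
subjectAltName = $2
EOF
}

# Generate key + CSR. The -config/req_extensions route works on any OpenSSL
# version, unlike -addext (1.1.1+).
make_csr() {    # make_csr <name>  -> prints CSR path
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -config "$WORK/$1.cnf" -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  echo "$WORK/$1.csr"
}

# Sign with the internal CA. `x509 -req` drops CSR extensions unless told
# otherwise, so the SAN section is supplied again via -extfile/-extensions.
sign_csr() {    # sign_csr <name>  -> prints cert path
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 365 -sha256 \
    -extfile "$WORK/$1.cnf" -extensions san -out "$WORK/$1.crt" 2>/dev/null
  echo "$WORK/$1.crt"
}

# Print the SAN line of a CSR (kind=req) or certificate (kind=x509),
# e.g. "DNS:dnac.example.internal, IP Address:10.0.0.10".
san_of() {      # san_of <req|x509> <file>
  openssl "$1" -in "$2" -noout -text \
    | grep -A1 'Subject Alternative Name' | tail -n1 | sed 's/^ *//'
}

# Returns 0 if the SAN has both a DNS and an IP entry (what DNAC needs), else 1.
san_has_dns_and_ip() {   # san_has_dns_and_ip <req|x509> <file>
  san="$(san_of "$1" "$2")"
  case "$san" in *DNS:*) ;; *) return 1 ;; esac
  case "$san" in *"IP Address:"*) return 0 ;; *) return 1 ;; esac
}

# Demo: the cert DNAC wants versus the FQDN-only cert a strict CA would issue.
write_cfg full "DNS:$FQDN, IP:$ADDR"
write_cfg dnsonly "DNS:$FQDN"
for n in full dnsonly; do
  make_csr "$n" >/dev/null
  crt="$(sign_csr "$n")"
  if san_has_dns_and_ip x509 "$crt"; then
    echo "$n: SAN ok for DNAC -> $(san_of x509 "$crt")"
  else
    echo "$n: SAN lacks an IP entry -> $(san_of x509 "$crt")"
  fi
done
```

Run the same `san_has_dns_and_ip x509` check against whatever your CA actually returns before importing it into DNAC: a CA that silently strips the IP entry produces a certificate that looks fine at a glance but fails the requirement in the install guide.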
