
DNAC multiple OU's in Certificate generation

AFlack20
Level 1

I'm having a problem with generating a CSR following this doc.

I have generated the openssl.cnf file like below.

req_extensions = v3_req
distinguished_name = req_distinguished_name
default_bits = 4096
default_md = sha512
prompt = no
[req_distinguished_name]
C = US
ST = HI
L = Honolulu
OU = ABC, OU = 123, OU=ACME
CN = cisco.com
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage=serverAuth,clientAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = FQDN-of-Cisco-DNA-Center
DNS.2 = pnpserver.DomainAssignedByDHCPDuringPnP.tld
IP.1 = Enterprise port IP node #1
IP.2 = Enterprise port IP node #2
IP.3 = Enterprise port IP node #3
IP.4 = Enterprise port VIP
IP.5 = Cluster port IP node #1
IP.6 = Cluster port IP node #2
IP.7 = Cluster port IP node #3
IP.8 = Cluster port VIP
IP.9 = GUI port IP node #1
IP.10 = GUI port IP node #2
IP.11 = GUI port IP node #3
IP.12 = GUI port VIP

I need the CSR to have multiple OUs, but when I do the verification check via "openssl req -text -noout -verify -in DNAC.csr" I get output similar to the following.

$ openssl req -text -noout -verify -in DNAC.csr
verify OK
Certificate Request:
    Data:
        Version: 1 (0x0)
        Subject: C = US, ST = HI, L = Honolulu, O = Customer, OU = "ABC, OU = 123, OU = ACME", CN = cisco.com

I've tried separating the OUs in the openssl.cnf file in other ways, such as on new lines or without commas, but nothing appears to be coming back as valid.

C = US
ST = HI
L = Honolulu
OU = ABC
OU = 123
OU = ACME
CN = cisco.com

All I get back utilizing the new lines as above is the last inputted OU.

$ openssl req -text -noout -verify -in DNAC.csr
verify OK
Certificate Request:
    Data:
        Version: 1 (0x0)
        Subject: C = US, ST = HI, L = Honolulu, O = Customer, OU = ACME, CN = cisco.com

Without comma input

C = US
ST = HI
L = Honolulu
OU = ABC OU = 123 OU=ACME
CN = cisco.com

Without comma output

$ openssl req -text -noout -verify -in DNAC.csr
verify OK
Certificate Request:
    Data:
        Version: 1 (0x0)
        Subject: C = US, ST = HI, L = Honolulu, O = Customer, OU = ABC OU = 123 OU = ACME, CN = cisco.com

This last one looks like it might be usable, but it does concern me that there is only one comma at the end of all the OU fields. Could someone please let me know what the correct method would be? Thanks!

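Added example (not part of the original post, and not Cisco's or OpenSSL's own code): a repeated key in an OpenSSL config section keeps only its last value, and req(1) documents that any characters before a dot in a field name are ignored, so `0.OU`, `1.OU` and `2.OU` yield three separate OU attributes. The script writes the post's config in that form, generates the CSR and prints its subject one attribute per line. The explicit `[req]` header, the `make_csr`/`csr_subject`/`count_ou` helper names and the SAN values are assumptions made for the example.

```shell
#!/bin/sh
# Added example. Subject values are the ones from the post; the SAN entries
# (dnac.example.com, 192.0.2.10) are constructed placeholders.

# make_csr DIR: write openssl.cnf, then create DNAC.key and DNAC.csr in DIR.
make_csr() {
    cat > "$1/openssl.cnf" <<'EOF'
[req]
req_extensions = v3_req
distinguished_name = req_distinguished_name
default_bits = 4096
default_md = sha512
prompt = no
[req_distinguished_name]
C = US
ST = HI
L = Honolulu
# Text before the dot only makes each key unique; the attribute is still OU.
0.OU = ABC
1.OU = 123
2.OU = ACME
CN = cisco.com
[v3_req]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth,clientAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = dnac.example.com
IP.1 = 192.0.2.10
EOF
    openssl req -new -nodes -config "$1/openssl.cnf" \
        -keyout "$1/DNAC.key" -out "$1/DNAC.csr" 2>/dev/null
}

# csr_subject CSR: print the subject with one attribute per line.
csr_subject() {
    openssl req -in "$1" -noout -subject -nameopt multiline
}

# count_ou CSR: number of separate organizationalUnitName attributes.
count_ou() {
    csr_subject "$1" | grep -c 'organizationalUnitName'
}

workdir=$(mktemp -d)
make_csr "$workdir" && csr_subject "$workdir/DNAC.csr"
```

Checking the count of `organizationalUnitName` lines, rather than eyeballing the one-line subject, distinguishes three real OU attributes from a single OU whose value happens to contain the text "OU =".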