04-30-2019 09:05 AM - edited 04-30-2019 09:11 AM
I have been struggling the past few days with installing a new CA signed certificate onto my DNA Center server. First I tried using the API method, but it failed. Even though I had a 2 year cert, the API method was saying it was less than a 2 year cert. I went to the OpenSSL method following the steps in the Cisco Digital Network Architecture Center Security Best Practices Guide.
Everything went well until I received my certificate from Thawte and started on this step:
Step 7 | Download the certificate (full chain) with DER format and name it dnac-chain.p7b. |
Step 8 | Copy dnac-chain.p7b that you downloaded in the preceding step to the Cisco DNA Center cluster through SSH. |
Step 9 | Enter the following command: openssl pkcs7 -in dnac-chain.p7b -inform DER -out dnac-chain.pem -print_certs |
I already received a .p7b from Thawte, but when I run the command in Step 9, I get the following:
$ openssl pkcs7 -in dnac-chain.p7b -inform DER -out dnac-chain.pem -print_certs
unable to load PKCS7 object
140373772969624:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:tasn_dec.c:1217:
140373772969624:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:tasn_dec.c:386:Type=PKCS7
Any thoughts before I open a case with TAC?
05-22-2019 02:03 PM
CA-signed certificates have to be signed from the same CA. I have a couple of pieces of information to do this step correctly. Please check this link for the OpenSSL and API methods for adding certificates: www.cisco.com/c/en/us/td/docs/cloud-systems-management/network-automation-and-management/dna-center/hardening_guide/b_dnac_security_best_practices_guide.html#d54e1214a1635
If you are getting a .p7b error, please follow the steps in this link:
support.citrix.com/article/CTX124429/
Let me know if any issue arises; we can have more discussion on Webex.
05-28-2019 07:21 AM
Thank you Farhan.
I had opened a case with Cisco TAC, and we were able to resolve the issue. Thank you for your response on this.
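The `ASN1_CHECK_TLEN:wrong tag` failure in the question is what `openssl pkcs7 -inform DER` reports when the input does not begin with a DER SEQUENCE, most often because the CA delivered the .p7b as PEM (base64 text). The thread does not say what TAC found, so treating that as the cause is an assumption; the script below is an added example, not from the Cisco guide or the posters, and the function names `p7b_encoding` and `p7b_to_chain` are hypothetical.

```shell
#!/bin/sh
# Added example (not from the Cisco guide): pick the right -inform for a .p7b.
# Function names are hypothetical; dnac-chain.* names come from the guide steps.

# Print PEM, DER, BASE64 (base64 without armor lines) or UNKNOWN for file $1.
p7b_encoding() {
    [ -r "$1" ] || { echo UNKNOWN; return 1; }
    # PEM armor may follow leading text or use CRLF, so search the whole file.
    # OpenSSL also reads PKCS#7 delivered under a CERTIFICATE label.
    if grep -Eq '^-----BEGIN (PKCS7|CERTIFICATE)-----' "$1"; then
        echo PEM; return 0
    fi
    # First two bytes as hex: DER starts with the SEQUENCE tag 0x30, and the
    # base64 encoding of such data starts with "MI" (0x4d 0x49).
    magic=$(od -An -tx1 -N2 "$1" | tr -d ' \n')
    case $magic in
        30*)  echo DER ;;
        4d49) echo BASE64 ;;
        *)    echo UNKNOWN ;;   # e.g. an HTML error page saved as .p7b
    esac
}

# Step 9 with the detected input format instead of a fixed -inform DER.
p7b_to_chain() {
    src=$1 dst=$2
    enc=$(p7b_encoding "$src") || return 1
    case $enc in
        PEM|DER)
            openssl pkcs7 -in "$src" -inform "$enc" -print_certs -out "$dst" ;;
        BASE64)
            # Strip line breaks, decode to DER, then parse as in Step 9.
            tr -d '\r\n' < "$src" | openssl base64 -d -A |
                openssl pkcs7 -inform DER -print_certs -out "$dst" ;;
        *)
            echo "$src: not a PKCS#7 bundle openssl can read" >&2; return 1 ;;
    esac
}

# Usage on the cluster: p7b_to_chain dnac-chain.p7b dnac-chain.pem
```

After conversion, check that dnac-chain.pem contains the server certificate and the issuing chain before installing it.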