
Query about DNA's self signed certificate and sub CA

QW_netzwerk
Level 1

Recently I learned that DNA could be used as a sub-CA for the network components. I would like to know if there is any extra advantage to using DNA as a sub-CA, and if there is, would someone share some documentation that explains the benefit in detail?

The other question is about changing DNA's self-signed certificate. As far as I know, it is always a best practice to change the self-signed certificate, and I want to share that ISE is already in production in our network environment, where it uses certificates from our CA. Still, our Cisco partner says replacing the self-signed certificate in DNA is unnecessary. So would you share your thoughts about it?

I appreciate any help you can provide.

1 Reply

Hi

I believe it is difficult to answer this question about the benefit because it would be environment dependent. Probably for most deployments it will not be necessary.

You may not find a document from Cisco explaining the advantage of a subordinate CA, but you can find one here. Search for "Why You Might Need One":

https://www.ssl.com/article/subordinate-cas-and-why-you-might-need-one/

About your second query, I agree with what Cisco's partner says, and I believe this is related to the certificate for browser management access, right? If you don't mind seeing the warning in the web browser saying that the page you are trying to access is not secure, it is OK to keep it as is.

DNAC will take care of the certificates for LAN Automation and TrustSec, and you can use a self-signed certificate or not. At this point you can set up DNAC as a subordinate CA and then use a root CA.

There are other interesting discussions here in the forum:

https://community.cisco.com/t5/cisco-digital-network-architecture-dna/dnac-pki-certificate-management-subordinate-ca/td-p/4046547