03-06-2019 01:22 AM - edited 03-06-2019 04:02 AM
Hi all,
OK, so I have had my DNA-C running for over a year now. We just migrated from running only on the 1G port to running on the 10G ports.
This means that we also changed the IP on the DNA-C. After we did this, my integration with my ISE etc. is not working anymore, because the cert that I have imported to my DNA-C does not contain the new IP of the DNA-C.
So I made a new self-signed cert which is signed by our internal CA. But when I try to import my new CA to my DNA-C I am getting this error.
03-06-2019 02:01 PM
Does your new CSR contain all the IPs, all the VIPs, and the FQDN your DNAC is using?
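An added example, not part of the original thread and not Cisco tooling: one way to answer the question above with OpenSSL, by listing the subjectAltName entries of a CSR or certificate and reporting any required IP, VIP or FQDN that is missing. The sample CSR, the name dnac.example.test and the 192.0.2.x addresses are constructed placeholders.

```shell
#!/usr/bin/env bash
# Added example: verify that a CSR or certificate lists every required SAN.

# Print the SAN entries (DNS names and IP addresses), one per line,
# of a PEM-encoded CSR or certificate.
san_entries() {
    local pem="$1" text
    if grep -q 'CERTIFICATE REQUEST' "$pem"; then
        text=$(openssl req -in "$pem" -noout -text)
    else
        text=$(openssl x509 -in "$pem" -noout -text)
    fi
    # The SAN values sit on the line after the extension name.
    printf '%s\n' "$text" \
        | grep -A1 'Subject Alternative Name' | tail -n 1 \
        | tr ',' '\n' \
        | sed -e 's/^ *//' -e 's/^DNS://' -e 's/^IP Address://'
}

# Print each required name that is absent from the SAN list.
# Returns 1 if at least one name is missing, 0 otherwise.
missing_sans() {
    local pem="$1" have name rc=0
    shift
    have=$(san_entries "$pem")
    for name in "$@"; do
        # -x: whole-line match, -F: literal string (dots are not wildcards)
        if ! printf '%s\n' "$have" | grep -qxF -- "$name"; then
            echo "$name"
            rc=1
        fi
    done
    return $rc
}

# Build a constructed sample CSR (placeholder FQDN and documentation IPs).
make_sample_csr() {
    openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1" \
        -subj "/CN=dnac.example.test" \
        -addext "subjectAltName=DNS:dnac.example.test,IP:192.0.2.10,IP:192.0.2.20" \
        2>/dev/null
}

# Usage: script.sh <csr-or-cert.pem> <fqdn-or-ip>...
if [ "$#" -gt 0 ]; then
    missing_sans "$@"
fi
```

Run it against the CSR before submitting it to the CA and again against the issued certificate, since a CA template can drop or rewrite requested SAN entries.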
03-08-2019 01:10 AM
Yeah, I have checked that it contains all IPs etc., so it's a bit strange. :)
03-18-2019 05:36 PM
Frank, please capture the pki-broker logs by running "magctl service logs -r pki-broker > pki-broker.log" after you run the cert import into DNAC again, and send pki-broker.log over if you could. We may identify what the problem is based on the logs.
09-22-2019 08:18 PM
Hi Frank,
We recommend against using and importing a self-signed certificate into the DNA Center. Importing a valid X.509 certificate from a well-known certificate authority (CA) is recommended. Additionally, you must replace the self-signed certificate (installed in the DNA Center by default) with a certificate that is signed by a well-known certificate authority for the Network PnP functionality to work properly.
You can also refer to our document