02-16-2022 09:07 AM
Hi
We have the self-signed certificate that comes by default from Cisco; we would like to replace it with a certificate from our internal CA (Certificate Authority) before upgrading to the most recent DNAC version, as is recommended by Cisco.
We tried to upload the PEM file in DNAC version 1.3.3.x after getting it from the internal CA,
with the private key,
but after pressing the upload button on DNAC we get the message:
'' Certificate key Usage do not contain Key Encipherment ''
Any clue?
What is missing, and where?
If someone can help
Thank you
Regards
02-22-2022 08:02 AM
You are likely not chaining the certificates properly.
First, you need to understand what certificate(s) are included in xpto-bundle.pem. Certificate authorities will sometimes provide you the bundle which already includes the device certificate, intermediate certificate(s), and root certificate while others will only provide you the intermediate(s) & root certificates in the bundle.
Can you open the .pem file in a text editor and then decode it by copying the contents of the PEM file, so you can view the CN & Issuer of the certificates included in the bundle.pem file? You can decode the certificates in the bundle.pem file using the following decoder:
-- https://www.sslshopper.com/certificate-decoder.html
Use the method above to understand which certificates are included in the bundle.pem file. If the bundle.pem includes all 3 certificates, we can upload it directly to the Cisco DNA Center GUI. If the bundle.pem includes only the intermediate(s) & root certificate, you will need to open the bundle.pem file in a text editor and paste the contents of the xpto.pem to the top of the bundle.pem contents then upload the bundle.pem to the Cisco DNA Center.
02-16-2022 09:37 AM
Hi
Take a look. It may help you. Same error.
https://community.cisco.com/t5/cisco-digital-network/cisco-dnac-certificate-self-signed/td-p/3908593
02-17-2022 03:25 PM
The following document provides the steps needed to successfully generate the CSR for the DNA Center, sign it by your internal CA, & upload it back to the DNA Center:
If you are still running into issues after following the steps in the document, please consider opening a TAC case.
FYI, you will use CA:True for self-signed certificates. CA:False if the certificate will be signed by an external/internal CA.
HTH!
02-18-2022 03:52 AM
Thank you Both
I followed that guide.
But still..
I have now tried with the normal pem file instead of xpto_bundle.pem
and still get an error, but a different one: '' issuer should be equal to subject for root cert ''
CA is set to false, since the certificate is provided by the internal CA.
I set all the info in the openssl file, then generated the certificate, and verified it OK.
Where exactly should I check and/or change that info, regarding '' issuer should be equal to subject for root cert ''?
02-18-2022 06:18 AM
Depending on the internal CA you are using, you may receive two pem files. One PEM file will be the DNA Center device certificate which was created from the CSR you provided to the internal CA. The other PEM file (xpto_bundle.pem) may contain the intermediate & root certificates in a chain. You need to combine the device certificate with the intermediate & root certificate bundle to create the certificate chain correctly. This way the issuer for the device certificate will match the CN of the intermediate certificate and the issuer of the intermediate certificate will match the CN & issuer of the root certificate.
Once you have bundled the certificates together, you can verify that you did it correctly by using the following openssl command from CLI:
openssl verify <.pem file>
When chaining the certificate, you will want to add the device certificate first at the top followed by the intermediate certificate then root certificate at the bottom of the chain. Similar to this:
-------Device Certificate-------------
-------End Device Certificate---------
-------Intermediate Cert--------------
-------End Intermediate Cert----------
-------Root Cert----------------------
-------End Root Certificate-----------
If you still run into problems after confirming and verifying the certificate chain using the OpenSSL CLI command, please proceed with opening a TAC case with the DNA SSPT TAC team. They will be able to work with you to chain the certificate correctly and get it uploaded to the Cisco DNA Center appliance.
HTH!
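Putting the chaining and verification advice above into a script, as an added example that is not from the thread or from Cisco: it splits a PEM bundle, prints each certificate's subject and issuer, checks the device -> intermediate -> root order, checks that the root is self-signed and that the device certificate carries Key Encipherment, and then runs `openssl verify` with the issuer certificates passed as `-CAfile` (a bare `openssl verify bundle.pem` gives the "error 20" seen later in the thread because the issuers are not trusted). It assumes a POSIX sh with openssl, awk and sed installed; the file and function names are the example's own.

```sh
#!/bin/sh
# Added example: sanity-check a PEM bundle before uploading it to Cisco DNA Center.
# Assumes POSIX sh plus openssl, awk and sed. Usage: ./chain_check.sh bundle.pem
set -eu

# Print the subject or issuer of one certificate file, without the "subject=" prefix.
field() { openssl x509 -in "$1" -noout -"$2" | sed "s/^$2= *//"; }

# check_chain <bundle.pem>: returns 0 on a well-formed chain, 1 with a reason otherwise.
check_chain() {
  bundle=$1; tmp=$(mktemp -d)
  # Split the bundle into cert.1, cert.2, ... in the order they appear.
  awk -v d="$tmp" '/-----BEGIN CERTIFICATE-----/{n++} n>0{print > (d "/cert." n)}' "$bundle"
  count=$(ls "$tmp"/cert.* 2>/dev/null | wc -l | tr -d ' ')
  [ "$count" -ge 2 ] || { echo "FAIL: need at least device + root cert, found $count"; return 1; }
  i=1
  while [ "$i" -le "$count" ]; do
    f="$tmp/cert.$i"; subj=$(field "$f" subject); iss=$(field "$f" issuer)
    echo "[$i] subject: $subj"; echo "    issuer : $iss"
    if [ "$i" -eq "$count" ]; then
      # Root must be self-signed: "issuer should be equal to subject for root cert".
      [ "$subj" = "$iss" ] || { echo "FAIL: last cert is not a self-signed root"; return 1; }
    else
      # Each cert's issuer must be the subject of the cert that follows it.
      next=$(field "$tmp/cert.$((i + 1))" subject)
      [ "$iss" = "$next" ] || { echo "FAIL: cert $i issuer != cert $((i + 1)) subject (wrong order?)"; return 1; }
    fi
    i=$((i + 1))
  done
  # DNA Center rejects a device cert whose keyUsage lacks Key Encipherment.
  openssl x509 -in "$tmp/cert.1" -noout -text | grep -q 'Key Encipherment' \
    || { echo "FAIL: device cert keyUsage lacks Key Encipherment"; return 1; }
  # Verify the device cert with the intermediate(s) and root supplied as trust anchors.
  i=2; : > "$tmp/ca.pem"
  while [ "$i" -le "$count" ]; do cat "$tmp/cert.$i" >> "$tmp/ca.pem"; i=$((i + 1)); done
  openssl verify -CAfile "$tmp/ca.pem" "$tmp/cert.1" \
    || { echo "FAIL: openssl verify rejected the chain"; return 1; }
  rm -rf "$tmp"
  echo "OK: chain of $count certificates is ordered and verifies"
}

if [ "$#" -gt 0 ]; then check_chain "$1"; fi
```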
02-18-2022 12:01 PM
Thanks for your tips, Danirowe.
Well, I got 3 files from the CA:
xpto.pem
xpto-bundle.pem
xpto.der
and the option in DNA is to upload it as a pem file.
So, I guess I should concatenate them..
like that: cat xpto.der xpto.pem xpto-bundle.pem > xpto-chain.pem
Not sure if it will work with different extensions.
I will test it..
02-18-2022 12:31 PM
Well, I verified the pem files and I get errors:
xpto.pem: O = YYY, OU = XX, CN = DNA
error 20 at 0 depth lookup : unable to get local issuer certificate
xpto-bundle.pem: O = YYY, CN = P root CA
error 18 at 0 depth lookup : self signed certificate
Any clue? Or what info do I need to change, or does the CA need to change anything..?
Thank you
02-18-2022 01:13 PM
So, in summary:
when I verify the xpro.csr file, it verifies OK.
I can see the public key, signature...
But after I get the 3 files from the CA,
the 2 pem files get errors:
Well, I verified the pem files and I get errors:
xpto.pem: O = YYY, OU = XX, CN = DNA
error 20 at 0 depth lookup : unable to get local issuer certificate
xpto-bundle.pem: O = YYY, CN = P root CA
error 18 at 0 depth lookup : self signed certificate
Any clue? Or what info do I need to change, or does the CA need to change anything..?
Thank you