
DNA Center PKI Certificate subordinate CA under subordinate enterprise CA ?

Peter Koltl
Level 7

As I understand, DNA Center can have

  • a server certificate (configured under System Settings > Settings > Certificate) and
  • device PKI CA certificate (configured under System Settings > Settings > PKI Certificate Management) that can be changed to subordinate mode.

The documentation explains that the server certificate may be issued by a subordinate external CA.

My question: may the device PKI sub-CA certificate be issued by a subordinate external CA? I mean

Level 1 Enterprise Root CA

Level 2 Enterprise Subordinate CA

Level 3 DNA Center device PKI sub-CA

Level 4 device certificate issued by DNA Center

2 Replies

AndiBuchmann157
Level 1

I am running this without "Level 2" and I don't have any problems... and also I don't see any problem there...

Anyway, I need to reset my lab in 2 weeks, then I will try it the way you provided...

EDIT:

1) Make sure the CSR contains all IP addresses including the VIPs and the FQDN of DNAC, like the pic shows

[image: aaaa.png]

2) Make sure, when creating the "cert-package" you import into DNAC, that it contains all the certs of all involved CAs!

Cisco DNA Center permits users to change the role of the Device PKI CA from a root CA to a subordinate CA.

When changing the private Cisco DNA Center's CA from a root CA to a subordinate CA, note the following:

  • If you intend to have the Cisco DNA Center act as a subordinate CA, it is assumed that you already have a root CA, for example, Microsoft CA, and you are willing to accept the Cisco DNA Center as a subordinate CA.

  • As long as the subordinate CA is not fully configured, the Cisco DNA Center will continue to operate as an internal root CA.

  • You will have to generate a Certificate Signing Request (CSR) file for the Cisco DNA Center (as described in this procedure) and have it manually signed by your external root CA.

You can refer to the link:

https://www.cisco.com/c/en/us/td/docs/cloud-systems-management/network-automation-and-management/dna-center/1-2/admin/b_dnac_admin_guide_1_2/b_dnac_admin_guide_1_2_chapter_01.html

Regards

Ananth
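
Added example (not part of any post above, and not Cisco's procedure): a shell check for the second tip in the first reply, using openssl to confirm that a certificate package holds every CA certificate needed to chain a sub-CA certificate up to a self-signed root. The names `root`, `ent-sub` and `dnac-sub` are constructed stand-ins for Levels 1 to 3 in the question; the script tests X.509 path building only, not what DNA Center itself accepts.

```shell
#!/bin/sh
# Constructed three-level demo hierarchy; all names are made up for this example.
CA_EXT='basicConstraints=critical,CA:TRUE'

# make_ca NAME [ISSUER]: create NAME.key and NAME.pem as a CA certificate,
# self-signed when ISSUER is omitted, otherwise signed by ISSUER.pem.
make_ca() {
    printf '%s\n' "$CA_EXT" > ca.ext
    openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" \
        -subj "/CN=$1" -out "$1.csr" 2>/dev/null || return 1
    if [ -z "$2" ]; then
        openssl x509 -req -in "$1.csr" -signkey "$1.key" \
            -extfile ca.ext -days 1 -out "$1.pem" 2>/dev/null
    else
        openssl x509 -req -in "$1.csr" -CA "$2.pem" -CAkey "$2.key" \
            -CAcreateserial -extfile ca.ext -days 1 -out "$1.pem" 2>/dev/null
    fi
}

# bundle_is_complete CERT BUNDLE: succeed only if the CA certificates in
# BUNDLE alone chain CERT up to a self-signed root. -no-CApath keeps the
# system CA directory out of the lookup so it cannot fill a gap.
bundle_is_complete() {
    openssl verify -no-CApath -CAfile "$2" "$1" >/dev/null 2>&1
}

# build_demo DIR: create the hierarchy and three candidate bundles in DIR.
build_demo() {
    ( cd "$1" &&
      make_ca root && make_ca ent-sub root && make_ca dnac-sub ent-sub &&
      cat ent-sub.pem root.pem > full.pem &&      # every involved CA
      cp ent-sub.pem no-root.pem &&               # Level 1 missing
      cp root.pem no-intermediate.pem )           # Level 2 missing
}

demo_dir=$(mktemp -d)
build_demo "$demo_dir"
for b in full no-root no-intermediate; do
    if bundle_is_complete "$demo_dir/dnac-sub.pem" "$demo_dir/$b.pem"; then
        echo "$b.pem: complete chain"
    else
        echo "$b.pem: chain incomplete"
    fi
done
```

Run against a real package, `bundle_is_complete` takes the signed sub-CA certificate and a PEM file holding the CA certificates from the package.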
