DNA Center replacing self-signed certificate

JP10
Level 1

Hi,

We've recently switched over to a different domain for both the ISE and DNA Center servers, which required some configuration steps back, in the nature of removing all statically assigned SGTs from ports in the Fabric and removing the integration between DNAC and ISE. At last we're now about to replace the DNAC self-signed certificate with a new self-signed cert for the new domain.

The Cisco DNA Center Security Best Practices Guide (https://www.cisco.com/c/en/us/td/docs/cloud-systems-management/network-automation-and-management/dna-center/hardening_guide/b_dnac_security_best_practices_guide.html#d54e3970a1635) mentions that during replacement of the certificate from self-signed to CA-signed, network operation will be disrupted. Does anyone know in what manner the disruption will occur, and whether it will affect traffic of Virtual Networks on statically assigned ports in the Fabric when switching over to a new self-signed certificate?

Thanks in advance for any answers.


Accepted Solution

rasmus.elmholt
Level 7

You really should not use self-signed certificates with the DNAC.

I have changed the certificate on DNAC a couple of times and have not experienced any network downtime.

The certificate is used with the ISE, and the pxGrid session with the ISE will stop working, so you have to resync the session again.

And the certificate is used for the telemetry collection trust to the network devices, so that will most likely stop working. Depending on the version of DNAC you are using, the DNAC will push the new CA trust to the network devices right away or at the next provisioning. Otherwise you can force it with the Telemetry -> Update: Force push button.
