DNAC PKI Certificate Management (Subordinate CA)

scvvuuren
Level 1

Good day,

I am busy implementing DNA Center for a customer. We wanted to make the DNA Center a sub-CA to be part of the corporate certificate chain, but the CA team is querying the request in terms of how they will know what certificates are being signed.

Is there a way in DNAC, or via SSH, to display the issued certificates? I have read multiple guides up to now but cannot find anything concrete on this one.

Help will be much appreciated.

7 Replies

ammahend
VIP

I don't think DNAC can act as a sub-CA and issue certificates.

You can use ISE for that, if you have ISE.

-hope this helps-

Thank you for the response.

It is supported, though, according to the DNAC Security Best Practice Guide:

PKI Certificate Authority
Clients looking to establish an HTTPS connection with Cisco DNA Center use its server CA in order to confirm its identity and complete authentication. In addition to the server CA, Cisco DNA Center also makes use of a public key infrastructure (PKI) CA (configured as either a root or subordinate CA) to establish client connections. When used, the PKI CA gives you the option of using a different realm trust (signing CA) than the one associated with Cisco DNA Center's server CA.

The way I am reading this is: just like any server, to make an HTTPS connection the client needs to validate the server certificate. In the case of DNAC this can be a self-signed certificate from DNAC, or you can have a certificate from your in-house PKI issued for DNAC, or you can have a public CA issue a certificate to DNAC.

(Your in-house PKI can be a root CA or a sub-CA and DNAC can still accommodate the issued certificate, provided you import the entire certificate chain.)

-hope this helps-

"I don't think DNAC can act as a SubCA and issue certificates." is a factually incorrect statement. DNAC, as I understand it, has 2 certificates:

1) SSL (self-signed by default)

2) CA (self-signed root by default)

That said, I too have the same question that was asked. The DNAC documentation does not really go into much detail about what the CA cert is actually used for; however, from the vast amounts of reading I have done I have to assume it is used by LAN Automation and TrustSec, whereas the ISE CA is used more for pxGrid, EAP, portals etc., but can also be used for devices. In both cases I have read talk of OCSP responders (need to investigate further); the fact that that is an option means there has to be some issued/revoked/expired certificate tracking taking place somewhere, but sadly this is likely hidden in the CLI or via API commands that I have yet to be made aware of. I would be interested to find a detailed breakdown of both the ISE CA role and the DNAC CA role, for just a simple breakdown of possible overlaps and the cross-CA trust that needs to take place. I'm sure this exists somewhere?

Hi dwright6123, I am researching the exact same questions you came up with. I cannot find any guide on how to make reasonable decisions to design all the CA-related questions in an SDA environment. Did you make any progress recently?

Thanks

Sorry to say that I have not discovered any new information related to this. What I have discovered with my deployment is that DNAC's CA generates certificates for each device that is added; this certificate replaces the default self-signed certificates on the devices. When I lab-deployed DNAC I used the default self-signed DNAC CA; when I deployed to production I used our internal root ADCS CA to generate a sub-CA cert for DNAC, so DNAC is issuing certificates to devices that should be trusted by our internal clients.

That said, for C9xx switches anyway, the certificate that is issued uses the device hostname as the CN with the loopback IP as a SAN on the cert; it does not use the FQDN of the device (hostname.domain.com). Also, I have discovered that the certificates that are issued, specifically in the case of a border EWC (Embedded Wireless Controller), are not trusted by any web browsers even though the cert trust is valid. If I am remembering correctly the certificate did not have the Server Authentication extension; my workaround for this was to revert the HTTPS services to using the default self-signed cert, which did have this trust. I have not dug into DNAC to figure out how/where these certs come from, as for my deployment the self-signed cert works for now. I have not found any information on managing certificate templates or revocation from DNAC itself.

I can confirm that when ISE integration takes place the sub-CA trust is auto-loaded on the ISE side. I opted not to configure ISE to be integrated with our ADCS as a sub-CA and that has not created any issues, as it trusts the DNAC certs installed to the devices on deployment. As far as ISE certificates go, I can confirm that these certs are used for pxGrid; if/when you add 3rd-party device integrations into SDA you will need to issue certs from ISE to the devices so that ISE will trust them for authentication to pxGrid services.

In ISE you have quite a bit of control over certificate usage, meaning that for each ISE service that uses a certificate you can define the certificates and trust pools to use. In my ISE I changed the portals to use a globally trusted wildcard certificate; this was done for the admin portal as well, which allows guests etc. to not run into cert issues when being redirected to a portal. I would imagine if you wanted to you could pretty easily swap out the pxGrid/TrustSec trust pools for ADCS-trusted certificates; it would really depend on your network and how much cert compliance you require. I know that doesn't answer the original question, but maybe it will help with planning. Good luck.
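The post above names two ways a DNAC-issued device certificate can fail browser validation for HTTPS: a SAN that carries only the loopback IP rather than the FQDN the browser was pointed at, and an extendedKeyUsage that omits Server Authentication. The following is an added example, not code from this thread or from Cisco, that lints a certificate for exactly those two properties using the Python `cryptography` library (assumed installed). The sub-CA key and the device certificates it generates are constructed stand-ins so the script runs offline; no DNAC API, CLI or real CA is involved, and the hostnames and IPs are made up.

```python
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID

# EKU names used in this example mapped to their OIDs.
EKU_OIDS = {
    "serverAuth": ExtendedKeyUsageOID.SERVER_AUTH,
    "clientAuth": ExtendedKeyUsageOID.CLIENT_AUTH,
}


def make_issuer():
    """Constructed signing key and name standing in for the DNAC sub-CA
    (hypothetical; only a key and a name are needed to sign leaf certs)."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "example-dnac-sub-ca")])
    return key, name


def issue_device_cert(issuer_key, issuer_name, hostname, dns_names=(), ip_addrs=(), eku=None):
    """Issue a constructed leaf cert shaped like the ones the post describes:
    CN = bare hostname, SAN built from the given DNS names and IP strings,
    and an extendedKeyUsage extension only when `eku` is given."""
    leaf_key = ec.generate_private_key(ec.SECP256R1())
    sans = [x509.DNSName(d) for d in dns_names]
    sans += [x509.IPAddress(ip_address(ip)) for ip in ip_addrs]
    now = datetime.now(timezone.utc)
    builder = (
        x509.CertificateBuilder()
        .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, hostname)]))
        .issuer_name(issuer_name)
        .public_key(leaf_key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - timedelta(minutes=5))
        .not_valid_after(now + timedelta(days=365))
        .add_extension(x509.SubjectAlternativeName(sans), critical=False)
    )
    if eku is not None:
        builder = builder.add_extension(
            x509.ExtendedKeyUsage([EKU_OIDS[name] for name in eku]), critical=False
        )
    return builder.sign(issuer_key, hashes.SHA256())


def lint_for_https(cert, target):
    """Return the reasons a browser would reject `cert` for https://target/,
    where `target` is the FQDN or IP typed into the browser. Empty list = pass."""
    problems = []

    # Server Authentication EKU: per RFC 5280 an absent EKU permits any
    # purpose, but an EKU that is present and omits serverAuth is rejected.
    try:
        eku = cert.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value
        if ExtendedKeyUsageOID.SERVER_AUTH not in eku:
            problems.append("extendedKeyUsage present but lacks serverAuth")
    except x509.ExtensionNotFound:
        pass

    # Name match: browsers match the URL host against the SAN, not the CN.
    # Exact DNS match only; wildcard handling is omitted for brevity.
    try:
        san = cert.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
    except x509.ExtensionNotFound:
        problems.append("no subjectAltName extension")
        return problems
    try:
        wanted = ip_address(target)
        matched = wanted in san.get_values_for_type(x509.IPAddress)
    except ValueError:  # target is a hostname, not an IP literal
        matched = target.lower() in [d.lower() for d in san.get_values_for_type(x509.DNSName)]
    if not matched:
        problems.append(f"subjectAltName does not cover {target!r}")
    return problems


if __name__ == "__main__":
    ca_key, ca_name = make_issuer()
    # Constructed EWC-style cert: loopback IP only in the SAN, EKU without serverAuth.
    ewc = issue_device_cert(ca_key, ca_name, "ewc1", ip_addrs=["10.255.0.2"], eku=["clientAuth"])
    for host in ("ewc1.example.com", "10.255.0.2"):
        print(host, "->", lint_for_https(ewc, host) or "ok")
```

To lint a certificate pulled from a real device, load it with `x509.load_pem_x509_certificate(pem_bytes)` and pass it to `lint_for_https` with the name users will type into the browser. The EKU check deliberately treats an absent extension as acceptable, so a cert with a loopback-only SAN fails when reached by FQDN but passes when reached by that IP, which is the behaviour the post observed.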

Thanks a lot for this very detailed information! It is very valuable and helps a lot to clarify my PKI-related questions.

I am going to open a TAC case to get additional answers, including to the original post's question, and will provide an update soon.
