Replacing certificate in DNA-C fails

Frank Osberg
Level 4

Hi all,

Ok, so my DNA-C I have had running for over a year now. We just migrated from only running on the 1G port to running on the 10G ports.

Meaning that we also changed the IP on the DNA-C. After we did this my integration to my ISE etc. is not working anymore, because the cert that I have imported to my DNA-C does not contain the new IP of the DNA-C.

So I made a new self-signed cert which is signed by our internal CA. But when I try to import my new CA to my DNA-C I am getting this error.

Unable to replace certificate1; 400 Bad Request

Not an error that tells me that much, so anyone there has an idea on how to fix this? :)

Frank

AndiBuchmann157
Level 1

Does your new CSR contain all the IPs and all the VIPs and the FQDN your DNAC is using?
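To check that point before submitting a request to the CA, here is an added example (not code from the thread or from Cisco): it builds a CSR, or a self-signed test cert, with the FQDN and every IP/VIP in the SAN, and verifies that a given SAN covers a required list. The hostname and addresses are constructed placeholders, and it assumes OpenSSL 1.1.1 or newer for `-addext`.

```shell
#!/bin/sh
# Added example, not from the thread: build a CSR (or a self-signed test
# cert) whose SAN lists the FQDN plus every IP/VIP, and verify that a SAN
# covers a required list before handing the request to the CA.
# Hostname and addresses below are constructed placeholders.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_req csr|cert OUTFILE FQDN IP...  -> CSR or self-signed cert with SAN
make_req() {
  kind=$1; out=$2; fqdn=$3; shift 3
  san="DNS:$fqdn"
  for ip in "$@"; do san="$san,IP:$ip"; done
  extra=""
  if [ "$kind" = cert ]; then extra="-x509 -days 30"; fi
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/key.pem" $extra \
    -subj "/CN=$fqdn" -addext "subjectAltName=$san" -out "$out" 2>/dev/null
}

# san_of csr|cert FILE -> "DNS:host,IP:a.b.c.d,..." normalised to one line
san_of() {
  if [ "$1" = cert ]; then openssl x509 -in "$2" -noout -text
  else openssl req -in "$2" -noout -text; fi |
    grep -A1 'Subject Alternative Name' | tail -n1 |
    sed 's/IP Address:/IP:/g' | tr -d ' '
}

# san_covers csr|cert FILE ENTRY... -> 0 only if every ENTRY is in the SAN
san_covers() {
  kind=$1; file=$2; shift 2
  found=$(san_of "$kind" "$file")
  for want in "$@"; do
    case ",$found," in
      *",$want,"*) ;;
      *) echo "SAN is missing $want (has: $found)" >&2; return 1 ;;
    esac
  done
}

# Demo: the old cert only knows the 1G address; the new CSR must carry the
# 10G address and the VIP too, or the replacement will not help.
make_req cert "$WORK/old.pem" dnac.example.net 198.51.100.5
san_covers cert "$WORK/old.pem" IP:192.0.2.10 || echo "old cert lacks new IP"
make_req csr "$WORK/new.csr" dnac.example.net 192.0.2.10 192.0.2.11
san_covers csr "$WORK/new.csr" DNS:dnac.example.net IP:192.0.2.10 IP:192.0.2.11 &&
  echo "new CSR covers FQDN, IP and VIP"
```

Run `san_covers cert` against the certificate currently installed on the appliance to confirm whether the new address is really missing before re-issuing.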

Yeah, I have checked that it contains all IPs etc., so it's a bit strange. :)

Frank, please capture the pki-broker logs by running "magctl service logs -r pki-broker > pki-broker.log" after you run the cert import into DNAC again, and send pki-broker.log over if you could. We may identify what the problem is based on the logs.

anantsiv
Cisco Employee

Hi Frank,

We recommend against using and importing a self-signed certificate into the DNA Center. Importing a valid X.509 certificate from a well-known certificate authority (CA) is recommended. Additionally, you must replace the self-signed certificate (installed in the DNA Center by default) with a certificate that is signed by a well-known certificate authority for the Network PnP functionality to work properly.

You can also refer to our document:

https://www.cisco.com/c/en/us/td/docs/cloud-systems-management/network-automation-and-management/dna-center/1-1/admin/b_dnac_admin_guide_1_1/b_dnac_admin_guide_1_1_chapter_01.html#id_54524