cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1175
Views
15
Helpful
8
Replies

upload certificate in DNA - get error msg

chamies2011
Beginner
Beginner

Hi

 

We have self signed certificate by default from cisco, we would like update with our Internal (CA)Certified authority, before upgrade with most recent DNAC version, and is recommend by cisco.

 

We try to upload PEM file in DNAC version 1.3.3.x, after get it from the internal CA

with the private key

 

but after press the upload button on DNAC, we get the message :

'' Certificate key Usage do not contain Key Encipherment ''

 

Any clue ?

What is missing, and where ?

If someone can help

 

Thank you

Regards

 

screeshot of the message on DNAC gui when doing the certificate upload.jpg

 

 

 

1 Accepted Solution

Accepted Solutions

You are likely not chaining the certificates properly.

 

First, you need to understand what certificate(s) are included in xpto-bundle.pem. Certificate authorities will sometimes provide you the bundle which already includes the device certificate, intermediate certificate(s), and root certificate while others will only provide you the intermediate(s) & root certificates in the bundle. 

 

Can you open the .pem file in a text editor and then decode it by copying the contents of the PEM file so you can view the CN & Issuer of the certificates included in the bundle.pem file. You can decode the certificates in the bundle.pem file using the following decoder:

-- https://www.sslshopper.com/certificate-decoder.html

 

Use the method above to understand which certificates are included in the bundle.pem file. If the bundle.pem includes all 3 certificates, we can upload it directly to the Cisco DNA Center GUI. If the bundle.pem includes only the intermediate(s) & root certificate, you will need to open the bundle.pem file in a text editor and paste the contents of the xpto.pem to the top of the bundle.pem contents then upload the bundle.pem to the Cisco DNA Center.

View solution in original post

8 Replies 8

Dan Rowe
Cisco Employee
Cisco Employee

The following document provides the steps needed to successfully generate the CSR for the DNA Center, sign it by your internal CA, & upload it back to the DNA Center:

https://www.cisco.com/c/en/us/td/docs/cloud-systems-management/network-automation-and-management/dna-center/hardening_guide/b_dnac_security_best_practices_guide.html#id_90320

 

If you are still running into issues after following the steps in the document, please consider opening a TAC case.

 

FYI, you will use CA:True for self-signed certificates. CA:False if the certificate will be signed by an external/internal CA.

 

HTH!

chamies2011
Beginner
Beginner

  Thank you Both

   I follow that guide.

   But still..

   I have tried now with normal pem file instead of xpto_bundle.pem

   And still some error, but different  ''  issuer should be equal to subject for root cert'' 

 

  CA is set false, due is certificate provide by internal CA

 

  all info I set in openssl file , and then generate the certificate, and I verify ok

  

   where exactly I should check that info or/and change,, regarding ''issuer should be equal to subject for root cert''?

  

  

 

 

Depending on the internal CA you are using, you may receive two pem files. One PEM file will be the DNA Center device certificate which was created from the CSR you provided to the internal CA. The other PEM file (xpto_bundle.pem) may contain the intermediate & root certificates in a chain. You need to combine the device certificate with the intermediate & root certificate bundle to create the certificate chain correctly. This way the issuer for the device certificate will match the CN of the intermediate certificate and the issuer of the intermediate certificate will match the CN & issuer of the root certificate.

 

Once you have bundled the certificates together, you can verify that you did it correctly by using the following openssl command from CLI:

openssl verify <.pem file>

 

When chaining the certificate, you will want to add the device certificate first at the top followed by the intermediate certificate then root certificate at the bottom of the chain. Similar to this:

 

-------Device Certificate-------------
-------End Device Certificate---------
-------Intermediate Cert--------------
-------End Intermediate Cert----------
-------Root Cert----------------------
-------End Root Certificate-----------

 

If you continue to still run into problems after confirming and verifying the certificate chain using the openSSL CLI command, please proceed with opening a TAC case with the DNA SSPT TAC team. They will be able to work with you to chain the certificate correctly and get it uploaded to the Cisco DNA Center appliance. 

 

HTH!

Thanks for your tips Danirowe

 

Well, I get 3 files from CA.

 xpto.pem

xpto-bundle.pem

xpto.der

 

and the options in DNA to upload is as pem file.

So, i guess I should concatenate it..

 

like that: cat xpto.der xpto.pem xpto-bundle.pem > xpto-chain.pem

 

not sure if will work with diferent extension

I will test it..

 

 

 

 

well I verify the pen files and i get error:  

  xpto.pem: O = YYY, OU = XX, CN = DNA

   error 20 at 0 depth lookup : unable to get local issuer certificate

 

  xpto-bundle.pem: O = YYY,  CN = P  root CA

   error 18 at 0 depth lookup : self signed certificate

 

any clue ? or what info I need to change or if CA need to change anything..?

Thank you

 

 

so in resume:

 

when I verify file xpro.csr file verify OK

I can see public key, signature...

 

but after I get the 3 files from CA

the 2 pem files get errors:

 

well I verify the pen files and i get error:  

  xpto.pem: O = YYY, OU = XX, CN = DNA

   error 20 at 0 depth lookup : unable to get local issuer certificate

 

  xpto-bundle.pem: O = YYY,  CN = P  root CA

   error 18 at 0 depth lookup : self signed certificate

 

any clue ? or what info I need to change or if CA need to change anything..?

Thank you

You are likely not chaining the certificates properly.

 

First, you need to understand what certificate(s) are included in xpto-bundle.pem. Certificate authorities will sometimes provide you the bundle which already includes the device certificate, intermediate certificate(s), and root certificate while others will only provide you the intermediate(s) & root certificates in the bundle. 

 

Can you open the .pem file in a text editor and then decode it by copying the contents of the PEM file so you can view the CN & Issuer of the certificates included in the bundle.pem file. You can decode the certificates in the bundle.pem file using the following decoder:

-- https://www.sslshopper.com/certificate-decoder.html

 

Use the method above to understand which certificates are included in the bundle.pem file. If the bundle.pem includes all 3 certificates, we can upload it directly to the Cisco DNA Center GUI. If the bundle.pem includes only the intermediate(s) & root certificate, you will need to open the bundle.pem file in a text editor and paste the contents of the xpto.pem to the top of the bundle.pem contents then upload the bundle.pem to the Cisco DNA Center.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: