Cisco DNAC Certificate Self Signed

Hello, in our company we have a DNAC test run.

I also installed an ISE.

Now I try to replace the DNAC certificate to build up the connection to ISE.

But uploading the certificate fails with "Certificate do not contain KeyUsage extension".

I took this example for creating my Certificate:

https://www.cisco.com/c/en/us/td/docs/cloud-systems-management/network-automation-and-management/dna-center/hardening_guide/b_dnac_security_best_practices_guide.html#id_90320

 

[ req ]
req_extensions = v3_req
distinguished_name = req_distinguished_name
default_bits = 4096
default_md = sha512
prompt = no
[req_distinguished_name]
C = <two-letter-country-code>
ST = <state-or-province>
L = <city>
O = <company-name>
OU = MyDivision
CN = FQDN-of-Cisco-DNA-Center-on-GUI-port
emailAddress = responsible-user@mycompany.tld

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage=serverAuth,clientAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = FQDN-of-Cisco-DNA-Center-on-GUI-port
DNS.2 = FQDN-of-Cisco-DNA-Center-on-enterprise-port
DNS.3 = pnpserver.DomainAssignedByDHCPDuringPnP.tld
IP.1 = Enterprise port IP node #1
IP.2 = Enterprise port IP node #2

Does anyone have an idea what is wrong?

Accepted Solution

Re: Cisco DNAC Certificate Self Signed

ok, found the solution:

 

[ ca ]
default_ca = CA_default

[ req ]
prompt = no
distinguished_name = req_distinguished_name
x509_extensions = v3_ca


[req_distinguished_name]
C = 
ST = 
L = 
O = 
OU =
CN = 
emailAddress = 

[alt_names]
DNS.1 = 
IP.1 = 

[ v3_ca ]
basicConstraints = CA:TRUE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment, keyCertSign
extendedKeyUsage = serverAuth,clientAuth
subjectAltName = @alt_names

[CA_default]
copy_extensions = copy

Re: Cisco DNAC Certificate Self Signed

I have the same problem, but after trying this solution I get the error message "Certificate do not contain ClientAuth ExtendedKeyUsage extension". Even though I do have extendedKeyUsage = serverAuth,clientAuth in my template.

 

Anyone seen this?
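
An added pre-flight check (not part of either poster's solution) that explains both error messages in this thread: it reads an OpenSSL config the way `openssl req -x509` does and reports what DNA Center would reject before any certificate is generated. It assumes no `-extensions` flag overrides the config on the command line; the two embedded configs are constructed from the original post and the accepted solution.

```python
"""Pre-flight check for an OpenSSL config used with `openssl req -x509`:
reproduces the two DNA Center upload errors from this thread without
running openssl. Assumes no `-extensions` flag overrides the config."""
import re

# Constructed sample: the poster's layout (extensions only under req_extensions)
ORIGINAL_CONFIG = """[ req ]
req_extensions = v3_req
[ v3_req ]
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth,clientAuth
"""
# Constructed sample: the accepted solution's layout (x509_extensions)
FIXED_CONFIG = """[ req ]
x509_extensions = v3_ca
[ v3_ca ]
keyUsage = nonRepudiation, digitalSignature, keyEncipherment, keyCertSign
extendedKeyUsage = serverAuth,clientAuth
"""

def parse_openssl_conf(text):
    """Sections, `key = value`, `#` comments; keys before any [section] go to the default section."""
    conf, current = {"default": {}}, "default"
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        header = re.match(r"^\[\s*(.+?)\s*\]$", line)
        if header:
            current = header.group(1)
            conf.setdefault(current, {})
        elif "=" in line:
            key, _, value = line.partition("=")
            conf[current][key.strip()] = value.strip()
    return conf

def split_list(value):
    return {v.strip() for v in (value or "").split(",") if v.strip()}

def check_self_signed_config(text):
    """Return the DNA Center errors a cert built from this config would trigger."""
    conf, problems = parse_openssl_conf(text), []
    req = {**conf["default"], **conf.get("req", {})}  # OpenSSL falls back to defaults
    # `-x509` applies x509_extensions only; req_extensions goes into a CSR, not the cert
    ext = conf.get(req.get("x509_extensions"), {})
    if not ext and req.get("req_extensions"):
        problems.append("req_extensions is ignored by -x509; set x509_extensions instead")
    if not split_list(ext.get("keyUsage")):
        problems.append("Certificate do not contain KeyUsage extension")
    if "clientAuth" not in split_list(ext.get("extendedKeyUsage")):
        problems.append("Certificate do not contain ClientAuth ExtendedKeyUsage extension")
    return problems
```

Running `check_self_signed_config` on the original layout yields all three findings, on the accepted solution none, and on a copy whose `extendedKeyUsage` lacks `clientAuth` exactly the second reply's error.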
