
Cisco DNAC Certificate Self Signed

Bothwalker
Level 1

Hello, in our company we have a DNAC test run.

I also installed an ISE.

Now I am trying to replace the DNAC certificate to build up the connection to ISE.

But uploading the certificate fails with "Certificate do not contain KeyUsage extension".

I used this example for creating my certificate:

https://www.cisco.com/c/en/us/td/docs/cloud-systems-management/network-automation-and-management/dna-center/hardening_guide/b_dnac_security_best_practices_guide.html#id_90320

 

[ req ]
req_extensions = v3_req
distinguished_name = req_distinguished_name
default_bits = 4096
default_md = sha512
prompt = no

[req_distinguished_name]
C = <two-letter-country-code>
ST = <state-or-province>
L = <city>
O = <company-name>
OU = MyDivision
CN = FQDN-of-Cisco-DNA-Center-on-GUI-port
emailAddress = responsible-user@mycompany.tld

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage=serverAuth,clientAuth
subjectAltName = @alt_names

[alt_names]
DNS.1 = FQDN-of-Cisco-DNA-Center-on-GUI-port
DNS.2 = FQDN-of-Cisco-DNA-Center-on-enterprise-port
DNS.3 = pnpserver.DomainAssignedByDHCPDuringPnP.tld
IP.1 = Enterprise port IP node #1
IP.2 = Enterprise port IP node #2

Does anyone have an idea what is wrong?

Accepted Solution

Bothwalker
Level 1

ok, found the solution:

 

[ ca ]
default_ca = CA_default

[ req ]
prompt = no
distinguished_name = req_distinguished_name
# x509_extensions (not req_extensions) is the section "openssl req -x509" writes into a self-signed certificate
x509_extensions = v3_ca


[req_distinguished_name]
C = 
ST = 
L = 
O = 
OU =
CN = 
emailAddress = 

[alt_names]
DNS.1 = 
IP.1 = 

[ v3_ca ]
basicConstraints = CA:TRUE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment, keyCertSign
extendedKeyUsage = serverAuth,clientAuth
subjectAltName = @alt_names

# only consulted by "openssl ca" when it signs a CSR; harmless for "openssl req -x509"
[CA_default]
copy_extensions = copy


7 Replies

I have the same problem, but after trying this solution I get the error message "Certificate do not contain ClientAuth ExtendedKeyUsage extension". Even though I do have extendedKeyUsage = serverAuth,clientAuth in my template.

 

Anyone seen this?

Hi, I had the same issue and I solved it in this way:

[ ca ]
default_ca = CA_default
[ req ]
prompt = no
distinguished_name = req_distinguished_name
req_extensions = v3_req
# "openssl req -x509" applies x509_extensions, so usr_cert is what lands in a self-signed certificate
x509_extensions = usr_cert
[ usr_cert ]
basicConstraints=CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth,clientAuth
# needed here as well, otherwise a self-signed certificate has no SAN (req_extensions only reaches the CSR)
subjectAltName = @alt_names
[ v3_req ]
basicConstraints=CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth,clientAuth
subjectAltName = @alt_names
[req_distinguished_name]
C = 
ST =
L = 
O = 
OU = 
CN = 
emailAddress = 
[alt_names]
DNS.1 = <dnac_name>
IP.1 = <dnac_ip_address>
# only consulted by "openssl ca" when it signs a CSR
[CA_default]
copy_extensions = copy

 

Finally, you can verify your certificate with this command on Linux:

openssl x509 -text -noout -in <cert.pem>
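An added example, not code from the thread or from Cisco, that ties together the accepted solution, the "ClientAuth ExtendedKeyUsage" follow-up and the openssl x509 -text check above. The point it demonstrates: req_extensions is only applied when OpenSSL writes a CSR, while openssl req -x509 takes its extensions from x509_extensions or from the -extensions flag, so self-signing with the config in the question yields a certificate with no KeyUsage at all, which is exactly the upload error. The script builds both certificates from one config and then runs a precheck that looks for everything the DNAC error messages in this thread mention. It assumes the openssl CLI is installed; dnac.example.test, pnpserver.example.test, 192.0.2.10 and the function name dnac_precheck are my placeholders.

```sh
#!/bin/sh
# Added example; not code from the thread or from Cisco. It reproduces the
# "Certificate do not contain KeyUsage extension" failure, shows the fix, and
# checks a certificate for the things the DNAC error messages in this thread
# ask for (KeyUsage, clientAuth/serverAuth EKU, SAN) before you upload it.
# Assumptions: the openssl CLI is on PATH; names and addresses are placeholders.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# One config for both runs. The catch: req_extensions only reaches a CSR.
# "openssl req -x509" applies x509_extensions (or the -extensions flag), so a
# self-signed cert made with the question's config silently has no KeyUsage.
cat > "$WORK/dnac.cnf" <<'EOF'
[ req ]
prompt = no
default_md = sha256
distinguished_name = req_distinguished_name
req_extensions = v3_req

[ req_distinguished_name ]
CN = dnac.example.test

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = dnac.example.test
DNS.2 = pnpserver.example.test
IP.1 = 192.0.2.10
EOF

openssl genrsa -out "$WORK/dna.key" 2048 2>/dev/null

# Run 1: the question's usage; v3_req is only referenced by req_extensions.
openssl req -x509 -new -key "$WORK/dna.key" -config "$WORK/dnac.cnf" \
    -days 365 -out "$WORK/broken.pem"
# Run 2: same config, but the section is applied to the self-signed cert
# (equivalent to x509_extensions = v3_req in [ req ]).
openssl req -x509 -new -key "$WORK/dna.key" -config "$WORK/dnac.cnf" \
    -extensions v3_req -days 365 -out "$WORK/fixed.pem"

# dnac_precheck CERT: returns 0 only if CERT carries every extension DNAC
# complains about in this thread; otherwise prints the first missing one.
dnac_precheck() {
    txt=$(openssl x509 -in "$1" -noout -text)
    case "$txt" in *"X509v3 Key Usage"*) ;; *) echo "missing: KeyUsage"; return 1 ;; esac
    case "$txt" in *"TLS Web Client Authentication"*) ;; *) echo "missing: clientAuth EKU"; return 1 ;; esac
    case "$txt" in *"TLS Web Server Authentication"*) ;; *) echo "missing: serverAuth EKU"; return 1 ;; esac
    case "$txt" in *"X509v3 Subject Alternative Name"*) ;; *) echo "missing: SAN"; return 1 ;; esac
    echo "ok: $1"
}

for c in broken.pem fixed.pem; do
    dnac_precheck "$WORK/$c" || true
done
```

Run as-is it prints "missing: KeyUsage" for the first certificate and "ok: .../fixed.pem" for the second. Running dnac_precheck against your dna.pem before every upload covers the checks behind both error messages quoted above; the accepted solution reaches the same result with x509_extensions = v3_ca in its [ req ] section, and -extensions on the command line is the equivalent switch.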

Hello Bothwalker,

 

Was it a self-signed certificate, or did you manage to get it signed by a CA?

 

Regards,

A.

dp@sig4
Level 1

The following openssl configuration worked with an MS internal CA signed certificate, but you need to ensure the cert template you use on the CA has BOTH Client and Server auth support configured. If you use a default template, it likely only has Server auth and the cert will fail to install on DNAC.

In DNAC CLI, create openssl.cnf:

vi openssl.cnf

insert your config and save it:

[ req ]
prompt = no
req_extensions = v3_req
distinguished_name = req_distinguished_name
default_bits = 4096
default_md = sha512

[req_distinguished_name]
C = US
ST = California
O = Cisco
OU = TAC
L = San Jose
CN = dnac.cisco.com
emailAddress = tac@cisco.com

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
# the name after @ must match the section header below exactly, or openssl req fails to load v3_req
subjectAltName = @alt_names

[alt_names]
DNS.1 = dnac.cisco.com
DNS.2 = pnpserver.cisco.com
IP.1 = 10.0.0.1
# IP.2 = <other cluster/mgmt IPs as required>

create your key:

openssl genrsa -out dna.key 4096

create your CSR using the config file:

openssl req -config openssl.cnf -new -key dna.key -out DNAC.csr 

confirm it looks good:

openssl req -text -noout -verify -in DNAC.csr

Download the file from DNAC and use that in your CA with a template that has both Client Auth and Server Auth support.
Convert your new signed cert to PEM format:

openssl x509 -in "newdna.crt" -out "dna.pem"    # add -inform DER if the CA handed you a binary (DER) .crt

Then add the Internal CA and Root CA certs under the new DNAC certificate in dna.pem (new DNAC cert, then Int CA, then Root CA, each one below the previous -----END CERTIFICATE----- line). You can copy and paste the text or cat them to a new file, whatever works for you, but you need them all chained in the same dna.pem file.

Final step is to Replace Certificate, using dna.pem and dna.key files created above, via System > Settings > Trust & Privacy > Certificates > Replace Certificate.

Drag the files in and select No for password encryption and Save it. It will log you out and you're done.

 

Hi there, I just want to understand: we created openssl.cnf in the DNAC CLI. Do the openssl commands also need to be run in the DNAC CLI?

I also wonder how I can get the private key from the DNAC CLI.

Kindly advise.

cesarvelandia51
Level 1

Hi Fairuz, it is not mandatory to use the DNAC CLI for this. You could use a Linux machine or even WSL to make the request. You can use these commands to create the template:

mkdir certificados; cd certificados
openssl genrsa -out server.key 2048
cat > template.cnf    # paste the template below, then press Ctrl-D to save it

Then you fill out the template and finally you generate the request (dna-request.csr) and the private key (server.key):

openssl req -config template.cnf -new -key server.key -out dna-request.csr

And this is the order your certificate chain has to have once your CA has signed it:
Identity
Intermediate
Root

And if you need it, this is the template I always use. The IP.X entries are all the IP addresses of the DNAC. There are 16 because this is the template for a cluster. It is better to have this planned for a future cluster.

[ req ]
prompt = no
distinguished_name = req_distinguished_name
req_extensions = v3_req
x509_extensions = usr_cert # the extensions "openssl req -x509" adds to a self-signed cert

[ usr_cert ]
basicConstraints=CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth,clientAuth
# needed here as well, otherwise a self-signed certificate has no SAN (req_extensions only reaches the CSR)
subjectAltName = @alt_names

[ v3_req ]
basicConstraints=CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth,clientAuth
subjectAltName = @alt_names

[req_distinguished_name]
C =
ST =
L =
O =
OU =
CN =
emailAddress =

# only consulted by "openssl ca" when it signs a CSR
[CA_default]
copy_extensions = copy

[alt_names]
DNS.1 = dnac.yourdomain
DNS.2 = pnpserver.yourdomain
DNS.3 = *.yourdomain

IP.1 =
IP.2 =
IP.3 =
IP.4 =
IP.5 =
IP.6 =
IP.7 =
IP.8 =
IP.9 =
IP.10 =
IP.11 =
IP.12 =
IP.13 =
IP.14 =
IP.15 =
IP.16 =
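As an added example (not code from the thread, from Cisco or from Microsoft) covering both the CA-signed procedure in dp@sig4's post and the Identity / Intermediate / Root order in this one: the script stands in for the enterprise CA with a throwaway root and issuing CA, signs a DNAC-style CSR so that the KeyUsage, EKU and SAN from the request actually end up in the issued certificate (with openssl x509 -req the CA has to add them itself, just as an MS CA template decides what goes in), assembles dna.pem in the order DNAC wants, and checks both that order and that the identity certificate chains to the root using only the intermediates shipped in the bundle. It assumes the openssl CLI; the names dnac.example.test, pnpserver.example.test, 192.0.2.10, "Example Root" and "Example Issuing" and the functions split_bundle, bundle_order, bundle_verifies and has_client_auth are mine.

```sh
#!/bin/sh
# Added example; not code from the thread, from Cisco or from Microsoft. A
# throwaway root + issuing CA stands in for the enterprise CA, signs a DNAC-style
# CSR so the request's KeyUsage/EKU/SAN survive issuance, builds dna.pem in the
# order DNAC wants (identity, intermediate, root) and verifies order and trust.
# Assumptions: the openssl CLI is on PATH; every name, key and address below is
# a placeholder generated on the spot.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

cat > dnac.cnf <<'EOF'
[ req ]
prompt = no
default_md = sha256
distinguished_name = dn
req_extensions = v3_req

[ dn ]
CN = dnac.example.test

# What the issued DNAC certificate must carry (the CA template has to allow it).
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:dnac.example.test, DNS:pnpserver.example.test, IP:192.0.2.10

# Extensions for the two CA certificates of the throwaway hierarchy.
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF

# Root CA (self-signed) and issuing CA (signed by the root).
openssl req -x509 -newkey rsa:2048 -nodes -keyout root.key -out root.pem -days 30 \
    -subj "/CN=Example Root" -config dnac.cnf -extensions ca_ext
openssl req -new -newkey rsa:2048 -nodes -keyout inter.key -out inter.csr \
    -subj "/CN=Example Issuing" -config dnac.cnf
openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -days 30 -out inter.pem -extfile dnac.cnf -extensions ca_ext

# The DNAC key and CSR, as in the posts above (CN and SAN come from the config).
openssl req -new -newkey rsa:2048 -nodes -keyout dna.key -out dna.csr -config dnac.cnf

# Issue the DNAC certificate. "openssl x509 -req" does not copy CSR extensions,
# so the CA has to add them; -extensions v3_req plays the role of an MS CA
# template with both Client and Server Authentication enabled.
openssl x509 -req -in dna.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
    -days 30 -out dna-cert.pem -extfile dnac.cnf -extensions v3_req

# Bundle in the order DNAC expects, plus a deliberately reversed one.
cat dna-cert.pem inter.pem root.pem > dna.pem
cat root.pem inter.pem dna-cert.pem > wrong-order.pem

# split_bundle DIR BUNDLE: write c1.pem, c2.pem, ... in the order they appear.
split_bundle() {
    awk -v d="$1" '/-----BEGIN CERTIFICATE-----/{n++} n>0{print > (d "/c" n ".pem")}' "$2"
}

# bundle_order BUNDLE: 0 only if every certificate is issued by the one after it,
# i.e. the file reads identity, intermediate(s), root from top to bottom.
bundle_order() {
    d=$(mktemp -d); split_bundle "$d" "$1"
    n=$(ls "$d" | wc -l | tr -d ' '); i=1; ok=0
    while [ "$i" -lt "$n" ]; do
        iss=$(openssl x509 -noout -issuer -nameopt RFC2253 -in "$d/c$i.pem")
        sub=$(openssl x509 -noout -subject -nameopt RFC2253 -in "$d/c$((i+1)).pem")
        [ "${iss#issuer=}" = "${sub#subject=}" ] || ok=1
        i=$((i+1))
    done
    rm -rf "$d"; return $ok
}

# bundle_verifies BUNDLE ROOT: the first certificate must chain to ROOT using only
# the intermediates shipped inside BUNDLE, which is all a TLS peer will see.
bundle_verifies() {
    d=$(mktemp -d); split_bundle "$d" "$1"
    if openssl verify -CAfile "$2" -untrusted "$1" "$d/c1.pem" >/dev/null 2>&1; then r=0; else r=1; fi
    rm -rf "$d"; return $r
}

# has_client_auth CERT: the check behind "do not contain ClientAuth ExtendedKeyUsage".
has_client_auth() {
    openssl x509 -in "$1" -noout -text | grep -q 'TLS Web Client Authentication'
}

bundle_order dna.pem && echo "dna.pem: identity, intermediate, root order ok"
bundle_order wrong-order.pem || echo "wrong-order.pem: not in identity, intermediate, root order"
bundle_verifies dna.pem root.pem && echo "dna.pem: identity chains to the root"
has_client_auth dna-cert.pem && echo "dna-cert.pem: clientAuth EKU present"
```

bundle_order is the check worth keeping: bundle_verifies cannot catch a mis-ordered file on its own, because with the root on top the "identity" it extracts is the root certificate, which verifies against itself, so wrong-order.pem passes that check and is still wrong for DNAC. For a real enterprise CA, replace the two signing steps with your CA's issuance and use its intermediate and root certificates in place of inter.pem and root.pem; the checks stay the same.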