Content of alt_names in DNAC certificate

Dear All,

 

I am checking how to create a certificate for DNAC (System Settings - Certificate). I usually use this guide, "Cisco Digital Network Architecture Center Security Best Practices Guide" (https://www.cisco.com/c/en/us/td/docs/cloud-systems-management/network-automation-and-management/dna-center/hardening_guide/b_dnac_security_best_practices_guide.html).

In the CA alt_names, I can see that Cisco mentions:

DNS.1 = FQDN-of-Cisco-DNA-Center-on-GUI-port
DNS.1 = FQDN-of-Cisco-DNA-Center-on-enterprise-port
DNS.2 = pnpserver.DomainAssignedByDHCPDuringPnP.tld
+ all IP of DNAC

However, if I check a self-signed certificate from a newly installed 1.3, I can see the following:

 

DNS name=localhost
DNS name=kong
DNS name=kong.maglev-system
DNS name=kong.maglev-system.svc
DNS name=kong.maglev-system.svc.cluster
DNS name=kong.maglev-system.svc.cluster.local
DNS name=kong-frontend
DNS name=kong-frontend.maglev-system
DNS name=kong-frontend.maglev-system.svc
DNS name=kong-frontend.maglev-system.svc.cluster
DNS name=kong-frontend.maglev-system.svc.cluster.local
IP Address= ALL IP of DNAC

As you can see, there are localhost + all sorts of kong stuff, but no mention of these in the security guide ...

Do you know if we need to add these kong & localhost entries when creating a new certificate, or whether they won't be used for the GUI of DNAC?

 

Thx,

Philippe


Re: Content of alt_names in DNAC certificate

Hi Philippe,

 

I can only speak from my experience. I have issued the certificate without attributes like localhost and these services domain names and everything continues to work fine. You only have to make sure that the IP address attributes are present in addition to the DNS attributes. Otherwise services like Plug and Play won't work properly anymore.

 

I also added the attributes of the cluster IP addresses. But I'm not sure if this is really necessary.

 

Best regards,

Johannes
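As an added example (not part of Philippe's or Johannes's posts, and not Cisco's code), the Python below checks a certificate's SAN list, pasted in the "DNS name=" / "IP Address=" form shown in the question, against what the hardening guide asks for: the GUI and enterprise FQDNs, the pnpserver name, and every DNAC IP address. It reports the required entries that are missing (the IP entries Johannes says PnP depends on) and the extra kong/localhost names the guide does not list, and it renders the matching [alt_names] section for an OpenSSL CSR config. The FQDNs and the 192.0.2.x addresses are constructed placeholders, not values from the thread.

```python
import ipaddress

# Constructed sample: SAN lines of the kind a self-signed DNAC certificate
# shows (localhost, kong service names, plus the appliance IPs).
SELF_SIGNED_SAN_LINES = """\
DNS name=localhost
DNS name=kong
DNS name=kong.maglev-system.svc.cluster.local
DNS name=kong-frontend.maglev-system.svc.cluster.local
IP Address=192.0.2.10
IP Address=192.0.2.11
"""

# Hypothetical names/addresses for this DNAC (documentation ranges only).
GUI_FQDN = "dnac-gui.example.net"
ENTERPRISE_FQDN = "dnac-ent.example.net"
PNP_FQDN = "pnpserver.example.net"
DNAC_IPS = ["192.0.2.10", "192.0.2.11"]


def parse_san_lines(text):
    """Turn 'DNS name=x' / 'IP Address=y' lines into two sets: DNS names
    (lower-cased) and IP addresses (normalised via ipaddress so that, e.g.,
    different IPv6 spellings compare equal). Unparsable IPs raise ValueError."""
    dns, ips = set(), set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        kind, _, value = line.partition("=")
        kind, value = kind.strip().lower(), value.strip()
        if kind == "dns name":
            dns.add(value.lower())
        elif kind == "ip address":
            try:
                ips.add(str(ipaddress.ip_address(value)))
            except ValueError as exc:
                raise ValueError(f"not an IP address in SAN: {value!r}") from exc
    return dns, ips


def required_entries(gui_fqdn, enterprise_fqdn, pnp_fqdn, ip_list):
    """SAN content the hardening guide calls for: GUI and enterprise FQDNs,
    the PnP server name, and every DNAC IP address."""
    dns = {gui_fqdn.lower(), enterprise_fqdn.lower(), pnp_fqdn.lower()}
    ips = {str(ipaddress.ip_address(ip)) for ip in ip_list}
    return dns, ips


def missing_san(cert_san_text, gui_fqdn, enterprise_fqdn, pnp_fqdn, ip_list):
    """Compare a certificate's SAN list with the required set. Returns the
    required DNS names and IPs that are absent, and the extra DNS names
    (localhost, kong.* ...) that the guide does not ask for."""
    have_dns, have_ips = parse_san_lines(cert_san_text)
    need_dns, need_ips = required_entries(gui_fqdn, enterprise_fqdn, pnp_fqdn, ip_list)
    return {
        "missing_dns": sorted(need_dns - have_dns),
        "missing_ips": sorted(need_ips - have_ips),
        "extra_dns": sorted(have_dns - need_dns),
    }


def openssl_alt_names(dns_names, ip_list):
    """Render an [alt_names] section for an OpenSSL CSR config. OpenSSL
    requires distinct keys, so entries are numbered DNS.1, DNS.2, ... and
    IP.1, IP.2, ... in sequence (a repeated index would not add a second name)."""
    lines = ["[alt_names]"]
    for i, name in enumerate(dns_names, 1):
        lines.append(f"DNS.{i} = {name}")
    for i, ip in enumerate(ip_list, 1):
        lines.append(f"IP.{i} = {ipaddress.ip_address(ip)}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    report = missing_san(SELF_SIGNED_SAN_LINES, GUI_FQDN, ENTERPRISE_FQDN, PNP_FQDN, DNAC_IPS)
    print("missing DNS:", report["missing_dns"])
    print("missing IPs:", report["missing_ips"])
    print("extra DNS  :", report["extra_dns"])
    print(openssl_alt_names([GUI_FQDN, ENTERPRISE_FQDN, PNP_FQDN], DNAC_IPS))
```

Run against the self-signed sample the script flags all three guide FQDNs as missing while the IP entries pass; run against a CSR that carries only DNS names it flags both addresses as missing, which is the case Johannes warns about for Plug and Play. The rendered [alt_names] section can be referenced from a `subjectAltName = @alt_names` line in the CSR config.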

Re: Content of alt_names in DNAC certificate

Hello Johannes,

 

Thx for your feedback. It's also what I did on 3 other DNACs ... but I wanted to be sure that there is no impact if we remove the kong ... and I guess/hope/suppose Cisco put them there for a reason ...

 

 

Thx,

Philippe


Re: Content of alt_names in DNAC certificate

Hi Philippe,

 

The Cisco Digital Network Architecture Center Administrator Guide states that "Importing a valid X.509 certificate from a well-known, certificate authority (CA) is recommended." With a public or well-known CA you will mostly not be able to issue the kong FQDNs or localhost.

 

But I have to say that I don't run DNAC in a cluster, so I don't know how it behaves there.

 

Best regards,

Johannes
