1261 Views, 10 Helpful, 3 Replies

Content of alt_names in DNAC certificate

Philippe Hemmer
Level 1

Dear All,

I am looking at creating a certificate for DNAC (System Settings - Certificate). I usually use this guide, "Cisco Digital Network Architecture Center Security Best Practices Guide" (https://www.cisco.com/c/en/us/td/docs/cloud-systems-management/network-automation-and-management/dna-center/hardening_guide/b_dnac_security_best_practices_guide.html).

In the CA alt_names, I can see that Cisco mentions:

DNS.1 = FQDN-of-Cisco-DNA-Center-on-GUI-port
DNS.1 = FQDN-of-Cisco-DNA-Center-on-enterprise-port
DNS.2 = pnpserver.DomainAssignedByDHCPDuringPnP.tld
+ all IP of DNAC

However, if I check a self-signed certificate from a newly installed 1.3, I can see the following:

DNS name=localhost
DNS name=kong
DNS name=kong.maglev-system
DNS name=kong.maglev-system.svc
DNS name=kong.maglev-system.svc.cluster
DNS name=kong.maglev-system.svc.cluster.local
DNS name=kong-frontend
DNS name=kong-frontend.maglev-system
DNS name=kong-frontend.maglev-system.svc
DNS name=kong-frontend.maglev-system.svc.cluster
DNS name=kong-frontend.maglev-system.svc.cluster.local
IP Address= ALL IP of DNAC

As you can see there are localhost + all sorts of kong stuff, but no mention of these in the security guide ...

Do you know if we need to add these kong & localhost entries when creating a new certificate, or whether they won't be used for the GUI of DNAC?

Thx,

Philippe

3 Replies

Johannes_Grimm
Level 1

Hi Philippe,

I can only speak from my experience. I have issued the certificate without attributes like localhost and these service domain names, and everything continues to work fine. You only have to make sure that the IP address attributes are present in addition to the DNS attributes. Otherwise services like Plug and Play won't work properly anymore.

I also added the attributes of the cluster IP addresses. But I'm not sure if this is really necessary.

Best regards,

Johannes
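An added worked example for the question above and for Johannes's point about the IP entries (this is not code from the thread, from Cisco, or from DNAC): it takes the SAN list quoted from the self-signed certificate, keeps only the names under the organisation's own domain plus every IP address, and renders an openssl request config with correctly typed and numbered DNS.n / IP.n entries. The domain example.com, the three FQDNs and the 10.10.x.x addresses are placeholders (assumptions). One caveat it also surfaces: the CA/Browser Forum Baseline Requirements do not allow private (RFC 1918) IP addresses in publicly trusted certificates, so a certificate that must carry the DNAC node IPs will in practice come from an enterprise CA rather than a public one.

```python
"""Plan the subjectAltName list for a DNAC certificate and render an openssl
request config. Added example for this thread; not Cisco tooling. Domain,
hostnames and IP addresses below are placeholders (assumptions)."""
import ipaddress
import re

# Constructed input: the SAN list quoted above from a fresh self-signed DNAC
# certificate, with two placeholder node addresses standing in for "ALL IP of DNAC".
SELF_SIGNED_SANS = [
    "localhost",
    "kong", "kong.maglev-system", "kong.maglev-system.svc",
    "kong.maglev-system.svc.cluster", "kong.maglev-system.svc.cluster.local",
    "kong-frontend", "kong-frontend.maglev-system", "kong-frontend.maglev-system.svc",
    "kong-frontend.maglev-system.svc.cluster", "kong-frontend.maglev-system.svc.cluster.local",
    "10.10.10.10", "10.10.20.10",
]

# Constructed input: the entries the hardening guide asks for, filled with placeholder
# values (assumed: GUI-port FQDN, enterprise-port FQDN, PnP server name, node IPs).
GUIDE_SANS = [
    "dnac.example.com",
    "dnac-ent.example.com",
    "pnpserver.example.com",
    "10.10.10.10", "10.10.20.10",
]

_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def classify(entry):
    """Return ("IP", normalized) or ("DNS", normalized); reject anything else.
    IP addresses must go in IP.n, not DNS.n, or clients will not match them."""
    try:
        return "IP", str(ipaddress.ip_address(entry))
    except ValueError:
        pass
    host = entry.rstrip(".").lower()
    if len(host) > 253 or not all(_LABEL.match(label) for label in host.split(".")):
        raise ValueError(f"not a valid IP address or DNS name: {entry!r}")
    return "DNS", host


def plan_sans(entries, org_domains):
    """Split candidates into (dns, ips, dropped), deduplicated, keeping only DNS
    names under the organisation's own domains. Single-label names (kong,
    localhost) and Kubernetes-internal service names (*.svc.cluster.local) end
    up in 'dropped': no public CA will issue for them, and they only resolve
    inside the cluster, not from a browser."""
    dns, ips, dropped, seen = [], [], [], set()
    for entry in entries:
        kind, value = classify(entry)
        if value in seen:
            continue
        seen.add(value)
        if kind == "IP":
            ips.append(value)
        elif any(value == d or value.endswith("." + d) for d in org_domains):
            dns.append(value)
        else:
            dropped.append(value)
    return dns, ips, dropped


def private_ips(ips):
    """IP SANs in private/reserved space. The CA/Browser Forum Baseline
    Requirements forbid these in publicly trusted certificates, so a cert that
    must carry RFC 1918 DNAC addresses has to come from an enterprise CA."""
    return [a for a in ips if ipaddress.ip_address(a).is_private]


def openssl_config(cn, dns, ips):
    """Render an openssl req config. The CN is repeated as DNS.1 because modern
    clients match only the SAN; DNS.n / IP.n keys are numbered without gaps or
    duplicates."""
    if cn not in dns:
        dns = [cn] + list(dns)
    lines = [
        "[req]", "distinguished_name = dn", "req_extensions = v3_req", "prompt = no", "",
        "[dn]", f"CN = {cn}", "",
        "[v3_req]", "basicConstraints = CA:FALSE",
        "keyUsage = digitalSignature, keyEncipherment",
        "extendedKeyUsage = serverAuth",
        "subjectAltName = @alt_names", "",
        "[alt_names]",
    ]
    lines += [f"DNS.{i} = {h}" for i, h in enumerate(dns, 1)]
    lines += [f"IP.{i} = {a}" for i, a in enumerate(ips, 1)]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    dns, ips, dropped = plan_sans(SELF_SIGNED_SANS + GUIDE_SANS, ["example.com"])
    print("dropped (not requested from the CA):", dropped)
    if private_ips(ips):
        print("note: private IP SANs present, request this from an internal CA:", private_ips(ips))
    print(openssl_config("dnac.example.com", dns, ips))
    # Then:  openssl req -new -newkey rsa:2048 -nodes -keyout dnac.key -out dnac.csr -config dnac.cnf
    # Check: openssl req -in dnac.csr -noout -text | grep -A1 "Subject Alternative Name"
```

Save the printed config as dnac.cnf and run the openssl commands from the last two comments; the grep on the CSR is the check worth doing before sending it to the CA, since a SAN list that puts an address under DNS.n instead of IP.n, or omits the node IPs, is the most common reason a new certificate breaks PnP while the GUI still looks fine.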

Hello Johannes,

Thx for your feedback. It's also what I did on 3 other DNACs ... but I wanted to be sure that there is no impact if we remove the kong entries ... and I guess/hope/suppose Cisco put them there for a reason ...

Thx,

Philippe

Hi Philippe,

The Cisco Digital Network Architecture Center Administrator Guide states that "Importing a valid X.509 certificate from a well-known, certificate authority (CA) is recommended." With a public or well-known CA you will mostly not be able to get the kong FQDNs or localhost issued.

But I have to say that I don't run DNAC in a cluster, so I don't know how it behaves there.

Best regards,

Johannes