07-18-2019 10:31 AM
Dear All,
I am checking to create a certificate for DNAC (System Settings - Certificate). I usually use this guide "Cisco Digital Network Architecture Center Security Best Practices Guide" (https://www.cisco.com/c/en/us/td/docs/cloud-systems-management/network-automation-and-management/dna-center/hardening_guide/b_dnac_security_best_practices_guide.html).
In the CA alt_names, I can see that Cisco mentions:
DNS.1 = FQDN-of-Cisco-DNA-Center-on-GUI-port
DNS.1 = FQDN-of-Cisco-DNA-Center-on-enterprise-port
DNS.2 = pnpserver.DomainAssignedByDHCPDuringPnP.tld
+ all IP of DNAC
However, if I check a self-signed certificate from a newly installed 1.3, I can see the following:
DNS name=localhost
DNS name=kong
DNS name=kong.maglev-system
DNS name=kong.maglev-system.svc
DNS name=kong.maglev-system.svc.cluster
DNS name=kong.maglev-system.svc.cluster.local
DNS name=kong-frontend
DNS name=kong-frontend.maglev-system
DNS name=kong-frontend.maglev-system.svc
DNS name=kong-frontend.maglev-system.svc.cluster
DNS name=kong-frontend.maglev-system.svc.cluster.local
IP Address= ALL IP of DNAC
As you can see, there are localhost + all sorts of kong stuff, but no mention of these in the security guide ...
Do you know if we need to add these kong & localhost names when creating a new certificate, or it won't be used for the GUI of DNAC?
Thx,
Philippe
07-18-2019 11:41 PM
Hi Philippe,
I can only speak from my experience. I have issued the certificate without attributes like localhost and these services domain names and everything continues to work fine. You only have to make sure that the IP address attributes are present in addition to the DNS attributes. Otherwise services like Plug and Play won't work properly anymore.
I also added the attributes of the cluster IP addresses. But I'm not sure if this is really necessary.
Best regards,
Johannes
07-19-2019 12:15 AM
Hello Johannes,
Thx for your feedback. It's also what I did on 3 other DNACs ... but wanted to be sure that there is no impact if we remove the kong ... and I guess/hope/suppose Cisco put them there for a reason ...
Thx,
Philippe
07-19-2019 12:38 AM
Hi Philippe,
The Cisco Digital Network Architecture Center Administrator Guide states that "Importing a valid X.509 certificate from a well-known, certificate authority (CA) is recommended." With a public or well-known CA you will mostly not be able to issue the kong FQDNs or localhost.
But I have to say that I don't run DNAC in a cluster, so I don't know how it behaves there.
Best regards,
Johannes
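Added example, not part of the thread and not Cisco tooling: a pre-import check of a certificate's Subject Alternative Name line (in the "DNS:..., IP Address:..." form that `openssl x509 -noout -text` prints) that reports required DNS/IP entries that are missing and flags the cluster-internal names discussed above, which a public CA will generally not issue. The hostnames and IP addresses are constructed placeholders, and the internal-name rule is a heuristic built only from the names quoted in this thread.

```python
import ipaddress

# Heuristic (assumption): single-label names and names ending in these labels
# are cluster-internal, based on the kong/localhost names quoted in the thread.
INTERNAL_LAST_LABELS = {"localhost", "local", "cluster", "svc", "maglev-system"}


def parse_san(san_text):
    """Split an OpenSSL-style SAN line into (dns_names, ip_addresses)."""
    dns_names, ip_addrs = set(), set()
    for item in san_text.split(","):
        # Partition on the first colon only, so IPv6 values stay intact.
        kind, _, value = item.strip().partition(":")
        kind, value = kind.strip().lower(), value.strip()
        if kind == "dns":
            dns_names.add(value.lower().rstrip("."))
        elif kind in ("ip address", "ip"):
            ip_addrs.add(ipaddress.ip_address(value))
    return dns_names, ip_addrs


def is_internal(name):
    """True for names like 'localhost', 'kong' or 'kong.maglev-system.svc'."""
    labels = name.split(".")
    return len(labels) == 1 or labels[-1] in INTERNAL_LAST_LABELS


def check_san(san_text, required_dns, required_ips):
    """Report required entries absent from the SAN and internal names present."""
    dns_names, ip_addrs = parse_san(san_text)
    wanted_ips = [ipaddress.ip_address(ip) for ip in required_ips]
    return {
        "missing_dns": sorted(n.lower() for n in required_dns
                              if n.lower() not in dns_names),
        "missing_ips": sorted(str(ip) for ip in wanted_ips if ip not in ip_addrs),
        "internal_names": sorted(n for n in dns_names if is_internal(n)),
    }


# Constructed sample data (placeholders, not values from a real deployment).
SAMPLE_SAN = ("DNS:dnac.example.com, DNS:pnpserver.example.com, "
              "DNS:kong.maglev-system.svc, DNS:localhost, IP Address:192.0.2.10")
REQUIRED_DNS = ["dnac.example.com", "dnac-ent.example.com", "pnpserver.example.com"]
REQUIRED_IPS = ["192.0.2.10", "192.0.2.11"]

if __name__ == "__main__":
    for key, values in check_san(SAMPLE_SAN, REQUIRED_DNS, REQUIRED_IPS).items():
        print(f"{key}: {values}")
```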