Buy or Renew
Buy or Renew
Cisco DNA Center is now Catalyst Center. New name, same great product. Learn more about Catalyst Center here.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
4482
Views
0
Helpful
6
Replies

DNAC Certificate - Authority "Self Signed"

robo0003c
Level 1
Level 1

‎08-14-2019 02:57 AM

Hi! I am trying to import a certificate to DNAC signed by our internal RootCA. I have followed the guide, but, it is still "self signed" according to DNAC. Guide: https://www.cisco.com/c/en/us/td/docs/cloud-systems-management/network-automation-and-management/dna-center/hardening_guide/b_dnac_security_best_practices_guide.html#d54e1532a1635

 

I have made a PEM file with "Signed Cisco DNA Center certificate + subordinate CA + RootCA" in it. I can load the cert in correctly, but if I query the API for cert validation: https://dnac.xxxx.se/api/v1/certificate/validate

Response from API: "[SAN check failed, Certificate not signed by trusted CA]"

 

Can I import the RootCA cert in some way to get DNAC to trust my internal RootCA?

dnac_cert_hidden.png

 

Labels:
0 Helpful
6 Replies 6

Preston Chilcote
Cisco Employee
Cisco Employee

‎08-14-2019 11:35 AM

Can you please open a TAC case for this so they can investigate?  If DNA Center indicated that your certificate was uploaded correctly, then it doesn't make sense that it isn't reflected by the system later on.

0 Helpful

robo0003c
Level 1
Level 1
In response to Preston Chilcote

‎09-16-2019 03:08 AM

Hi! I opened a case via DNA Solution Support and got the response from them that it is a bug and also that there is no ETA on a fix: "There is indeed a bug id but hasn’t been yet released. There is no ETA for this fix yet. And yes, you can treat it as a cosmetic issue."

0 Helpful

torkel-mathisen
Level 1
Level 1
In response to robo0003c

‎09-24-2019 11:58 PM

I have the exact same issue and I'm not convinced that it is just a cosmetic issue. Have you tried connecting to your DNA Center on CLI and run any maglev commands? 

 

Like: maglev catalog settings display

 

For me this fails with the message: ERROR: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:590)

0 Helpful

Preston Chilcote
Cisco Employee
Cisco Employee
In response to torkel-mathisen

‎09-25-2019 09:05 AM

Hi Torkel,
Please open a TAC case and see if they can give you a bug id.
0 Helpful

torkel-mathisen
Level 1
Level 1
In response to Preston Chilcote

‎09-30-2019 04:43 AM

I found out what the issue was. I ended up reinstalling my DNAC and imported the certificate again. Still got the self-signed issue, but now all the maglev commands from CLI worked so that must have been a different problem.

 

Next I imported my AD Root certificate into the Trustpool and now everything works. I have not seen this step listed in the best practices guide, but for me at least it was needed. I would have thought that as long as you downloaded the whole cert chain it would automatically import the root certificate into the Trustpool, but it seems like it doesn't do that.

 

Anyway; it fixed my issue.

0 Helpful

Preston Chilcote
Cisco Employee
Cisco Employee
In response to robo0003c

‎09-25-2019 09:04 AM

Hi robo003c,

TAC is supposed to give you a bug id.  I suggest following up with the TAC engineer to ask for that.  If there is no bug id, then it's possible the request gets lost, and you'd end up waiting for nothing.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents