cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

Choose one of the topics below for Cisco DNA Center Resources to help you on your journey with Cisco DNA Center

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC!
We will not comment or assist with your TAC case in these forums.

375
Views
0
Helpful
6
Replies
Beginner

DNAC Certificate - Authority "Self Signed"

Hi! I am trying to import a certificate to DNAC signed by our internal RootCA. I have followed the guide, but, it is still "self signed" according to DNAC. Guide: https://www.cisco.com/c/en/us/td/docs/cloud-systems-management/network-automation-and-management/dna-center/hardening_guide/b_dnac_security_best_practices_guide.html#d54e1532a1635

 

I have made a PEM file with "Signed Cisco DNA Center certificate + subordinate CA + RootCA" in it. I can load the cert in correctly, but if I query the API for cert validation: https://dnac.xxxx.se/api/v1/certificate/validate

Response from API: "[SAN check failed, Certificate not signed by trusted CA]"

 

Can I import the RootCA cert in some way to get DNAC to trust my internal RootCA?

dnac_cert_hidden.png

 

Everyone's tags (2)
6 REPLIES 6
Cisco Employee

Re: DNAC Certificate - Authority "Self Signed"

Can you please open a TAC case for this so they can investigate?  If DNA Center indicated that your certificate was uploaded correctly, then it doesn't make sense that it isn't reflected by the system later on.

Beginner

Re: DNAC Certificate - Authority "Self Signed"

Hi! I opened a case via DNA Solution Support and got the response from them that it is a bug and also that there is no ETA on a fix: "There is indeed a bug id but hasn’t been yet released. There is no ETA for this fix yet. And yes, you can treat it as a cosmetic issue."

Re: DNAC Certificate - Authority "Self Signed"

I have the exact same issue and I'm not convinced that it is just a cosmetic issue. Have you tried connecting to your DNA Center on CLI and run any maglev commands? 

 

Like: maglev catalog settings display

 

For me this fails with the message: ERROR: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:590)

Cisco Employee

Re: DNAC Certificate - Authority "Self Signed"

Hi Torkel,
Please open a TAC case and see if they can give you a bug id.

Re: DNAC Certificate - Authority "Self Signed"

I found out what the issue was. I ended up reinstalling my DNAC and imported the certificate again. Still got the self-signed issue, but now all the maglev commands from CLI worked so that must have been a different problem.

 

Next I imported my AD Root certificate into the Trustpool and now everything works. I have not seen this step listed in the best practices guide, but for me at least it was needed. I would have thought that as long as you downloaded the whole cert chain it would automatically import the root certificate into the Trustpool, but it seems like it doesn't do that.

 

Anyway; it fixed my issue.

Cisco Employee

Re: DNAC Certificate - Authority "Self Signed"

Hi robo003c,

TAC is supposed to give you a bug id.  I suggest following up with the TAC engineer to ask for that.  If there is no bug id, then it's possible the request gets lost, and you'd end up waiting for nothing.

CreatePlease to create content
Content for Community-Ad
July's Community Spotlight Awards