DNAC Certificate Exchange causes Switch DNAC to fail to validate the certificate

Johannes_Grimm
Level 1

Hello everybody,

After migrating my network equipment to Cisco DNAC I've changed the server certificate. After that, I can no longer initiate IOS updates with DNAC.

Error Message:

Failed to submit schedule - Creating a task schedule failed: Failed to validate "Create Distribute Task" scheduled to run at May 20, 2019 10:30 PM CEST: javax.net.ssl.SSLPeerUnverifiedException: Host name '10.xxx.xxx.xxx' does not match the certificate subject provided by the peer (C=US, ST=CA, O=Test, OU=Test, CN=dna.test.intra)

How can I replace the PKI Trustpoint on the switches? Is there any chance to push it via the DNAC without discovering the whole campus again?

Best regards,

Johannes
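The exception above is a hostname-verification failure, not a trust failure: the client reached DNAC by its IP address, but the certificate only names dna.test.intra. The following is an added example (not code from this thread, from Cisco, or from DNAC) that emulates the matching rules hostname verifiers apply, in the dict layout Python's ssl.getpeercert() uses. It assumes, based only on the subject quoted in the error, that the original certificate carried no subjectAltName, and it uses 10.0.0.10 as a constructed placeholder for the DNAC address. It shows why an IP literal can never be satisfied by a CN, and that a certificate reissued with both the FQDN and the IP in its SAN (or addressing DNAC by its FQDN) is what makes the check pass.

```python
import ipaddress

# Constructed certificate data in the dict shape Python's ssl.getpeercert()
# returns. ORIGINAL_CERT mirrors the subject quoted in the error above and
# assumes (assumption, based only on the message) that the certificate
# carried no subjectAltName. 10.0.0.10 is a placeholder for the DNAC address.
ORIGINAL_CERT = {
    "subject": (
        (("countryName", "US"),),
        (("stateOrProvinceName", "CA"),),
        (("organizationName", "Test"),),
        (("organizationalUnitName", "Test"),),
        (("commonName", "dna.test.intra"),),
    ),
}

# The same subject reissued with a SAN listing both the FQDN and the IP the
# switches actually connect to (constructed example).
REISSUED_CERT = dict(
    ORIGINAL_CERT,
    subjectAltName=(("DNS", "dna.test.intra"), ("IP Address", "10.0.0.10")),
)


def _subject_cn(cert):
    """Return the subject commonName, or None if there is none."""
    for rdn in cert.get("subject", ()):
        for attr, value in rdn:
            if attr == "commonName":
                return value
    return None


def _dns_pattern_matches(pattern, host):
    """Case-insensitive dNSName match; '*.' may stand for exactly one leading label."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if pattern.startswith("*."):
        label, _, rest = host.partition(".")
        return bool(label) and rest == pattern[2:]
    return pattern == host


def _parse_ip(text):
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None


def host_matches_cert(host, cert):
    """Return (matched, reason) for a connection to `host` presented with `cert`."""
    san = cert.get("subjectAltName", ())
    dns_names = [v for k, v in san if k == "DNS"]
    ip_names = [v for k, v in san if k == "IP Address"]

    ip = _parse_ip(host)
    if ip is not None:
        # An IP literal is compared only with iPAddress SAN entries; the CN never
        # counts, which is why 10.x.x.x fails against CN=dna.test.intra.
        if any(_parse_ip(entry) == ip for entry in ip_names):
            return True, f"{host} is listed as a SAN iPAddress"
        return False, f"{host} is not a SAN iPAddress entry (found: {ip_names or 'none'})"

    if dns_names:
        # Once a SAN is present the CN is ignored even if it would match.
        for pattern in dns_names:
            if _dns_pattern_matches(pattern, host):
                return True, f"{host} matches SAN dNSName {pattern}"
        return False, f"{host} matches none of the SAN dNSName entries {dns_names}"

    cn = _subject_cn(cert)
    if cn is not None and _dns_pattern_matches(cn, host):
        return True, f"{host} matches subject CN {cn} (legacy fallback, no SAN present)"
    return False, f"{host} does not match subject CN {cn!r} and the certificate has no SAN"


if __name__ == "__main__":
    for host in ("10.0.0.10", "dna.test.intra"):
        for name, cert in (("original", ORIGINAL_CERT), ("reissued", REISSUED_CERT)):
            ok, why = host_matches_cert(host, cert)
            print(f"{name:8} {host:15} {'OK  ' if ok else 'FAIL'} {why}")
```

The practical consequence: a server certificate for a management platform should carry every name the managed devices use to reach it, including the IP address if devices are configured by address, or the devices should be pointed at the FQDN.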

1 Accepted Solution

Mike.Cifelli
VIP Alumni
You should be able to use Template Editor to push the configs to your NADs. This will save you the time of discovering everything again. Just make sure that you set up your template to save & commit. Then re-provision your NADs and ensure that you check to apply your template so the configs are updated. HTH!


4 Replies

Hi Mike,

Thank you for your support. That's the way we'll do it.

For anyone who needs this template in the future, here's my syntax:

<MLTCMD>
crypto pki authenticate DNAC-CA
-----BEGIN CERTIFICATE-----
... Insert the certificate ...
-----END CERTIFICATE-----
quit
yes
</MLTCMD>

Hi, 

Do you know how we can extract the default certificate from DNA Centre? Where is it stored?

Hi sherazmalik,

You can extract the server certificate directly from the browser.

If you want to extract the certificate from the switch, you can connect via CLI, cut out the part after "certificate ca 00xxxxxxxxxxxx96" and save it on a system where OpenSSL is installed (e.g. DNAC) as the file switch.hex.

This certificate can now be converted into the PEM format:

cat switch.hex | tr -d ' ' | xxd -r -p -c 32 | openssl x509 -inform der -out switch.pem

In switch.pem the certificate information is then in PEM format.

This can also be read out via OpenSSL:

openssl x509 -in switch.pem -text -noout

Alternatively, you can rename the file to the extension .cer and drag it to a Windows computer. There the file can be opened with the Windows Crypto Shell Extensions.
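The tr / xxd / openssl pipeline above does the conversion in one line, and openssl rejects anything that is not a parseable certificate. The following is an added example (not from this thread, from Cisco, or from DNAC) that performs the same extraction in Python on a pasted "show running-config" block: it locates the "certificate ca <serial>" block, strips the whitespace from the hex lines, and wraps the DER bytes as PEM, with one extra check the pipeline does not spell out: the outer DER SEQUENCE length must agree with the number of bytes actually collected, so a copy cut short by terminal scrollback is rejected instead of being pushed to switches as a trust anchor. The hex in the sample is a constructed 12-byte DER structure, not a real certificate, and the serial number is a placeholder; unlike openssl this code does not parse the certificate itself.

```python
import base64
import re

# Constructed sample of what "show running-config" prints for a trustpoint's
# CA certificate. The hex is NOT a real certificate: it is a 12-byte DER
# SEQUENCE { INTEGER 5, OCTET STRING "hello" } so the example runs offline.
# The serial number is a placeholder.
SAMPLE_CONFIG = """\
crypto pki certificate chain DNAC-CA
 certificate ca 00AABBCCDDEEFF96
  300A0201 05040568 656C6C6F
  \tquit
!
"""

# The same block with the end of its hex lost, as happens when a terminal
# paste is cut short (constructed).
TRUNCATED_CONFIG = """\
crypto pki certificate chain DNAC-CA
 certificate ca 00AABBCCDDEEFF96
  300A0201 050405
  \tquit
"""

_CERT_START = re.compile(r"^\s*certificate\s+(?:ca\s+)?([0-9A-Fa-f]+)\s*$")
_HEX_LINE = re.compile(r"^[0-9A-Fa-f]+(?:\s+[0-9A-Fa-f]+)*$")


def extract_cert_hex(config_text):
    """Collect the hex between the first 'certificate [ca] <serial>' line and 'quit'."""
    lines = iter(config_text.splitlines())
    for line in lines:
        if _CERT_START.match(line):
            break
    else:
        raise ValueError("no 'certificate' block found")
    chunks = []
    for line in lines:
        body = line.strip()
        if body == "quit":
            return "".join(chunks)
        if not _HEX_LINE.match(body):
            raise ValueError(f"unexpected line inside certificate block: {line!r}")
        chunks.append(re.sub(r"\s+", "", body))      # same effect as tr -d ' '
    raise ValueError("certificate block not terminated by 'quit'")


def der_length_ok(der):
    """True if the outer DER SEQUENCE header says the buffer is exactly this long."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                       # short form: one length byte
        return len(der) == 2 + first
    n = first & 0x7F                       # long form: n length bytes follow
    if n == 0 or len(der) < 2 + n:
        return False
    content_len = int.from_bytes(der[2:2 + n], "big")
    return len(der) == 2 + n + content_len


def der_to_pem(der):
    """Wrap DER bytes as a PEM CERTIFICATE block with 64-column base64 lines."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join(["-----BEGIN CERTIFICATE-----", *lines, "-----END CERTIFICATE-----"]) + "\n"


def ios_cert_to_pem(config_text):
    """Equivalent of the tr/xxd/openssl pipeline, with an outer-length sanity check."""
    der = bytes.fromhex(extract_cert_hex(config_text))
    if not der_length_ok(der):
        raise ValueError(f"DER length mismatch: got {len(der)} bytes; the copy is probably incomplete")
    return der_to_pem(der)


if __name__ == "__main__":
    print(ios_cert_to_pem(SAMPLE_CONFIG), end="")
    try:
        ios_cert_to_pem(TRUNCATED_CONFIG)
    except ValueError as exc:
        print("truncated sample rejected:", exc)
```

Feed the resulting PEM to "openssl x509 -in switch.pem -text -noout" as above to confirm the subject, serial and fingerprint match the certificate DNAC actually presents before it is authenticated on any device.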
