963 Views, 10 Helpful, 4 Replies
Beginner

DNAC Certificate Exchange causes Switch DNAC to fail to validate the certificate

Hello everybody,

 

After migrating my network equipment to Cisco DNAC, I changed the server certificate. Since then, I can no longer initiate IOS updates with DNAC.

 

Error Message:

Failed to submit schedule - Creating a task schedule failed: Failed to validate "Create Distribute Task" scheduled to run at May 20, 2019 10:30 PM CEST: javax.net.ssl.SSLPeerUnverifiedException: Host name '10.xxx.xxx.xxx' does not match the certificate subject provided by the peer (C=US, ST=CA, O=Test, OU=Test, CN=dna.test.intra)

 

How can I replace the PKI Trustpoint on the switches? Is there any chance to push it via the DNAC without discovering the whole campus again?

 

Best regards,

Johannes

1 ACCEPTED SOLUTION
VIP Engager

You should be able to use Template Editor to push the configs to your NADs. This will save you the time of discovering everything again. Just make sure that you set up your template to save & commit. Then re-provision your NADs and ensure that you check to apply your template so the configs are updated. HTH!


4 REPLIES


Hi Mike,

 

Thank you for your support. That's the way we'll do it.

 

For anyone who needs this template in the future, here's my syntax:

 

<MLTCMD>
crypto pki authenticate DNAC-CA
-----BEGIN CERTIFICATE-----
... Insert the certificate ...
-----END CERTIFICATE-----
quit
yes
</MLTCMD>


Hi, 

Do you know how we can extract the default certificate from DNA Centre? Where is it stored?


Hi sherazmalik,

 

You can extract the server certificate directly from the browser.

 

If you want to extract the certificate from the switch, you can connect via CLI, cut out the part after "certificate ca 00xxxxxxxxxxxx96", and save it on a system where OpenSSL is installed (e.g. DNAC) as the file switch.hex.


This certificate can now be converted into the PEM format.

 

cat switch.hex | tr -d ' ' | xxd -r -p -c 32 | openssl x509 -inform der -out switch.pem

In switch.pem the certificate information is then in PEM format.

 

This can also be read out via OpenSSL:

 

openssl x509 -in switch.pem -text -noout

Alternatively, you can rename the file to the extension .cer and drag it to a Windows computer. Here the file can then be opened with the Windows crypto-shell extension.
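As an added worked example (not code from this thread or from Cisco), the following Python script does with the standard library what the shell commands above do: it pulls the hex certificate block out of saved running-config text, converts it to DER and then PEM, and then models the name check behind the original "Host name ... does not match the certificate subject" error, so you can tell in advance whether a certificate will verify against the address the switches use. The config text, the serial and the tiny hex payload are constructed placeholders (a real block is hundreds of hex groups), and name_matches is a simplified model of a standard TLS client's check, not DNAC's own implementation.

```python
"""Added example: IOS running-config certificate block -> DER -> PEM, plus a
model of the TLS peer-name check.  All sample data below is constructed."""
import binascii
import ipaddress
import ssl

# Constructed stand-in for the relevant lines of "show running-config".
# The payload is a tiny DER SEQUENCE, not a real certificate, so that the
# parsing and conversion steps can be exercised offline.
SAMPLE_CONFIG = """\
crypto pki trustpoint DNAC-CA
 enrollment terminal
 revocation-check none
crypto pki certificate chain DNAC-CA
 certificate ca 00AABBCCDDEEFF96
  30060201 01020102
  quit
"""


def extract_ios_certificates(config_text):
    """Return {serial: DER bytes} for every 'certificate [ca] <serial>' block.

    IOS prints the DER encoding as space-separated hex groups between the
    'certificate' line and the closing 'quit' line; whitespace is dropped
    exactly as the tr/xxd pipeline does.
    """
    certs = {}
    serial = None
    hex_chunks = []
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("certificate "):
            serial = line.split()[-1]   # last token for 'certificate ca X' and 'certificate X'
            hex_chunks = []
        elif line == "quit" and serial is not None:
            certs[serial] = binascii.unhexlify("".join(hex_chunks))
            serial = None
        elif serial is not None and line:
            hex_chunks.append(line.replace(" ", ""))
    return certs


def der_to_pem(der_bytes):
    """Equivalent of 'openssl x509 -inform der -out switch.pem'."""
    return ssl.DER_cert_to_PEM_cert(der_bytes)


def pem_to_der(pem_text):
    """Reverse conversion, handy for round-trip checks."""
    return ssl.PEM_cert_to_DER_cert(pem_text)


def _dns_match(host, pattern):
    """RFC 6125 style match: a single wildcard, only in the leftmost label."""
    host, pattern = host.lower().rstrip("."), pattern.lower().rstrip(".")
    if pattern.startswith("*."):
        h_labels, p_labels = host.split("."), pattern.split(".")
        return len(h_labels) == len(p_labels) and h_labels[1:] == p_labels[1:]
    return host == pattern


def name_matches(host, subject_cn, subject_alt_names):
    """Simplified model of the peer-name check a TLS client applies.

    host              -- what the client connected to (DNS name or IP literal)
    subject_cn        -- CN from the certificate subject
    subject_alt_names -- list of ("DNS", name) / ("IP", address) tuples

    With a SAN extension present only the SANs count, and an IP literal can
    only be satisfied by an IP entry; the CN is consulted solely when the
    certificate carries no SAN at all.  This is why devices that reach the
    server by IP fail against a certificate issued only for a host name.
    """
    try:
        host_ip = ipaddress.ip_address(host)
    except ValueError:
        host_ip = None

    if subject_alt_names:
        for kind, value in subject_alt_names:
            if host_ip is not None and kind == "IP":
                if ipaddress.ip_address(value) == host_ip:
                    return True
            elif host_ip is None and kind == "DNS" and _dns_match(host, value):
                return True
        return False

    # No SAN: fall back to the CN (deprecated behaviour, still widely implemented).
    if host_ip is not None:
        try:
            return ipaddress.ip_address(subject_cn) == host_ip
        except ValueError:
            return False
    return _dns_match(host, subject_cn)


if __name__ == "__main__":
    for serial, der in extract_ios_certificates(SAMPLE_CONFIG).items():
        print("serial", serial, "->", len(der), "bytes of DER")
        print(der_to_pem(der))
    # The situation from the thread: devices reach the server by IP, the
    # certificate names only a host.  Constructed values, not the poster's.
    print(name_matches("10.0.0.10", "dna.test.intra", []))                     # False
    print(name_matches("10.0.0.10", "dna.test.intra", [("IP", "10.0.0.10")]))  # True
```

Read the subject and SAN of the converted PEM with "openssl x509 -in switch.pem -text -noout" as in the post, then hand those values to name_matches together with the address the switches actually use; if they connect by IP, the certificate needs an IP entry in its SAN for that address, and a matching CN alone is not enough once any SAN is present.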