After migrating my network equipment to Cisco DNAC, I changed the server certificate. After that, I can no longer initiate IOS updates with DNAC.
Failed to submit schedule - Creating a task schedule failed: Failed to validate "Create Distribute Task" scheduled to run at May 20, 2019 10:30 PM CEST: javax.net.ssl.SSLPeerUnverifiedException: Host name '10.xxx.xxx.xxx' does not match the certificate subject provided by the peer (C=US, ST=CA, O=Test, OU=Test, CN=dna.test.intra)
How can I replace the PKI Trustpoint on the switches? Is there any chance to push it via the DNAC without discovering the whole campus again?
Thank you for your support. That's the way we'll do it.
For anyone who needs this template in the future, here's my syntax:
! the trustpoint must exist with terminal enrollment before the CA certificate can be pasted in
crypto pki trustpoint DNAC-CA
 enrollment terminal
crypto pki authenticate DNAC-CA
... Insert the certificate ...
You can extract the server certificate directly from the browser.
If you want to extract the certificate from the switch, you can connect via the CLI, cut out the part after certificate ca 00xxxxxxxxxxxx96, and save it on a system where OpenSSL is installed (e.g. DNAC) as the file switch.hex.
This certificate can now be converted into the PEM format.
cat switch.hex | tr -d ' ' | xxd -r -p -c 32 | openssl x509 -inform der -out switch.pem
In switch.pem the certificate information is then in PEM format.
This can also be read out via OpenSSL:
openssl x509 -in switch.pem -text -noout
Alternatively, you can give the file the extension .cer and copy it to a Windows computer. There the file can be opened with the Windows crypto shell extension.
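As an added illustration (not part of the original thread), here is the same hex-to-PEM conversion done in Python instead of the tr/xxd/openssl pipeline, with a check for the failure mode a cut-and-paste from the terminal tends to produce: a truncated block whose DER length no longer matches. The config text below is constructed, and its payload is a minimal DER SEQUENCE rather than a real certificate.

```python
import re
import ssl

# Constructed sample in the shape IOS prints in 'show running-config':
# hex octets in 8-character groups, four groups per line, closed by 'quit'.
# The payload is a tiny DER SEQUENCE (24 bytes), not a real X.509 certificate.
SAMPLE_CONFIG = """\
crypto pki certificate chain DNAC-CA
 certificate ca 00AABBCCDDEEFF96
  30160201 05020112 04030A0B 0C130941
  42434445 46474849
  \tquit
"""


def extract_cert_hex(config_text: str, label: str = "certificate ca") -> str:
    """Return the hex digits between the '<label> <serial>' line and 'quit'."""
    pattern = (rf"^[ \t]*{re.escape(label)}[ \t]+[0-9A-Fa-f]+[ \t]*\n"
               rf"(.*?)^[ \t]*quit[ \t]*$")
    m = re.search(pattern, config_text, re.S | re.M)
    if not m:
        raise ValueError(f"no '{label}' block found")
    hex_text = re.sub(r"\s+", "", m.group(1))  # same effect as: tr -d ' '
    if not re.fullmatch(r"[0-9A-Fa-f]*", hex_text) or len(hex_text) % 2:
        raise ValueError("block contains non-hex characters or an odd digit count")
    return hex_text


def der_length_ok(der: bytes) -> bool:
    """A certificate is a DER SEQUENCE (0x30); its declared length must match the
    number of bytes actually pasted, which catches a cut-off copy from the terminal."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                      # short-form length
        declared, header = first, 2
    else:                                 # long-form length: 0x8N + N length bytes
        n = first & 0x7F
        declared, header = int.from_bytes(der[2:2 + n], "big"), 2 + n
    return len(der) == header + declared


def ios_cert_to_pem(config_text: str) -> str:
    """Equivalent of: tr -d ' ' | xxd -r -p | openssl x509 -inform der (PEM out)."""
    der = bytes.fromhex(extract_cert_hex(config_text))
    if not der_length_ok(der):
        raise ValueError("DER length mismatch: certificate block is truncated or damaged")
    return ssl.DER_cert_to_PEM_cert(der)  # base64 with BEGIN/END CERTIFICATE lines


if __name__ == "__main__":
    print(ios_cert_to_pem(SAMPLE_CONFIG))
```

The resulting PEM can be inspected with openssl x509 -in switch.pem -text -noout exactly as above; the length check only tells you the paste is complete, not that the certificate is trustworthy.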