Cisco Community
English
Register
Welcome Cisco Designated VIP 2021 Class in the 10th Year Anniversary of the Program -- CHECK THE LIST
Register
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC!

Register for the monthly Cisco DNA Center Ask the Expert Sessions to learn about Cisco DNA Center configuration and deployment.
4814
Views
5
Helpful
2
Replies
Highlighted
Tim_J_RC
Beginner
Beginner
‎04-30-2019 09:05 AM
‎04-30-2019 09:05 AM

New cert installation in DNA Center

I have been struggling the past few days with installing a new CA signed certificate onto my DNA Center server.   First I tried using the API method, but it failed.   Even though I had a 2 year cert, the API method was saying it was less than a 2 year cert.  I went to the OpenSSL method following the steps in the Cisco Digital Network Architecture Center Security Best Practices Guide.

 

Everything went well until I received my certificate from Thawte, and started on this step

Step 7

Download the certificate (full chain) with DER format and name it dnac-chain.p7b.

Step 8

Copy dnac-chain.p7b that you downloaded in the preceding step to the Cisco DNA Center cluster through SSH.

Step 9

Enter the following command:

openssl pkcs7 -in dnac-chain.p7b -inform DER -out dnac-chain.pem -print_certs

 

I already receive a .p7b from Thawte, but when I run the command in Step 9, I get the following

$ openssl pkcs7 -in dnac-chain.p7b -inform DER -out dnac-chain.pem -print_certs
unable to load PKCS7 object
140373772969624:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:tasn_dec.c:1217:
140373772969624:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:tasn_dec.c:386:Type=PKCS7

 

Any thoughts before I open a case with TAC?

 

 

Labels:
1 person had this problem
0 Helpful
Reply
2 ACCEPTED SOLUTIONS

Accepted Solutions
Highlighted
Farhan Mohamed
Cisco Employee
Cisco Employee
‎05-22-2019 02:03 PM
‎05-22-2019 02:03 PM

CA Signed certificates has to be signed from same CA, I have couple of information to do this step correctly, Please check this link for Open SSL and API method for adding certificates: www.cisco.com/c/en/us/td/docs/cloud-systems-management/network-automation-and-management/dna-center/hardening_guide/b_dnac_security_best_practices_guide.html#d54e1214a1635

If you are getting some error in .p7b error, Please follow the steps in this link:-

support.citrix.com/article/CTX124429/

Let me know if any issue arises, we can have more discussion on webex.

View solution in original post

Reply
Highlighted
Tim_J_RC
Beginner
Beginner
In response to Farhan Mohamed
‎05-28-2019 07:21 AM
‎05-28-2019 07:21 AM

Thank you Farhan. 

     I had opened a case with Cisco TAC, and we were able to resolve the issue.   Thank you for your response on this.

 

 

 

View solution in original post

0 Helpful
Reply
2 REPLIES 2
Highlighted
Farhan Mohamed
Cisco Employee
Cisco Employee
‎05-22-2019 02:03 PM
‎05-22-2019 02:03 PM

CA Signed certificates has to be signed from same CA, I have couple of information to do this step correctly, Please check this link for Open SSL and API method for adding certificates: www.cisco.com/c/en/us/td/docs/cloud-systems-management/network-automation-and-management/dna-center/hardening_guide/b_dnac_security_best_practices_guide.html#d54e1214a1635

If you are getting some error in .p7b error, Please follow the steps in this link:-

support.citrix.com/article/CTX124429/

Let me know if any issue arises, we can have more discussion on webex.

View solution in original post

Reply
Highlighted
Tim_J_RC
Beginner
Beginner
In response to Farhan Mohamed
‎05-28-2019 07:21 AM
‎05-28-2019 07:21 AM

Thank you Farhan. 

     I had opened a case with Cisco TAC, and we were able to resolve the issue.   Thank you for your response on this.

 

 

 

View solution in original post

0 Helpful
Reply
Latest Contents
A Quick Look at Cisco Catalyst PON Series
Created by szeya on 01-26-2021 02:20 PM
0
0
0
0
What is PON ? A Passive Optical Network (PON) is a point-to-multipoint architecture which use a single strand of single mode fiber to deliver voice, video, data to several users (or devices). PON network uses passive splitters in the optical distribution ... view more
MACsec History & Termonology
Created by Timothy Glen on 01-26-2021 01:00 PM
0
0
0
0
This will be the first in a series of documents I write on MACsec. Some of the other topics I’ll be writing are: As the configuration will become increasingly complex, I suggest you read them in order.   Configuring MACsec Switch to Switch with Pre-... view more
#CiscoChat Live - 5 Key Networking Trends to successfully na...
Created by Kelli Glass on 01-26-2021 11:41 AM
0
5
0
5
Join us live on Thursday, January 28 at 10 am PT (and on demand after) as we dive into the 5 key networking trends for workforce, workplace, workload and operations resilience. We will highlight findings of the 2021 Global Networking Trends Report an... view more
#CiscoChat Live - 5 Key Networking Trends to successfully na...
Created by Kelli Glass on 01-26-2021 11:39 AM
0
0
0
0
Join us live on Thursday, January 28 at 10 am PT (and on demand after) as we dive into the 5 key networking trends for workforce, workplace, workload and operations resilience. We will highlight findings of the 2021 Global Networking Trends Report an... view more
Logicalis UK creatively increases SD-WAN service deployment ...
Created by jjoyal on 01-22-2021 12:17 PM
0
0
0
0
  In the last year, we’ve seen substantial changes in how enterprises conduct business. When the pandemic hit, it exposed gaps in business continuity plans, and it showcased the need to quickly deploy and remotely manage secure connections. ngena pr... view more
Content for Community-Ad
Ask the Experts
Follow our Social Media Channels