New cert installation in DNA Center

I have been struggling for the past few days with installing a new CA-signed certificate onto my DNA Center server. First I tried using the API method, but it failed. Even though I had a 2-year cert, the API method was saying it was less than a 2-year cert. I went to the OpenSSL method, following the steps in the Cisco Digital Network Architecture Center Security Best Practices Guide.

 

Everything went well until I received my certificate from Thawte, and started on this step

Step 7

Download the certificate (full chain) with DER format and name it dnac-chain.p7b.

Step 8

Copy dnac-chain.p7b that you downloaded in the preceding step to the Cisco DNA Center cluster through SSH.

Step 9

Enter the following command:

openssl pkcs7 -in dnac-chain.p7b -inform DER -out dnac-chain.pem -print_certs

 

I already received a .p7b from Thawte, but when I run the command in Step 9, I get the following:

$ openssl pkcs7 -in dnac-chain.p7b -inform DER -out dnac-chain.pem -print_certs
unable to load PKCS7 object
140373772969624:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:tasn_dec.c:1217:
140373772969624:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:tasn_dec.c:386:Type=PKCS7

 

Any thoughts before I open a case with TAC?

 

 

Accepted Solutions
Cisco Employee

CA-signed certificates have to be signed by the same CA. I have a couple of pieces of information to do this step correctly. Please check this link for the OpenSSL and API methods for adding certificates: www.cisco.com/c/en/us/td/docs/cloud-systems-management/network-automation-and-management/dna-center/hardening_guide/b_dnac_security_best_practices_guide.html#d54e1214a1635

If you are getting an error with the .p7b file, please follow the steps in this link:

support.citrix.com/article/CTX124429/

Let me know if any issue arises; we can discuss further on Webex.

Thank you Farhan.

I had opened a case with Cisco TAC, and we were able to resolve the issue. Thank you for your response on this.
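
Added example, not part of the original thread or of Cisco's guide: reading a PEM-encoded .p7b with `-inform DER` is one well-known way to get the `ASN1_CHECK_TLEN:wrong tag` error shown above, so this script checks how the bundle is encoded before running the Step 9 conversion. The thread does not say what the cause was in this case; the function names `p7b_encoding` and `p7b_to_pem` are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread or the Cisco guide).
# Function names are hypothetical; dnac-chain.p7b and dnac-chain.pem
# are the file names used in Steps 7-9 of the quoted procedure.

# Print PEM, DER or UNKNOWN for the PKCS#7 bundle given as $1.
p7b_encoding() {
    [ -r "$1" ] || { echo UNKNOWN; return 1; }
    if LC_ALL=C grep -q '^-----BEGIN ' "$1"; then
        # Text armor such as "-----BEGIN PKCS7-----" means PEM (base64).
        echo PEM
    elif [ "$(od -An -tx1 -N1 "$1" | tr -d ' \n')" = "30" ]; then
        # Binary DER starts with an ASN.1 SEQUENCE tag, byte 0x30.
        echo DER
    else
        echo UNKNOWN
        return 1
    fi
}

# Convert the bundle to a PEM certificate chain, passing openssl the
# encoding that was detected instead of assuming DER.
p7b_to_pem() {
    in=$1
    out=$2
    enc=$(p7b_encoding "$in") || {
        echo "$in: neither PEM nor DER PKCS#7" >&2
        return 1
    }
    openssl pkcs7 -in "$in" -inform "$enc" -out "$out" -print_certs || return 1
    # Sanity check: a full chain should yield at least one certificate.
    n=$(grep -c '^-----BEGIN CERTIFICATE-----' "$out" || true)
    [ "$n" -ge 1 ] || { echo "$out: no certificates extracted" >&2; return 1; }
    echo "$enc input, $n certificate(s) written to $out"
}

# Usage: p7b_to_pem dnac-chain.p7b dnac-chain.pem
```
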

 

 

 
