Tim_J_RC
Beginner

New cert installation in DNA Center

I have been struggling the past few days with installing a new CA-signed certificate onto my DNA Center server. First I tried using the API method, but it failed. Even though I had a 2-year cert, the API method was saying it was less than a 2-year cert. I went to the OpenSSL method, following the steps in the Cisco Digital Network Architecture Center Security Best Practices Guide.

 

Everything went well until I received my certificate from Thawte and started on this step:

Step 7

Download the certificate (full chain) with DER format and name it dnac-chain.p7b.

Step 8

Copy dnac-chain.p7b that you downloaded in the preceding step to the Cisco DNA Center cluster through SSH.

Step 9

Enter the following command:

openssl pkcs7 -in dnac-chain.p7b -inform DER -out dnac-chain.pem -print_certs

 

I already received a .p7b from Thawte, but when I run the command in Step 9, I get the following:

$ openssl pkcs7 -in dnac-chain.p7b -inform DER -out dnac-chain.pem -print_certs
unable to load PKCS7 object
140373772969624:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:tasn_dec.c:1217:
140373772969624:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:tasn_dec.c:386:Type=PKCS7

 

Any thoughts before I open a case with TAC?

 

 

Accepted Solutions
Farhan Mohamed
Cisco Employee

CA-signed certificates have to be signed by the same CA. I have a couple of pieces of information for doing this step correctly. Please check this link for the OpenSSL and API methods for adding certificates: www.cisco.com/c/en/us/td/docs/cloud-systems-management/network-automation-and-management/dna-center/hardening_guide/b_dnac_security_best_practices_guide.html#d54e1214a1635

If you are getting a .p7b error, please follow the steps in this link:

support.citrix.com/article/CTX124429/

Let me know if any issue arises; we can discuss further on Webex.


Thank you, Farhan.

I had opened a case with Cisco TAC, and we were able to resolve the issue. Thank you for your response on this.
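An added example, not from this thread or the Cisco guide: the `ASN1_CHECK_TLEN:wrong tag` error in Step 9 is what OpenSSL reports when `-inform DER` is given a file whose first byte is not the ASN.1 SEQUENCE tag, which is the case for a PEM-armored .p7b. The thread does not say how TAC resolved the case, so a PEM-encoded file is an assumption here; `p7b_encoding` and `p7b_to_pem` are hypothetical helper names.

```shell
#!/bin/sh
# Added example. p7b_encoding and p7b_to_pem are hypothetical helper names.

# Print how a certificate bundle is encoded: PEM-PKCS7, PEM-CERTS, DER or UNKNOWN.
p7b_encoding() {
    [ -r "$1" ] || { echo UNKNOWN; return 1; }
    # PEM is base64 text between BEGIN/END armor lines (-e: the pattern starts with '-').
    if grep -q -e '-----BEGIN PKCS7-----' "$1"; then
        echo PEM-PKCS7
    elif grep -q -e '-----BEGIN CERTIFICATE-----' "$1"; then
        echo PEM-CERTS
    else
        # DER is raw ASN.1: a PKCS#7 object starts with the SEQUENCE tag, byte 0x30.
        first=$(od -An -tx1 -N1 "$1" | tr -d ' \n')
        if [ "$first" = 30 ]; then
            echo DER
        else
            echo UNKNOWN
            return 1
        fi
    fi
}

# Run the Step 9 conversion with the -inform value that matches the file.
p7b_to_pem() {
    src=$1
    dst=$2
    case $(p7b_encoding "$src") in
        PEM-PKCS7) openssl pkcs7 -in "$src" -inform PEM -out "$dst" -print_certs ;;
        DER)       openssl pkcs7 -in "$src" -inform DER -out "$dst" -print_certs ;;
        PEM-CERTS) cp "$src" "$dst" ;;  # already a PEM chain, nothing to unwrap
        *)         echo "unrecognized encoding: $src" >&2; return 1 ;;
    esac
}

# Usage: sh p7b_to_pem.sh dnac-chain.p7b dnac-chain.pem
if [ "$#" -eq 2 ]; then
    p7b_to_pem "$1" "$2"
fi
```

After conversion, `openssl x509 -in dnac-chain.pem -noout -subject -issuer -dates` shows the first certificate in the output, which is a quick check that the chain and validity period are the ones expected.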

 

 

 
