
Adding an internal Proxy CA certificate to Prime

Scott Gillies
Level 1

Hi

 

I need to configure an internal Proxy to allow direct access to Cisco to download Prime updates and appliance software Images.

 

To do this I need to import the CA Certificate that is used to sign the certificate presented by our internal Proxy.

 

How do I import the CA Certificate and to which store should the CA Cert be added?

 

Thanks in advance.

2 Replies

marce1000
VIP

 

 Ref : https://www.cisco.com/c/en/us/td/docs/net_mgmt/prime/infrastructure/3-4/admin/guide/bk_CiscoPrimeInfastructure_3_4_AdminGuide/bk_CiscoPrimeInfastructure_3_4_AdminGuide_chapter_011.html#task_1171135

 I don't think Prime supports this functionality; check out the menu-options in the link referenced and verify what is possible.

 M.



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always respond to me with ' The only thing that exceeds your brilliance is your beauty! '

Hi

I have configured the Proxy on Prime and the 'Test Connectivity' is successful.

Capture.PNG

 

But when I try the 'download' option under Administration > Software Updates and enter my CCO credentials I get the following error

image.png

 

My firewall/proxy support has captured the issue and has told me it is a certificate issue - the Proxy certificate is not trusted by Prime. So we believe that it is because the Proxy's signing root CA cert is not installed in the correct Prime certificate store.

There are 4 possible stores:

<hostname>/admin# ncs certvalidation trusted-ca listcacerts truststore ?
   devicemgmt Trust store used for validating cert from managed devices
   pubnet     Trust store used for validating cert from public internet
   system     Trust store used for validating cert from other peer systems
   user       Trust store used for validating cert for user login

 

I am assuming that the CA cert should go in either system or pubnet but either requires a reboot.
Should I just import to both?
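
An added example, not part of the original thread and not Cisco's code: before a CA file is imported into any of the trust stores listed above, it can be checked offline that the file really is a CA certificate and that it is the one that signed the certificate the proxy presents. The file names, subjects and the helper functions are assumptions, and the sample certificates are constructed on the fly with openssl; in practice proxy.pem would be the proxy certificate captured by the firewall/proxy team.

```shell
#!/bin/sh
# Added example: sanity checks on a CA file before import (all names are constructed).

# Succeeds only if the certificate in $1 carries basicConstraints CA:TRUE.
is_ca_cert() {
    openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

# Succeeds only if the certificate in $2 verifies against the CA in $1
# (-no-CApath keeps the system default CA directory out of the decision).
ca_signs_cert() {
    openssl verify -no-CApath -CAfile "$1" "$2" >/dev/null 2>&1
}

# Builds constructed sample data in directory $1: proxy-ca.pem, other-ca.pem
# and proxy.pem (signed by proxy-ca), standing in for the real files.
make_sample() {
    cat > "$1/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
    for ca in proxy-ca other-ca; do
        openssl req -x509 -config "$1/ca.cnf" -subj "/CN=constructed $ca" \
            -newkey rsa:2048 -nodes -days 2 \
            -keyout "$1/$ca.key" -out "$1/$ca.pem" 2>/dev/null || return 1
    done
    openssl req -new -config "$1/ca.cnf" -subj "/CN=proxy.example.internal" \
        -newkey rsa:2048 -nodes -keyout "$1/proxy.key" -out "$1/proxy.csr" \
        2>/dev/null || return 1
    openssl x509 -req -in "$1/proxy.csr" -CA "$1/proxy-ca.pem" \
        -CAkey "$1/proxy-ca.key" -set_serial 1 -days 2 \
        -out "$1/proxy.pem" 2>/dev/null
}

# Reports whether CA file $1 is the right one for proxy certificate $2.
check_candidate() {
    is_ca_cert "$1" || { echo "not a CA certificate"; return 0; }
    ca_signs_cert "$1" "$2" || { echo "does not sign the proxy certificate"; return 0; }
    echo "ok"
}

d=$(mktemp -d) && make_sample "$d" && check_candidate "$d/proxy-ca.pem" "$d/proxy.pem"
rm -rf "$d"
```

A result other than "ok" means that importing that file would not resolve the trust error, whichever store it is added to.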