
Nexus 9000 NX-API

davidclin
Level 1

What is the mechanism to secure the workstation to NXAPI on the Nexus 9000 running in NX-OS mode?

How do you load certificates on the Nexus 9000?

Python_Example(config)# nxapi certificate enable
Nginx certificate invalid.

Thanks

 

 

1 Reply

Andrew Devine
Level 1

Hi,

 

I had this issue also when using our internal PKI and openssl. I believe it is down to the private key being encrypted with a passphrase.

 

You need to have the certificate private key unencrypted.

To remove the private key password, follow this procedure:

1. Copy the private key file into your OpenSSL directory (or you can specify the path in the command line).

2. Run this command using OpenSSL:

openssl rsa -in [file1.key] -out [file2.key]

Enter the passphrase and [file2.key] is now the unprotected private key.

The output file [file2.key] should be unencrypted. To verify this, open the file using a text editor (such as MS Notepad) and view the headers.

Encrypted headers look like this:

-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,

6AC307785DD187EF...
-----END RSA PRIVATE KEY-----


 Unencrypted headers look like this:

 -----BEGIN RSA PRIVATE KEY-----
 6AC307785DD187EF...
 -----END RSA PRIVATE KEY-----

 

I did all of this in bash on the switch (feature bash-shell) so you're keeping the keys on the box.

 

Once you have the unencrypted key and certificate chain, you can then import:

 

       - nxapi certificate httpscrt certfile bootflash:///cert_chain.crt

       - nxapi certificate httpskey keyfile bootflash:///cleartext_key.key

       - nxapi certificate enable

 

Related bug: https://quickview.cloudapps.cisco.com/quickview/bug/CSCva75989

 

Hope this helps.
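
The header check described in the reply above, scripted as an added example (not part of the original post and not Cisco tooling), so a key file can be classified before it is imported. It goes beyond the post by also recognising the PKCS#8 `ENCRYPTED PRIVATE KEY` form; the function names and sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify a PEM private key by its headers before import.
# Output: cleartext | encrypted-legacy | encrypted-pkcs8 | not-a-key
classify_pem_key() {
    f=$1
    [ -r "$f" ] || { echo "not-a-key"; return 2; }
    # PKCS#8 encrypted keys say so in the BEGIN line itself.
    if grep -q -e '-----BEGIN ENCRYPTED PRIVATE KEY-----' "$f"; then
        echo "encrypted-pkcs8"; return 1
    fi
    # Traditional and unencrypted PKCS#8 keys share this BEGIN pattern; the
    # traditional form marks encryption with a Proc-Type header (as in the post).
    if grep -Eq -e '-----BEGIN ((RSA|EC) )?PRIVATE KEY-----' "$f"; then
        if grep -Eq -e '^[[:space:]]*Proc-Type:[[:space:]]*4,ENCRYPTED' "$f"; then
            echo "encrypted-legacy"; return 1
        fi
        echo "cleartext"; return 0
    fi
    echo "not-a-key"; return 2
}

# Constructed samples: header lines only, placeholder bodies, no real key material.
write_samples() {
    d=$1
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
        'DEK-Info: DES-EDE3-CBC,0000000000000000' '' 'AAAA' \
        '-----END RSA PRIVATE KEY-----' > "$d/legacy_enc.key"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'AAAA' \
        '-----END RSA PRIVATE KEY-----' > "$d/clear.key"
    printf '%s\n' '-----BEGIN ENCRYPTED PRIVATE KEY-----' 'AAAA' \
        '-----END ENCRYPTED PRIVATE KEY-----' > "$d/pkcs8_enc.key"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'AAAA' \
        '-----END CERTIFICATE-----' > "$d/cert_chain.crt"
}

# Run the classifier over the constructed samples and print one line per file.
demo() {
    tmp=$(mktemp -d) || return 1
    write_samples "$tmp"
    for k in "$tmp"/*; do
        r=$(classify_pem_key "$k") || true
        echo "$(basename "$k"): $r"
    done
    rm -rf "$tmp"
}
demo
```

The function exits 0 only for a cleartext key, so it can gate the import step in a script.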

 
