10-03-2016 06:49 AM
Hi, I have 22 Nexus 9Ks that I've just upgraded to 7.0(3)I4 so I can use the REST API.
I'm using vRealize Orchestrator for automation, and I can't access the REST API on the Nexus using Orchestrator as the certificates have all expired.
I can't find very much info about this for the 9K, except if the 9Ks are in ACI mode, in which case I think TAC are the only people that can generate a certificate.
Does anyone know any other way around this? Otherwise I'll have to raise a TAC case to get 22 certs generated :-/
Cheers, Dom
10-17-2016 09:52 PM
I am not familiar with the technology you are trying to integrate with, but below is a guide on how to generate a custom SSC (Self-Signed Cert) on a device:
#conf t
#hostname DEVICE01 -NOTE: Must not be changed
#ip domain-name test.local
#crypto key generate rsa general-keys label SSC_KEY modulus 2048
#crypto pki trustpoint SSC_LOCAL
#subject-name CN=DEVICE,DC=test,DC=local
#enrollment selfsigned
#revocation-check crl
#rsakeypair SSC_KEY 2048
#crypto ca enroll SSC_LOCAL -HIDDEN COMMAND: Initiate SSC Creation
% Include the router serial number in the subject name? [yes/no]: no
% Include an IP address in the subject name? [no]:
% Generate Self Signed Router Certificate? [yes/no]: yes
Router Self Signed Certificate successfully created
After this make sure you do NOT change the hostname of the device :)
10-27-2016 02:23 AM
Hi LJ, thanks for your reply, but the trustpoint command is not available in NX-OS.
I raised this with TAC. The solution is to generate a cert using openssl and import it onto the device; however, there is a bug which prevents the switch from being able to use the certificate, CSCva75989, which I understand is fixed in 7.0(3)I4(4).
Once I've upgraded to this version and tried again I'll update this post for reference.
For information, here is how to generate the cert off-box using openssl:
http://stackoverflow.com/questions/10175812/how-to-create-a-self-signed-certificate-with-openssl
To install it on the switch:
ABC-N9K3-1(config)# nxapi certificate httpskey keyfile bootflash:key2.pem
Upload done. Please enable. Note cert and key must match.
ABC-N9K3-1(config)# nxapi certificate httpscrt certfile bootflash:cert.pem
Upload done. Please enable. Note cert and key must match.
ABC-N9K3-1(config)# nxapi certificate enable
As noted, this doesn't currently work but should do once the bug is fixed.
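The off-box procedure above (openssl key and self-signed cert, then the three nxapi certificate commands) as one runnable script. This is an added example, not the poster's or TAC's code. It assumes: the switch hostname used as CN/SAN (abc-n9k3-1.test.local here is made up), a 2048-bit RSA key, output files key.pem and cert.pem, and that the two files are copied to bootflash: by some means the thread does not show (e.g. scp); the nxapi commands are the ones the poster pasted. The cert_matches_key check exists because the switch warns "cert and key must match", and cert_not_expired checks the condition that started the thread (expired certs) before you push anything.

```shell
#!/bin/sh
# Generate a self-signed certificate for a Nexus 9K NX-API endpoint with openssl,
# verify it locally, and emit the NX-OS commands to install it.
# Added example; hostname, paths and validity period are assumptions.

# generate_nxapi_cert <hostname> <outdir> [days]
generate_nxapi_cert() {
    host="$1"; outdir="$2"; days="${3:-825}"
    mkdir -p "$outdir"
    # Minimal req config: CN and a DNS SAN for the name the orchestrator will
    # connect to, marked as a server (not CA) certificate.
    cat > "$outdir/openssl.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_req
prompt = no
[dn]
CN = $host
[v3_req]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$host
EOF
    # Unencrypted 2048-bit RSA key, created with restrictive permissions;
    # 'nxapi certificate httpskey' takes a plain PEM key.
    ( umask 077; openssl genrsa -out "$outdir/key.pem" 2048 >/dev/null 2>&1 )
    # Self-signed X.509 cert using that key, SHA-256 signature.
    openssl req -new -x509 -sha256 -days "$days" \
        -key "$outdir/key.pem" -out "$outdir/cert.pem" \
        -config "$outdir/openssl.cnf" >/dev/null 2>&1
}

# cert_matches_key <cert.pem> <key.pem>: true if the public key in the cert
# is the one derived from the private key (the switch's "must match" note).
cert_matches_key() {
    cert_pub=$(openssl x509 -noout -pubkey -in "$1")
    key_pub=$(openssl pkey -pubout -in "$2")
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# cert_not_expired <cert.pem> <seconds>: true if the cert is still valid
# <seconds> from now (use e.g. 2592000 to get a 30-day early warning).
cert_not_expired() {
    openssl x509 -noout -in "$1" -checkend "$2" >/dev/null
}

# cert_san <cert.pem>: print the SAN line so the name can be eyeballed.
cert_san() {
    openssl x509 -noout -in "$1" -ext subjectAltName 2>/dev/null \
        || openssl x509 -noout -text -in "$1" | grep -A1 'Subject Alternative Name'
}

# nxapi_install_commands: the NX-OS commands from the thread, after both
# files have been copied to bootflash: (copy step assumed, not shown here).
nxapi_install_commands() {
    printf '%s\n' \
        'configure terminal' \
        'nxapi certificate httpskey keyfile bootflash:key.pem' \
        'nxapi certificate httpscrt certfile bootflash:cert.pem' \
        'nxapi certificate enable'
}

# Usage: sh nxapi_cert.sh <hostname> <outdir>
if [ $# -ge 2 ]; then
    generate_nxapi_cert "$1" "$2" \
        && cert_matches_key "$2/cert.pem" "$2/key.pem" \
        && cert_not_expired "$2/cert.pem" 0 \
        && cert_san "$2/cert.pem" \
        && nxapi_install_commands
fi
```

Run it once per switch with that switch's hostname so the SAN matches what vRealize Orchestrator connects to, and then import cert.pem into the orchestrator's trust store (or pin it) rather than turning off certificate verification; a self-signed cert only buys you anything if the client actually checks it. -ext on cert_san needs OpenSSL 1.1.1+, hence the grep fallback.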