Can I generate self signed certificates for Nexus 9K?

d-fillmore (Level 2)

Hi, I have 22 Nexus 9Ks that I've just upgraded to 7.0(3)I4 so I can use the REST API.

I'm using vRealize Orchestrator for automation, and I can't access the REST API on the Nexus using Orchestrator as the certificates have all expired.

I can't find very much info about this for the 9K, except if the 9Ks are in ACI mode, in which case I think TAC are the only people that can generate a certificate.

Does anyone know any other way around this? Otherwise I'll have to raise a TAC case to get 22 certs generated :-/

Cheers, Dom

Accepted Solution

LJ Gabrillo (Level 5)

I am not familiar with the technology you are trying to integrate with, but below is a guide on how to generate a custom SSC (self-signed cert) on a device:

conf t
! NOTE: the hostname must not be changed once the certificate has been generated
hostname DEVICE01
ip domain-name test.local

! RSA key pair that the self-signed certificate will be bound to
crypto key generate rsa general-keys label SSC_KEY modulus 2048

crypto pki trustpoint SSC_LOCAL
 subject-name CN=DEVICE,DC=test,DC=local
 enrollment selfsigned
 revocation-check crl
 rsakeypair SSC_KEY 2048
exit

! HIDDEN COMMAND: initiates the SSC creation
crypto ca enroll SSC_LOCAL

% Include the router serial number in the subject name? [yes/no]: no
% Include an IP address in the subject name? [no]:
% Generate Self Signed Router Certificate? [yes/no]: yes

Router Self Signed Certificate successfully created

After this make sure you do NOT change the hostname of the device :)


2 Replies


d-fillmore (Level 2)

Hi LJ, thanks for your reply, but the trustpoint command is not available in NX-OS.

I raised this with TAC. The solution is to generate a cert using openssl and import it onto the device; however, there is a bug which prevents the switch from being able to use the certificate, CSCva75989, which I understand is fixed in 7.0(3)I4(4).

Once I've upgraded to this version and tried again I'll update this post for reference.

For information, here is how to generate the cert off-box using openssl:

http://stackoverflow.com/questions/10175812/how-to-create-a-self-signed-certificate-with-openssl

To install it on the switch:

ABC-N9K3-1(config)# nxapi certificate httpskey keyfile bootflash:key2.pem
Upload done. Please enable. Note cert and key must match.
ABC-N9K3-1(config)# nxapi certificate httpscrt certfile bootflash:cert.pem
Upload done. Please enable. Note cert and key must match.
ABC-N9K3-1(config)# nxapi certificate enable

As noted, this doesn't currently work but should do once the bug is fixed.
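The off-box procedure in the reply above, worked through as an added example (this is not code from the thread, from Cisco, or from the linked Stack Overflow answer): a POSIX shell script that uses openssl to generate a self-signed key and certificate per switch, checks that the pair actually matches before anything is copied to bootflash: (the switch's "cert and key must match" warning), checks the SAN and remaining validity, and prints the NX-API import commands from the post. The switch names and management IPs in the inventory are constructed placeholders, and the `<fqdn>.key.pem` / `<fqdn>.crt.pem` file names are my own assumption, not the names used in the thread.

```shell
#!/bin/sh
# Added example, not from the original thread: generate a self-signed NX-API
# certificate off-box with openssl, verify that key and certificate match
# (the switch insists on this), and print the NX-OS import commands.
# Assumptions (placeholders, not from the post): the switch FQDNs and
# management IPs in INVENTORY, the file names, and a 2048-bit RSA key.
set -eu

WORKDIR=${WORKDIR:-$(mktemp -d)}

# gen_nxapi_cert <fqdn> <mgmt-ip> [days]
# Writes $WORKDIR/<fqdn>.key.pem and $WORKDIR/<fqdn>.crt.pem. The SAN carries
# both the hostname and the management IP, so a client that validates names
# (vRealize Orchestrator, curl) accepts the cert whichever one it connects to.
# A config file is used instead of -addext so this works on older OpenSSL.
gen_nxapi_cert() {
  fqdn=$1; ip=$2; days=${3:-825}
  cat >"$WORKDIR/$fqdn.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3
[dn]
CN = $fqdn
[v3]
subjectAltName = DNS:$fqdn,IP:$ip
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$days" \
    -config "$WORKDIR/$fqdn.cnf" \
    -keyout "$WORKDIR/$fqdn.key.pem" -out "$WORKDIR/$fqdn.crt.pem" \
    >/dev/null 2>&1
}

# cert_key_match <fqdn>: exit 0 only if the public key inside the certificate
# is the one derived from the private key (what "cert and key must match" means).
cert_key_match() {
  c=$(openssl x509 -in "$WORKDIR/$1.crt.pem" -noout -pubkey)
  k=$(openssl pkey -in "$WORKDIR/$1.key.pem" -pubout)
  [ "$c" = "$k" ]
}

# cert_has_san <fqdn> <ip>: exit 0 if both names are present in the SAN.
cert_has_san() {
  t=$(openssl x509 -in "$WORKDIR/$1.crt.pem" -noout -text)
  echo "$t" | grep -q "DNS:$1" && echo "$t" | grep -q "IP Address:$2"
}

# cert_valid_for <fqdn> <seconds>: exit 0 if the cert is still valid that far
# ahead. Worth scheduling; the thread started because the certs had expired.
cert_valid_for() {
  openssl x509 -in "$WORKDIR/$1.crt.pem" -noout -checkend "$2" >/dev/null
}

# nxos_install_cmds <fqdn>: the NX-OS CLI sequence from the post, ready to
# paste once the two files have been copied to bootflash:.
nxos_install_cmds() {
  cat <<EOF
configure terminal
 nxapi certificate httpskey keyfile bootflash:$1.key.pem
 nxapi certificate httpscrt certfile bootflash:$1.crt.pem
 nxapi certificate enable
end
EOF
}

# Constructed inventory: one "fqdn mgmt-ip" line per switch (placeholders).
INVENTORY='
n9k-1.test.local 192.0.2.11
n9k-2.test.local 192.0.2.12
'

main() {
  echo "$INVENTORY" | while read -r fqdn ip; do
    [ -n "$fqdn" ] || continue
    gen_nxapi_cert "$fqdn" "$ip"
    cert_key_match "$fqdn" || { echo "key/cert mismatch for $fqdn" >&2; exit 1; }
    cert_has_san "$fqdn" "$ip" || { echo "SAN missing for $fqdn" >&2; exit 1; }
    echo "# $fqdn: copy $WORKDIR/$fqdn.key.pem and $WORKDIR/$fqdn.crt.pem to bootflash:, then:"
    nxos_install_cmds "$fqdn"
  done
}

main
```

Copy the two files to bootflash: (for example with `copy scp:` on the switch) before pasting the printed commands, and delete `$WORKDIR` afterwards, since it holds the private keys. Whether the switch accepts the pair still depends on the CSCva75989 fix mentioned in the reply; this script only rules out the avoidable mistakes (mismatched key, missing SAN, short lifetime) before a TAC case is needed.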
