Certificates for Cisco APICs, 1 certificate for all 3?

Hello,

We have been requested to install custom certificates for our 3 Cisco APICs. We have followed this guide: https://www.cisco.com/c/en/us/td/docs/switches/datacenter/aci/apic/sw/1-x/basic-config/b_ACI_Config_Guide/b_ACI_Config_Guide_chapter_01.html#concept_BE099C0BD5154A4493AEBC8BE21D4E0D

As we understand, we need to generate only 1 KeyRing and 1 Certificate for all 3 APICs. No need to have 3 different certificates, 1 is enough. However, as there are really 3 APICs, the subject of this single certificate can match either 1 APIC or none.

What would be the best practice about the custom certificate Subject and DNS entries for the 3 APICs? Our thinking is just keeping a generic Subject in the single Certificate we will use. This might show some alerts on the web browser, though.

What is your opinion or suggestion on this?


bergamok
Level 1
Hello Jose,
Did you find a solution for the problem? I have the same doubts.

I have been asked to create different certificates for each APIC, in order to discover the ACI network with HP NNMi.
My problem is that I cannot create self-signed certificates. Do you know if that is possible?
Thanks

Hello,

I am no expert here, but I would say that no, you cannot generate self-signed certificates from the APIC.

They use a self-signed certificate by default (shipped with the APICs), and they will all present the same one no matter which APIC you query.

If you have a CA in your domain, you can have that CA generate the certificate (for that, follow the guide mentioned in the first post). If not, I am afraid you will have to use the existing self-signed certificate. As I have tested it, all APICs in a Fabric will present only 1 Certificate, no matter which APIC you hit.

Hope it helps.

Hi everyone,

So, this is how this ended:

We generated only 1 KeyRing and 1 Certificate for all 3 APICs. Having more certificates is useless as all the APICs will present only 1 Certificate, no matter which APIC you hit.

So now we have 3 APICs, 3 URLs and only 1 certificate. The Web Browser will alert that the Certificate Common Name looks funny on the URL. As APIC does not support wildcards on the Certificate (says the documentation), an option would be to have a Certificate with SAN (Subject Alternate Name) to match all 3 APICs and be error-clear. Our CA does not use SAN, so we ended up just living with the Browser error.

Important things:

 * Only 1 certificate generated for all APICs. No wildcard on the Subject. We used the hostname of the first APIC

 * We could have had the SAN option on the certificate, to match all APICs. For us, this was not possible

 * Live with the small Browser Error.

Hope this helps. Any opinion or comment is welcome.
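Added example, not part of the original posts and not Cisco code: a Python check of which APIC URLs a single shared certificate covers, comparing the CN-only certificate described above with one that lists all three APICs as SAN entries. The hostnames and certificate contents are constructed placeholders, and the certificate dictionaries use the layout returned by Python's `ssl.SSLSocket.getpeercert()`.

```python
# Added example: hostname coverage of one certificate shared by 3 APICs.
# All hostnames and certificate contents are constructed placeholders.

APIC_HOSTS = ["apic1.example.net", "apic2.example.net", "apic3.example.net"]

# Certificate as in the thread: Subject CN = first APIC, no SAN extension.
CN_ONLY_CERT = {
    "subject": ((("commonName", "apic1.example.net"),),),
}

# The alternative mentioned in the thread: one SAN DNS entry per APIC.
SAN_CERT = {
    "subject": ((("commonName", "apic1.example.net"),),),
    "subjectAltName": tuple(("DNS", h) for h in APIC_HOSTS),
}


def names_in_cert(cert, cn_fallback=False):
    """Return the DNS names a client will compare the URL host against.

    RFC 6125: if dNSName SAN entries exist, only they are used. Current
    browsers never fall back to the Common Name; cn_fallback=True models
    older clients that still do when no SAN is present.
    """
    sans = [v.lower() for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans or not cn_fallback:
        return sans
    return [v.lower() for rdn in cert.get("subject", ())
            for key, v in rdn if key == "commonName"]


def coverage(cert, hosts, cn_fallback=False):
    """Map each host to True/False: would the name check pass for it?

    Exact matching only; wildcards are left out because the thread notes
    that APIC does not support them.
    """
    names = set(names_in_cert(cert, cn_fallback))
    return {h: h.lower().rstrip(".") in names for h in hosts}


if __name__ == "__main__":
    for label, cert, legacy in (("CN only, strict client", CN_ONLY_CERT, False),
                                ("CN only, legacy client", CN_ONLY_CERT, True),
                                ("SAN for all three", SAN_CERT, False)):
        print(label, coverage(cert, APIC_HOSTS, cn_fallback=legacy))
```

Run against a live controller by passing the dictionary from `getpeercert()` on a verified TLS connection instead of the constructed samples.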