05-02-2018 10:40 AM - edited 03-01-2019 01:44 PM
Hello,
We have been requested to install custom certificates for our 3 Cisco APICs. We have followed this guide : https://www.cisco.com/c/en/us/td/docs/switches/datacenter/aci/apic/sw/1-x/basic-config/b_ACI_Config_Guide/b_ACI_Config_Guide_chapter_01.html#concept_BE099C0BD5154A4493AEBC8BE21D4E0D
As we understand it, we need to generate only 1 KeyRing and 1 Certificate for all 3 APICs. No need to have 3 different certificates, 1 is enough. However, as there are really 3 APICs, the subject of this single certificate can match either 1 APIC or none.
What would be the best practice about the custom certificate Subject and DNS entries for the 3 APICs? Our thinking is just keeping a generic Subject in the single Certificate we will use. This might show some alerts on the web browser, though.
What is your opinion or suggestion on this?
05-25-2018 12:58 AM
Hi everyone,
So, this is how this ended:
We generated only 1 KeyRing and 1 Certificate for all 3 APICs. Having more certificates is useless as all the APICs will present only 1 Certificate, no matter which APIC you hit.
So now we have 3 APICs, 3 URLs and only 1 certificate. The Web Browser will alert that the Certificate Common Name looks funny on the URL. As APIC does not support wildcards on the Certificate (says the documentation), an option would be to have a Certificate with SAN (Subject Alternative Name) to match all 3 APICs and be error-clear. Our CA does not use SAN, so we ended up just living with the Browser error.
Important things:
* Only 1 certificate generated for all APICs. No wildcard on the Subject. We used the hostname of the first APIC.
* We could have had the SAN option on the certificate, to match all APICs. For us, this was not possible.
* Live with the small Browser Error.
Hope this helps. Any opinion or comment is welcome.
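An added example of the SAN approach described in this post (it is not code from the thread or from Cisco's documentation): an OpenSSL CSR whose Subject Alternative Name lists all three APIC hostnames, plus a throwaway self-signed copy used only to show that the hostname check a browser performs passes for every APIC URL. The hostnames and the working directory are constructed placeholders; the certificate actually installed on the APICs should be issued by the enterprise CA from the CSR, and the CA must preserve the SAN entries.

```shell
#!/bin/sh
# Added example: one CSR with three APIC hostnames as SANs (CN = first APIC,
# as the thread did), then a self-signed demo copy to test hostname matching.
set -e

WORK=$(mktemp -d)
APIC1=apic1.example.net   # constructed placeholder hostnames, not real APICs
APIC2=apic2.example.net
APIC3=apic3.example.net

# OpenSSL request config: no prompting, CN of the first APIC, SAN for all three.
cat > "$WORK/san.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
req_extensions = v3_req
x509_extensions = v3_req
[dn]
CN = $APIC1
[v3_req]
subjectAltName = @alt_names
[alt_names]
DNS.1 = $APIC1
DNS.2 = $APIC2
DNS.3 = $APIC3
EOF

# make_csr: private key plus the CSR you would submit to the CA.
make_csr() {
    openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/apic.key" \
        -out "$WORK/apic.csr" -config "$WORK/san.cnf" 2>/dev/null
}

# csr_san_count: number of DNS entries the CA will see in the request.
csr_san_count() {
    openssl req -in "$WORK/apic.csr" -noout -text | grep -o 'DNS:' | wc -l | tr -d ' '
}

# make_demo_cert: self-signed copy of the request, only for offline inspection.
make_demo_cert() {
    openssl req -new -x509 -key "$WORK/apic.key" -out "$WORK/apic.crt" \
        -days 30 -config "$WORK/san.cnf" 2>/dev/null
}

# cert_matches_host HOST: succeeds only if CN/SAN covers HOST, which is the
# check a browser runs before showing the name-mismatch warning.
cert_matches_host() {
    openssl x509 -in "$WORK/apic.crt" -noout -checkhost "$1" \
        | grep -q 'does match certificate'
}

make_csr
make_demo_cert
echo "CSR and demo certificate written to $WORK"
```

Submit `apic.csr` to the CA; if the issued certificate still reports a match for all three names with `openssl x509 -checkhost`, the browser warning the thread describes goes away.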
05-24-2018 07:58 AM
05-25-2018 12:43 AM
Hello,
I am no expert here, but I would say that no, you cannot generate Self-Signed certificates from the APIC.
They use by default a self-signed certificate (shipped with the APICs), they all will present the same no matter which APIC you query.
If you have a CA in your domain, you can have that CA generate the certificate (for that, follow the guide mentioned in the first post). If not, I am afraid you will have to use the existing self-signed certificate. As I have tested it, all APICs in a Fabric will present only 1 Certificate, no matter which APIC you hit.
Hope it helps.