IP-based certificate subjects supported in Network Assistant?

Gordon Fecyk
Level 1

We have an internal certificate authority and I can make my switches use it for managing them via HTTPS (ip http secure-server) in both a regular browser and in Cisco Network Assistant.  I want CNA to work with our switches without certificate errors or warnings, so we're not conditioned to "always trust" untrusted https servers and trust some non-company server by mistake.

I can create and sign certificates generated by switches running IOS 12.2(55) and later.  When visited with a browser that has the internal CA certificate trusted, I can browse switches without certificate warnings or errors.  In Cisco Network Assistant, this is almost true, with only the CA certificate not trusted.  I can fix that by editing the database of trusted CA certs (packages / runtime-1.42 / security / cacerts); there are a few tools available for managing Java-based certificate databases.

The only remaining snag is when I try to build a community in CNA, CNA insists on connecting by IP address instead of by host name.  This is fine; the CA certificate server I use supports subject alternative names and my CA-trusting browser will accept all of these as valid:

https://switch.example.com

https://switch

https://10.10.10.254

CNA will accept the first two examples (switch.example.com and switch) but not the IP address.  It will complain that the host name does not match the certificate.

I know some hostname resolvers like to use different punctuation for IP-based browsing. Some prefer putting IPs in brackets and will resolve [10.10.10.254] instead of 10.10.10.254, for instance.  I tried adding both of these to the list of subject alternative names, without CNA accepting them. Is there a magic format that CNA uses that I can make a matching subject alternative name for?

A little searching revealed that Java https clients dislike IP-based URLs. Then how about building a community using hostnames instead of IP addresses?  I can't seem to do this; CNA will obtain the IPs and use those, and subsequently complain about every switch's certificate.

2 Replies

Marvin Rhoads
Hall of Fame

I haven't had this problem personally but wonder if it would help to create a local hosts file for the devices in question. It's worth a try.

Hope this helps....

DNS isn't a problem as I have our DNS servers reporting the correct IP addresses for those host names, and I have reverse DNS set up for the IPs.

I did find this:

http://www.jroller.com/hasant/entry/no_subject_alternative_names_matching

This says I shouldn't create a subject alternative name entry of "dns=10.10.0.254" but rather one of "ipaddress=10.10.0.254". I did this, and the certificate's subject alternative names did come up:

DNS Name=switch.example.com

DNS Name=switch

DNS Name=10.10.0.250

IP Address=10.10.0.250

The IP Address attribute is new. Again, my browser deals with it OK but CNA does not, complaining the host name does not match.

Perhaps there's a different attribute I need to add besides the san= attribute when I sign the switch's certificate request? The CA server is Windows Server 2003 R2 running Certificate Services.
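An added example to illustrate the difference the thread is circling (this is not code from the thread or from Cisco; the CA name, hostnames and 10.10.0.250 are the constructed examples used above). It builds a throwaway CA with openssl, issues one switch certificate where the IP appears only as a dNSName entry and one where it is a real iPAddress entry, and then runs openssl's own hostname and IP checks against each. The IP check only consults iPAddress SAN entries, which is also how Java's default hostname checker treats an IP-literal URL, so the "DNS:10.10.0.250" certificate fails it while the "IP:10.10.0.250" one passes.

```shell
#!/bin/sh
# Added example, not code from the thread. Builds a throwaway internal CA and
# two certificates for a switch, then checks both with openssl's hostname and
# IP verification. Names and addresses are the thread's constructed examples.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Throwaway CA standing in for the internal CA (constructed for this example).
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
  -subj "/CN=Example Internal CA" -keyout ca.key -out ca.pem 2>/dev/null

# issue NAME SAN: make a key and CSR for the switch and sign it with the given SAN.
issue() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=switch.example.com" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null
  printf 'subjectAltName=%s\n' "$2" > "$1.ext"
  openssl x509 -req -in "$1.csr" -CA ca.pem -CAkey ca.key -CAcreateserial \
    -days 1 -extfile "$1.ext" -out "$1.pem" 2>/dev/null
}

# Wrong: the IP only appears as a dNSName entry (the "dns=10.10.0.250" mistake).
issue dnsonly "DNS:switch.example.com,DNS:switch,DNS:10.10.0.250"
# Right: the IP is an iPAddress entry alongside the DNS names.
issue withip  "DNS:switch.example.com,DNS:switch,IP:10.10.0.250"

# show_san CERT: print the SAN extension as the CA actually encoded it.
show_san() { openssl x509 -in "$1" -noout -text | grep -A1 'Subject Alternative Name'; }

# check_host CERT HOST: 0 if CERT chains to the CA and a dNSName SAN matches HOST.
check_host() { openssl verify -CAfile ca.pem -verify_hostname "$2" "$1" >/dev/null 2>&1; }

# check_ip CERT IP: 0 if CERT chains to the CA and an iPAddress SAN matches IP.
# Like Java's default hostname checker, this ignores dNSName entries for an IP.
check_ip() { openssl verify -CAfile ca.pem -verify_ip "$2" "$1" >/dev/null 2>&1; }

for c in dnsonly.pem withip.pem; do
  echo "== $c"; show_san "$c"
  check_host "$c" switch.example.com && echo "hostname switch.example.com: OK" || echo "hostname: FAIL"
  check_ip "$c" 10.10.0.250 && echo "ip 10.10.0.250: OK" || echo "ip 10.10.0.250: FAIL"
done
```

The useful habit here is the show_san step: look at the signed certificate's SAN as the CA actually encoded it rather than at the request you submitted, since a CA that copies the value into a dNSName entry will still produce a certificate that browsers accept by string comparison but that an IP-only matcher rejects.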