02-20-2023 10:27 AM
Greetings!
I am trying to create and issue a certificate for my Cisco C9300s. When we access the secure web server for the switch it says it is not secure. We connect with https://ipaddress. I am using this How To to get it to work. The issue is that when I import the Web Server certificate from my CA for the switch and go to the web page, it still says the connection is insecure and the certificate isn't valid, even though the cert came from the CA.
On the CN for the subject-name I can set the hostname or the IP. For the SAN I can't set the IP; I can only set a name.
I set the CN as the IP and it still doesn't say it is secure. What am I missing?
02-20-2023 12:44 PM
You can use a wildcard certificate and make a DNS entry for that switch. Make sure your browser also has the same certificate installed.
02-20-2023 12:46 PM
Can you give me directions on doing that?
03-10-2023 06:21 AM
I am going to lay out that we do not use OpenSSL, as we are not allowed to. We have to use our own network CA. For the CN I have set the CN to the IP address of the certificate. For the SAN, Cisco has a separate command, ip-address, which adds the address, and there is a different command called subject-name-alternative to which I can't add an IP address, as it is not allowed. So what I find I can do is the following:
CN can be the following:
SAN (Subject-Name-Alternative) can be the following:
IP address can be added or not
I tried a mixture of all those things and it is still telling me the certificate is invalid on Edge with the error: NET::ERR_CERT_COMMON_NAME_INVALID. If you look at the certificate from Edge it shows the same certificate as when I open it on its own, with the same fingerprints.
So what should the CN be when accessing it from the IP address using Edge?
03-10-2023 06:39 AM - edited 03-10-2023 06:50 AM
Also, when doing the following to make the CSR, I add the ip-address line. But when I look at the certificate it doesn't look like the IP address is added to the SAN. In fact the certificate does not have a SAN at all. It looks like something is getting lost in translation.
crypto pki trustpoint my-trustpoint
 enrollment terminal pem
 subject-name C=US, ST=Pennsylvania, L=My-Town, O=My-Org, OU=My-Department, CN=My-Switch.my-network.com
 subject-alt-name my-switch.my-network.com
 serial-number none
 ip-address 192.168.1.51
 revocation-check none
 rsakeypair my-4096rsa-key
end
Any idea why it isn't including the IP address in the SAN?
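The name-matching rule behind that NET::ERR_CERT_COMMON_NAME_INVALID error, as an added example that is not code from the thread or from Cisco: Chromium-based browsers such as Edge compare the requested name only against the subjectAltName extension and ignore the CN, so a certificate with CN=192.168.1.51 but no SAN, like the one described above, is rejected no matter what the CN says. The dictionaries below mirror the shape Python's ssl.SSLSocket.getpeercert() returns; the three sample certificates are constructed for illustration.

```python
import ipaddress
from typing import Sequence, Tuple

# Certificate identity in the dict shape returned by ssl.SSLSocket.getpeercert():
#   'subject':        ((('commonName', 'x'),), ...)
#   'subjectAltName': (('DNS', 'x'), ('IP Address', 'x'), ...)
SanEntries = Sequence[Tuple[str, str]]


def _dns_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125 style: case-insensitive, wildcard only as the whole left-most label."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    # Reject '*.com', partial-label wildcards like 'sw*.x', and label-count mismatches.
    if p_labels[0] != "*" or len(p_labels) != len(h_labels) or len(p_labels) < 3:
        return False
    return p_labels[1:] == h_labels[1:]


def browser_accepts(cert: dict, target: str) -> Tuple[bool, str]:
    """Return (accepted, reason) using the rule modern browsers apply:
    the requested name is matched against SAN only; commonName is never consulted."""
    san: SanEntries = cert.get("subjectAltName", ())
    if not san:
        return False, "certificate has no subjectAltName; CN is ignored by browsers"
    try:
        ip = ipaddress.ip_address(target)   # IP literal in the URL, e.g. https://192.168.1.51
    except ValueError:
        ip = None                           # a hostname was requested instead
    for kind, value in san:
        if ip is not None and kind == "IP Address":
            try:
                if ipaddress.ip_address(value) == ip:
                    return True, f"matched SAN IP Address {value}"
            except ValueError:
                continue
        elif ip is None and kind == "DNS" and _dns_matches(value, target):
            return True, f"matched SAN DNS {value}"
    return False, "no SAN entry matches; browser reports NET::ERR_CERT_COMMON_NAME_INVALID"


# Constructed sample certificates (not real switch certificates).
CERT_CN_ONLY = {"subject": ((("commonName", "192.168.1.51"),),)}
CERT_WITH_SAN = {"subject": ((("commonName", "my-switch.my-network.com"),),),
                 "subjectAltName": (("DNS", "my-switch.my-network.com"),
                                    ("IP Address", "192.168.1.51"))}
CERT_WILDCARD = {"subject": ((("commonName", "*.my-network.com"),),),
                 "subjectAltName": (("DNS", "*.my-network.com"),)}
```

Running browser_accepts(CERT_CN_ONLY, "192.168.1.51") fails while the same target against CERT_WITH_SAN succeeds, and the wildcard certificate from the second reply only works when the switch is reached by its DNS name, never by IP.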