
Creating a Certificate For C9300 Web Page

IES Sys Admin
Level 1

Greetings!

I am trying to create and issue a certificate for my Cisco C9300s. When we access our secure webserver for the switch it says it is not secure. We connect with https://ipaddress. I am using this How To to get it to work. Issue is when I import the Web Server certificate from my CA for the switch and go to the webpage it still says the connection is insecure and the certificate isn't valid even though the Cert came from the CA.

On the CN for the subject-name I can set the hostname or the IP. For the SAN I can't set the IP. I can only set a name.

I set the CN as the IP and that still doesn't say it is secure. What am I missing?

4 Replies

balaji.bandi
Hall of Fame

You can use a wildcard certificate, and make a DNS entry for that switch. Make sure your browser also has the same certificate installed.


BB


Can you give me directions on doing that?

IES Sys Admin
Level 1

I am going to lay out that we do not use OpenSSL as we are not allowed to. We have to use our own network CA. For the CN I have set the CN to the IP address of the certificate. For the SAN Cisco has a separate command that says ip-address which adds the address, and there I have a different command called subject-name-alternative, to which I can't add an IP address as it is not allowed. So what I find is that I can do the following:

CN can be the following:

  • IP address
  • Hostname
  • FQDN

SAN (Subject-Name-Alternative) can be the following:

  • Hostname
  • FQDN

IP address can be added or not

Tried a mixture of all those things and it is still telling me the certificate is invalid on Edge with the error: NET::ERR_CERT_COMMON_NAME_INVALID. If you look at the certificate from Edge it shows the same certificate as if I open it on its own, with the same fingerprints.

So what should the CN be when accessing it from the IP address using Edge?
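The Edge error in the post above comes from the hostname matching rules Chromium-based browsers (Chrome 58 onward, and Chromium Edge) apply: a host typed as an IP literal is compared only against iPAddress entries in the SubjectAltName, a DNS host only against dNSName entries, and the CN is not consulted at all. The following Python is an added example, not code from the original thread or from Cisco; it constructs a SubjectAltName in DER, parses it back and applies that matching logic. The hostname and address are the ones from this thread, and build_san is a test helper for constructed data, not a real CSR tool.

```python
import ipaddress

# Context-specific tags for GeneralName choices in RFC 5280 SubjectAltName.
DNS_NAME, IP_ADDRESS = 2, 7

def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for one DER TLV; handles short and long length forms."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low bits give the byte count
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def parse_san(der):
    """Decode a SubjectAltName extension value into [('dns', name) | ('ip', addr)]."""
    tag, body, _ = _read_tlv(der, 0)
    assert tag == 0x30, "SubjectAltName must be a SEQUENCE of GeneralName"
    names, pos = [], 0
    while pos < len(body):
        tag, value, pos = _read_tlv(body, pos)
        kind = tag & 0x1F                  # drop the context-specific class bits
        if kind == DNS_NAME:
            names.append(("dns", value.decode("ascii").lower()))
        elif kind == IP_ADDRESS:
            names.append(("ip", str(ipaddress.ip_address(value))))
    return names                           # other GeneralName kinds are ignored

def host_matches(url_host, san_names, common_name=None):
    """Browser-style name check. common_name is accepted but deliberately never used:
    an IP literal only matches an iPAddress SAN, a DNS host only a dNSName SAN."""
    try:
        ip = str(ipaddress.ip_address(url_host))
        return any(k == "ip" and v == ip for k, v in san_names)
    except ValueError:                     # not an IP literal, so treat as a DNS name
        host = url_host.lower()
        for k, v in san_names:
            if k != "dns":
                continue
            if v == host:
                return True
            # Wildcard covers exactly one label, so label counts must agree.
            if v.startswith("*.") and host.count(".") == v.count(".") and host.endswith(v[1:]):
                return True
        return False

def build_san(dns=(), ips=()):
    """Construct a DER SubjectAltName for testing (constructed data, under 128 bytes)."""
    items = b""
    for name in dns:
        items += bytes([0x80 | DNS_NAME, len(name)]) + name.encode("ascii")
    for ip in ips:
        packed = ipaddress.ip_address(ip).packed
        items += bytes([0x80 | IP_ADDRESS, len(packed)]) + packed
    return bytes([0x30, len(items)]) + items
```

Running host_matches("192.168.1.51", ...) against a SAN that holds only my-switch.my-network.com returns False regardless of what the CN says, which is exactly the condition that surfaces as NET::ERR_CERT_COMMON_NAME_INVALID; adding the address as an iPAddress SAN entry makes it return True.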

IES Sys Admin
Level 1

Also when doing the following to make the CSR I add the IP Address line. But when I look at the certificate it doesn't look like the IP address is added to the SAN. In fact the certificate does not have a SAN at all. It looks like something is getting lost in translation.

crypto pki trustpoint my-trustpoint
 ! CSR is generated in PEM form on the terminal and pasted into the CA
 enrollment terminal pem
 ! Subject DN; the CN is the switch FQDN
 subject-name C=US, ST=Pennsylvania, L=My-Town, O=My-Org, OU=My-Department, CN=My-Switch.my-network.com
 ! Only a DNS name is accepted here; an IP is refused
 subject-alt-name my-switch.my-network.com
 serial-number none
 ! Intended to put 192.168.1.51 into the request
 ip-address 192.168.1.51
 revocation-check none
 rsakeypair my-4096rsa-key
end

Any idea why it isn't including the IP address into the SAN?