cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
325
Views
1
Helpful
5
Replies

Syslog configuration certificate issues

yato231
Level 1
Level 1

Hello everyone,

I am trying to configure a nexus (nx os 9.3) to send its logs to syslog server over tls.

logging server 10.10.10.1 5 port 6514 secure use-vrf management

 When I try to configure the trustpoint I get the error "certificate is missing basic constraints extension , could not perform CA authentication".

crypto ca authenticate my-ca

I am pasting the root, intermediate and server certificates (pem) after this command. I have checked use openssl that the root and intermediate certs do have the basic constraints extension, and CA=true.

Also if I only paste the root and intermediate certificate then I don't have this error. This leads me to think that in the trustpoint I can only have CA certs, not the server certs. Is this true? and in that case where should I import the server cert? should it work without the server cert? Previous I worked on firewalls and there we had to import the whole chain from the server, intermediate and root.

Thanks in advance.

1 Accepted Solution

Accepted Solutions

yes if the router acting as CA and syslog trust that certs

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

View solution in original post

5 Replies 5

balaji.bandi
Hall of Fame
Hall of Fame

Syslog server and nexus device should trust same CA for them to communicate.

https://www.syslog-ng.com/technical-documents/doc/syslog-ng-open-source-edition/3.17/administration-guide/55

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Thanks for the link. So if I understand correctly, we don't need to add the certificate of the syslog server. It should work if the CA certificate installed on the nexus device refers to the CA originally used to create the syslog server certificate.

yes if the router acting as CA and syslog trust that certs

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Show crypto ca trustpoint 

Share this 

MHM

yato231
Level 1
Level 1
#show crypto ca trustpoint
trustpoint: root-ca key-pair:
revokation methods: none