Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
534
Views
1
Helpful
5
Replies

Syslog configuration certificate issues

Go to solution
yato231
Level 1
Level 1

‎06-07-2024 03:08 AM

Hello everyone,

I am trying to configure a nexus (nx os 9.3) to send its logs to syslog server over tls.

logging server 10.10.10.1 5 port 6514 secure use-vrf management

 When I try to configure the trustpoint I get the error "certificate is missing basic constraints extension , could not perform CA authentication".

crypto ca authenticate my-ca

I am pasting the root, intermediate and server certificates (pem) after this command. I have checked use openssl that the root and intermediate certs do have the basic constraints extension, and CA=true.

Also if I only paste the root and intermediate certificate then I don't have this error. This leads me to think that in the trustpoint I can only have CA certs, not the server certs. Is this true? and in that case where should I import the server cert? should it work without the server cert? Previous I worked on firewalls and there we had to import the whole chain from the server, intermediate and root.

Thanks in advance.

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
balaji.bandi
Hall of Fame
Hall of Fame
In response to yato231

‎06-10-2024 10:36 PM

yes if the router acting as CA and syslog trust that certs

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

View solution in original post

0 Helpful
5 Replies 5

Go to solution
balaji.bandi
Hall of Fame
Hall of Fame

‎06-07-2024 09:06 AM

Syslog server and nexus device should trust same CA for them to communicate.

https://www.syslog-ng.com/technical-documents/doc/syslog-ng-open-source-edition/3.17/administration-guide/55

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Go to solution
yato231
Level 1
Level 1
In response to balaji.bandi

‎06-10-2024 03:40 AM

Thanks for the link. So if I understand correctly, we don't need to add the certificate of the syslog server. It should work if the CA certificate installed on the nexus device refers to the CA originally used to create the syslog server certificate.

0 Helpful

Go to solution
balaji.bandi
Hall of Fame
Hall of Fame
In response to yato231

‎06-10-2024 10:36 PM

yes if the router acting as CA and syslog trust that certs

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

Go to solution
MHM Cisco World
VIP
VIP

‎06-07-2024 09:20 AM

Show crypto ca trustpoint 

Share this 

MHM

0 Helpful

Go to solution
yato231
Level 1
Level 1

‎06-09-2024 11:52 PM 

#show crypto ca trustpoint
trustpoint: root-ca key-pair:
revokation methods: none
0 Helpful
Customers Also Viewed These Support Documents