RS0116 - SDA Certificate Install

The video walks through a certificate install on DNAC. We review the recommended certificate format for both the DNAC identity certificate and the subordinate certificate used to issue device certificates, to ensure proper operation.
 
Topic:
  • DNAC Certificate
  • Subordinate Certificate
  • Device Certificate

About Author

Metha Chiewanichakorn, CCIE#23585 (Ent. Infra, Sec, SP), is a Cisco networking enthusiast with years of experience in the industry. He is currently working as a consulting engineer for a Cisco partner. As a founder of and an instructor at labminutes.com, Metha enjoys learning and challenges himself with new technologies.

8 comments

Hi,

I've tried this several times and with several different methods and I can't get it to work. The certificate I have now is valid and I do have a green lock in my browser and all certificates in the chain are valid, but on DNA Center > Settings > Certificate the Authority for the cert still says Self-signed.

I've tried it just as shown in this video with an external OpenSSL. I've also tried both the OpenSSL method and the API method described by Cisco here: https://www.cisco.com/c/en/us/td/docs/cloud-systems-management/network-a...

Nothing works.

NOTE: The default Subordinate Certification Authority template Cisco wants you to use does not work. It won't import the certificate because of missing keyEncipherment so I did create my own template with keyEncipherment and both serverAuth and clientAuth.

What version of DNAC are you running? Have you opened a case with Cisco to see if this is a bug?

I actually got this to work. I had to import the Root CA certificate into the DNA Trustpool manually. I noticed that it didn't do this during the process automatically so after I did that it shows up correctly. This happened with all the methods I tried.

Hello Metha. Thank you for this video!
Could you share the .cnf file please?
I am facing issues with my file and I would like to compare.

Thank you,
Alex

I see this post was from a while back.
But there is an official doc on how to generate the certs available now.
https://www.cisco.com/c/en/us/td/docs/cloud-systems-management/network-a...

Thank you for sharing.

Do the template extensions have Server authentication and client authentication, right?

Correct. If you use ISE to issue cert, it should already be included in the pxGrid template.
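
The comments above mention keyEncipherment plus the serverAuth and clientAuth extended key usages. As an added example (not from the video, the author, or Cisco), the following checks a PEM certificate for those three values with OpenSSL before an import is attempted. The function names and the `dnac.example.test` subject are hypothetical, and the sample certificate is a constructed throwaway.

```shell
# Added example: check a PEM certificate for the usages discussed in the comments.
# Function names are hypothetical; nothing here comes from the product itself.
cert_text() { openssl x509 -in "$1" -noout -text 2>/dev/null; }

# $1 = cert file, $2 = extension header, $3 = usage name as OpenSSL prints it.
# The usage values sit on the line right after the header, hence grep -A1.
has_usage() { cert_text "$1" | grep -A1 "$2" | grep -q "$3"; }

# Prints OK, or MISSING: followed by the absent usages (and returns 1).
check_cert_ext() {
    missing=""
    has_usage "$1" "X509v3 Key Usage" "Key Encipherment" \
        || missing="$missing keyEncipherment"
    has_usage "$1" "X509v3 Extended Key Usage" "TLS Web Server Authentication" \
        || missing="$missing serverAuth"
    has_usage "$1" "X509v3 Extended Key Usage" "TLS Web Client Authentication" \
        || missing="$missing clientAuth"
    [ -z "$missing" ] && { echo "OK"; return 0; }
    echo "MISSING:$missing"
    return 1
}

# Constructed sample input: a throwaway self-signed cert with the given usages.
# $1 = output dir, $2 = name, $3 = keyUsage value, $4 = extendedKeyUsage value
make_sample_cert() {
    cat > "$1/$2.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = ext
prompt = no
[dn]
CN = dnac.example.test
[ext]
keyUsage = $3
extendedKeyUsage = $4
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$1/$2.cnf" \
        -keyout "$1/$2.key" -out "$1/$2.pem" 2>/dev/null
}
```

Run `check_cert_ext yourcert.pem` against the certificate returned by the CA; a certificate issued from a template without keyEncipherment is reported as `MISSING: keyEncipherment`.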