Simplifying the Process of Generating CSR and Certificate Chain for DNAC

Simplifying the Process of Generating CSR and Certificate Chain for DNAC

Cisco Catalyst Center(DNAC) is a complete management and control platform for your network, designed, created, and implemented by Cisco. 

This single, extensible software platform includes integrated tools for network management, automation, virtualization, analytics and assurance, security, and Internet of Things (IoT) connectivity and can also interface with your business-critical tools.

Cisco Catalyst Center (DNAC)
Fig 1.1-Cisco Catalyst Center (DNAC)

Let's start with the CSR generation on Cisco Catalyst Center(DNAC)

⭐Step 1: Create a CSR on the Cisco Catalyst Center(DNAC). First, establish a CLI session to the Cisco Catalyst Center(DNAC) and create a file named ssl-san.conf in your preferred text editor.  This file comes with a fill-in template. 

The Cisco Catalyst Center(DNAC) mandates that each of the IP addresses be listed in the certificate's alt_names section.  You can add DNS names if you like, but they cannot be used in place of IP addresses.


⭐Step 2: Next, generate an RSA key using the following command (The expected output of this command is key.pem)

 openssl genrsa -out key.pem 2048 

Step 3:Next, use the following to generate the CSR (The expected output from this command is the csr.pem file in the PKCS#10 format.

openssl req -new -key key.pem -out csr.pem -nodes -sha256 -reqexts v3_req -config ssl-san.conf

Step 4: Next, verify that the CSR is generated and SAN field is filled out correctly(The expected output is a ASCII formatted CSR. Use this to verify the information in the CSR.

 openssl req -text -verify -noout -in csr.pem

Step 5: Now, encrypt the key generated in the second step

 openssl pkcs8 -v1 PBE-SHA1-3DES -topk8 -in key.pem -out encrypted_key.pem 

This command will prompt you for a password.  Please do not forget the password as it is used later.  The expected output for this command is the encrypted_key.pem

Note : At this point you should move the csr.pem onto the CA via your file transfer protocol of choice  (ftp, sftp,  tftp, xmodem, usenet, rlogin, edonkey, arcane stone columns arranged on a beach in the Maldives, etc.)

Step 6: Login to your Windows Server 2016 box and open navigate to localhost

Step 7: Click on Request a certificate, On the next page select advanced certificate request.

Step 8: Select Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file.

Step 9: Verify that under the Certificate Template dropdown Web Server is selected.  Paste the CSR text into the Saved Request textbox.  Then Click Submit.

Step 10: On the next page select the Base 64 encoded radio button and then download the certificate chain.  You will receive a file called certnew.p7b.

Step 11: Once you have the file downloaded use openssl to convert the PKCS#7 file to a PEM file. The expected output of this command is the chain new file.  This command will work on Windows or *NIX systems that have the OpenSSL suite installed.

openssl pkcs7 -print_certs -in certnew.p7b -out chainnew

Step 12: On Cisco Catalyst Center(DNAC) navigate to System Settings > Settings > Certificate. Click Replace Certificate.

DNAC Certificate

Step 13: Place the chain new file in the Drag n’ Drop box under Certificate. Place the encrypted_key.pem file in the Drag n’ Drop box under Private Key. Enter the passphrase you assigned previously. Click the Upload/Activate button and you be redirected back to the original Certificate page with the new certificate chain information. 

Provide a PEM certificate, private key, passphrase

Step 14: The Cisco Catalyst Center(DNAC) has now been successfully updated with the new certificate. The following figure is taken from Organization's Cisco Catalyst Center(DNAC) certificate.


Continue Reading...

More on Cisco Catalyst Center...