In some network
configurations, proxy gateways may exist between the
and network devices. Common ports such as 80 and 443 pass through the gateway
proxy in the DMZ, and for this reason SSL sessions from the network devices
meant for the controller terminate at the proxy gateway. Therefore, these
network devices can only communicate with the controller via the proxy gateway.
In order for the network devices to establish secure and trusted connections
with the controller, or with a proxy gateway if one is present, the network devices
should have their PKI trust stores appropriately provisioned with the relevant
CA root certificates or the server’s own certificate under certain
Cisco Network Plug and
With the Cisco
Network Plug and Play (PnP) application, the
responds to HTTPS requests from supported Cisco network devices and permits
these devices to download and install an image and desired configuration.
Before a device can download such information from the controller, the initial
interaction between the controller and device involves the establishment of a
interaction with a PnP enabled device, that PnP enabled device is provisioned
by the controller with trust information that includes a CA root certificate
bundle or, at the least, the certificate of the CA that issued the server side
certificate. Note that in the latter case, the CA may or may not be a well known
In certain Cisco
Network Plug and Play scenarios, your network configuration may have a proxy
gateway present between the controller and PnP enabled devices. For instance, in
an IWAN deployment a branch router might communicate to the
through a proxy gateway at the DMZ at initial provisioning. Depending on
whether there is a proxy gateway present or not, the trust information provided
by the controller at the initial transaction with the devices may correspond to
the proxy gateway's or to the controller’s certificate issuer (if the
corresponding server certificates are not valid CA signed). On the other hand,
in either the proxy or the non-proxy case, if the certificate is a simple self-signed
certificate, then that certificate will be downloaded by the device into its
self-signed certificate for either the
or the proxy gateway is strongly discouraged. We recommend installing a
publicly verifiable CA issued certificate for the controller, as well as for the
proxy gateway if one is present.
With a valid CA
issued certificate for the controller or the proxy gateway (if present), the
PnP enabled devices can download the trustpool bundle (ios.p7b) containing all
the well known CA root certificates. This permits the devices to establish
secure connections to the controller or to the proxy gateway for further
provisioning and operation of those devices. If the installed certificate is
not issued by a valid CA, or is self-signed, then the devices will have to
download the issuing CA’s certificate or the self-signed certificate itself to
proceed further with a secure connection to the controller or to a proxy gateway
in front of the controller. The
facilitates automatic downloads of the relevant trusted certificates on the
devices, depending on the nature of the certificate installed on it. However,
when a proxy gateway is present, it provides a provisioning GUI to facilitate
topologies where there is a proxy gateway present between controller and PnP
enabled devices, follow the procedure below to import a proxy gateway
certificate into the controller.
Figure 8. Proxy Gateway
Before You Begin
successfully deployed the
and it is operational.
In your network,
an HTTP proxy gateway exists between the controller and PnP enabled network
devices. The PnP enabled network devices will use the proxy gateway's IP
address to reach the
controller and its services.
You have the
certificate file currently being used by the proxy gateway. The certificate
file contents can consist of any of the following:
gateway’s certificate in PEM format, with the certificate being self-signed.
gateway’s certificate in PEM format, with the certificate being issued by a
valid, well-known CA, such as the Comodo Group, Symantec, or DigiCert.
gateway’s certificate and the issuing CA root certificate.
certificate file is structured in the above order as a chain and in PEM format.
This is required if the CA is not a valid, well-known CA; for example, a CA not
present in the Cisco ios.p7b trust pool bundle.
gateway’s certificate and a Sub CA certificate.
certificate file is structured in the above order and as a chain in PEM format.
This is required if the Root CA that issued the Sub CA is a well-known, valid CA
such as the Comodo Group, Symantec, or DigiCert.
You must have
administrator permissions to import the certificate as described in this
procedure. For information about the user permissions required to perform tasks,
see the chapter,
and Roles in the
Application Policy Infrastructure Controller Enterprise Module Configuration
used by the devices and proxy gateway must be imported into the controller by
following this procedure.
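The certificate file variants listed under Before You Begin differ in how many PEM blocks the file contains and whether those blocks form a chain in leaf-to-CA order. The following Python script is an added example for checking a file before it is imported; it is not part of the Cisco documentation or of any Cisco tool. It splits the file into PEM blocks, extracts each certificate's issuer and subject with a minimal DER reader (no third-party library), and reports which variant the file matches, so a chain in the wrong order is caught before the import rather than on the devices. The constructed_cert_pem helper is a test fixture that builds certificate-shaped DER with no real key or signature; it is an assumption of this example and does not produce certificates usable for anything else.

```python
import base64
import re

# Matches each PEM certificate block; the inner group is the base64 body.
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def _read_tlv(buf, pos):
    """Read one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length: next n bytes hold it
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _children(value):
    """Split the content of a constructed DER value into its (tag, value) items."""
    items, pos = [], 0
    while pos < len(value):
        tag, val, pos = _read_tlv(value, pos)
        items.append((tag, val))
    return items


def extract_names(der):
    """Return (issuer, subject) of a DER Certificate as raw Name encodings.

    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }
    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature,
                                  issuer, validity, subject, subjectPublicKeyInfo, ... }
    Comparing the raw Name bytes is the binary matching RFC 5280 permits.
    """
    _, cert, _ = _read_tlv(der, 0)
    tbs = _children(cert)[0][1]
    fields = _children(tbs)
    idx = 1 if fields[0][0] == 0xA0 else 0   # skip the explicit [0] version if present
    return fields[idx + 2][1], fields[idx + 4][1]


def classify_certificate_file(pem_text):
    """Map a PEM file to one of the variants the import procedure accepts.

    self-signed        : one certificate whose issuer equals its subject
    single-ca-issued   : one certificate issued by another CA (must be well known)
    ordered-chain      : gateway certificate first, each later block issued the one before
    broken-chain-order : several blocks, but not in leaf-to-CA order; reorder before importing
    """
    names = [extract_names(base64.b64decode("".join(body.split())))
             for body in PEM_RE.findall(pem_text)]
    if not names:
        return "no-certificates"
    if len(names) == 1:
        issuer, subject = names[0]
        return "self-signed" if issuer == subject else "single-ca-issued"
    for (issuer, _), (_, next_subject) in zip(names, names[1:]):
        if issuer != next_subject:
            return "broken-chain-order"
    return "ordered-chain"


# ---- test fixture: certificate-shaped DER, constructed for this example only ----
def _tlv(tag, content):
    """DER-encode one tag-length-value."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _name(common_name):
    """Name ::= SEQUENCE OF SET OF { OID commonName (2.5.4.3), PrintableString }."""
    attr = _tlv(0x30, bytes.fromhex("0603550403") + _tlv(0x13, common_name.encode("ascii")))
    return _tlv(0x30, _tlv(0x31, attr))


def constructed_cert_pem(subject_cn, issuer_cn):
    """Build a PEM block with the given subject/issuer; no real key or signature
    (hypothetical fixture, only good for exercising the parser above)."""
    alg = _tlv(0x30, bytes.fromhex("06092a864886f70d01010b") + b"\x05\x00")  # sha256WithRSA, NULL
    version = _tlv(0xA0, _tlv(0x02, b"\x02"))
    validity = _tlv(0x30, _tlv(0x17, b"240101000000Z") + _tlv(0x17, b"340101000000Z"))
    spki = _tlv(0x30, alg + _tlv(0x03, b"\x00"))
    tbs = _tlv(0x30, version + _tlv(0x02, b"\x01") + alg + _name(issuer_cn)
               + validity + _name(subject_cn) + spki)
    der = _tlv(0x30, tbs + alg + _tlv(0x03, b"\x00"))
    body = base64.encodebytes(der).decode("ascii")
    return "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    leaf = constructed_cert_pem("proxy.example.net", "Example Sub CA")
    sub_ca = constructed_cert_pem("Example Sub CA", "Example Root CA")
    print(classify_certificate_file(leaf + sub_ca))    # ordered-chain
    print(classify_certificate_file(sub_ca + leaf))    # broken-chain-order
```

For a real file, read it with `open(path).read()` and pass the text to classify_certificate_file. The check only confirms structure and order; whether a "single-ca-issued" certificate's CA is actually in the ios.p7b trust pool, and whether the chain's signatures verify, is still for the controller and the devices to decide.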