Cisco Crosswork Network Controller 7.2 Administration Guide

PDF

Add a new certificate

Want to summarize with AI?

Log in

Add a certificate to Crosswork Network Controller to secure communication for supported roles such as external destinations, syslog, gNMI or gRPC, and secure LDAP.


This section explains the steps to add a new certificate. You can add certificates for these roles:

  • External destination: Certificates uploaded for this role are used to secure communication between Crosswork Data Gateway and external destinations like Kafka servers. To enable mutual authentication, you upload a CA Certificate Trustchain that will be common to both Crosswork Data Gateway and the external server. This trust chain contains a root CA certificate and optional intermediate CA certificates. The last intermediate certificate in the chain and its corresponding private key are uploaded separately in the UI using Intermediate key , Intermediate certificate , and optionally Passphrase (if one was used for generating the intermediate key). Crosswork Network Controller internally creates a client certificate using this intermediate key for Crosswork Data Gateways that connect to the external destination. The destination server certificate trust, such as Kafka, must be derived from the same root CA certificate.

    You can upload certificates to the External Destination role, the authentication type must be opted as Mutual-Auth on the Add Destination page. For more information about the authentication types, see Add or edit a data destination.

  • Server Syslog Communication: You upload the trust chain of the Syslog server certificate. This trust chain is used by Crosswork Network Controller to authenticate the Syslog server. After this trust chain is uploaded and propagated within Crosswork Network Controller, you can add the syslog server ( Administration > Settings > Syslog Server Configuration ) and associate the certificate to enable TLS. For more information, see Configure a Syslog Server.

  • Device gNMI/gRPC communication: You upload a bundle of trust chains used by Crosswork Data Gateway to authenticate the devices connecting to it. This trust chain and the device gNMI certificate must also be configured on the device. The trust chain file that is uploaded can contain multiple hierarchies of trust certificates as needed to allow all the devices in the network to connect. For more information, see Add the gNMI certificate.

  • Secure LDAP communication: You upload the trust chain of the secure LDAP certificate. This trust chain is used by Crosswork to authenticate the secure LDAP server. Once this trust chain is uploaded and propagated within Crosswork Network Controller, you can add the LDAP server and associate the certificate.

  • External destination server auth:

    • Upload the root CA certificate to establish secure communication between the Crosswork Data Gateway and external destinations, such as Kafka servers.

    • You can upload certificates to the External Destination Server Auth role only when the authentication type is set to Server-Auth.

    • You can upload certificates for the Crosswork Data Gateway, applications, or both using the same role by selecting the appropriate data destination type.

    • The Data source field in the data destination form indicates whether the destination applies to the Crosswork Data Gateway, applications, or both.

  • Provider gRPC communication: You upload a well-known CA certificate trust chain bundle for secure communication between Crosswork Network Controller and gRPC server configured on an external SR-PCE provider. Mutual authentication is currently not supported.

Note

Crosswork Network Controller does not receive a web certificate directly. It accepts an intermediate CA and intermediate Key to create a new web certificate, and apply it to the Web Gateway.

If you prefer to upload your own ZTP and web certificates (instead of using the default certificates provided within Crosswork Network Controller), use the Edit function (see Edit certificates ).

Before you begin

  • Upload all certificates in Privacy Enhanced Mail (PEM) format. Also, note the location of the certificates on the system for easy navigation.

  • Uploaded Trust chain files may contain the entire hierarchy (root CA and intermediate certificates) in the same file. In some cases, multiple chains are also allowed in the same file.

  • Ensure the intermediate keys are either in PKCS1 or PKCS8 format.

  • Configure a data destination before you add a new certificate for an external destination. For more information, see Add or edit a data destination.

  • Ensure there are no collection jobs configured for destinations when adding or updating a certificate with multiple destinations.

  • Ensure that the tyk service is in a healthy state.

Procedure

1.

From the main menu, choose Administration > Certificate Management and click Add icon.

2.

Enter a unique name for the certificate.

3.

From the Certificate Role drop-down, select the purpose for which the certificate is to be used. For more information, see Usage of certificate types.

Note

You can select available destinations (Kafka/gRPC) while adding or updating an External Destination certificate.

4.

Click Browse , and navigate to the certificate trustchain.

5.

In the case of an External Destination certificate, you must select one or more destinations and provide the CA certificate trustchain, intermediate certificate, and intermediate key. The passphrase field is optional and is used to create the intermediate key (if applicable).

6.

Click Save.

Note

After you upload the certificate, the Crosswork Cert manager accepts it, validates it, and generates the server certificate. Upon successful validation, an alarm ("Crosswork Web Server Restart") indicates that the certificate is about to be applied. The Certificate Management UI then logs out automatically and applies the certificate to the Web Gateway. The new certificate can be checked by clicking the lock <Not Secure>/<secure> icon next to the https://<crosswork_ip>:30603.