Cisco Prime Infrastructure and Cisco DNA Center Integration Issues due to TOFU Certificate

Overview

This section describes the Cisco Prime Infrastructure and Cisco DNA Center integration issue that occurs due to a Trust-on-First-Use (TOFU) certificate mismatch after a new Certificate Signing Request (CSR) is generated from Cisco DNA Center, and how to troubleshoot and resolve it.

The TOFU certificate received from Cisco DNA Center is trusted when the connection is made for the first time. If Cisco DNA Center presents a different certificate on any subsequent connection, the connection is rejected, which causes the integration between the Prime Infrastructure server and Cisco DNA Center to fail.

The certificate on the remote host (Cisco DNA Center) to which Cisco Prime Infrastructure connects can change if a new certificate is generated or if the server is redeployed on the VM host (Cisco DNA Center).

Configure Certificate Validation

You can configure certificate validation through the command line interface or the user interface. List the current TOFU certificates on Prime Infrastructure, identify the old certificate entry for the corresponding Cisco DNA Center in that list, and remove it before you attempt the integration from Cisco DNA Center again.
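The following added example is not Cisco code; it is a small model of the pinning behaviour described above, written to show why a regenerated CSR on Cisco DNA Center breaks the integration and why deleting the stale pin repairs it. The host IP 10.0.0.5 and the two certificate byte strings are constructed placeholders (not real DER), and the listcerts parser only handles the `host=<ip>_<port>;  subject=<dn>` line shape shown in this document.

```python
import hashlib
from dataclasses import dataclass, field

# Constructed stand-ins for the DER bytes of two certificates with the same
# subject: the one pinned on first use, and the one issued after a new CSR.
OLD_CERT = b"-- constructed DER for CN=kong, serial 01 --"
NEW_CERT = b"-- constructed DER for CN=kong, serial 02 (after new CSR) --"

# Sample 'listcerts' output in the shape shown in this document (constructed).
SAMPLE_LISTCERTS = """pi-system-184/admin# ncs certvalidation tofu-certs listcerts
host=xx.xxx.xxx.xxx_443;  subject=CN = kong
host=yy.yyy.yyy.yyy_443;  subject=CN = kong
"""


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 over the certificate bytes; a pin compares this, not the subject."""
    return hashlib.sha256(cert_der).hexdigest()


@dataclass
class TofuStore:
    """Minimal trust-on-first-use store keyed by 'host_port' (hypothetical model)."""
    pins: dict = field(default_factory=dict)

    def verify(self, host: str, port: int, cert_der: bytes, subject: str) -> bool:
        key = f"{host}_{port}"
        fp = fingerprint(cert_der)
        if key not in self.pins:
            # First connection: trust and pin whatever the peer presents.
            self.pins[key] = {"subject": subject, "fingerprint": fp}
            return True
        # Every later connection must present the identical certificate.
        # A same-subject certificate from a new CSR still fails this check.
        return self.pins[key]["fingerprint"] == fp

    def listcerts(self) -> list:
        """Render entries in the same line shape as the CLI listcerts output."""
        return [f"host={k};  subject={v['subject']}" for k, v in self.pins.items()]

    def deletecert(self, host: str, port: int) -> bool:
        """Remove the pin for one host; returns False if there was none."""
        return self.pins.pop(f"{host}_{port}", None) is not None


def parse_listcerts(output: str) -> dict:
    """Parse 'host=<ip>_<port>;  subject=<dn>' lines into {host_port: subject}."""
    entries = {}
    for line in output.splitlines():
        line = line.strip()
        if not line.startswith("host="):
            continue  # skip the prompt/command echo and blank lines
        host_part, subject_part = line.split(";", 1)
        host_key = host_part[len("host="):].strip()
        entries[host_key] = subject_part.split("=", 1)[1].strip()
    return entries


def scenario() -> list:
    """First connect, DNA Center regenerates its CSR, operator deletes the pin, reconnect."""
    store = TofuStore()
    first = store.verify("10.0.0.5", 443, OLD_CERT, "CN = kong")      # pinned on first use
    after_csr = store.verify("10.0.0.5", 443, NEW_CERT, "CN = kong")  # mismatch, rejected
    store.deletecert("10.0.0.5", 443)                                 # stale pin removed
    repinned = store.verify("10.0.0.5", 443, NEW_CERT, "CN = kong")   # new cert pinned
    return [first, after_csr, repinned]


if __name__ == "__main__":
    print(scenario())                          # [True, False, True]
    print(parse_listcerts(SAMPLE_LISTCERTS))
```

The middle `False` is the integration failure this document describes: the subject is unchanged, but the pin is on the certificate bytes, so only removing the stale entry (the `deletecert` step) lets the new certificate be trusted on the next connection.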

View Certificate Validation List using CLI

Use the following command to view the certificate validation list:

ncs certvalidation tofu-certs listcerts

Example:

pi-system-184/admin# ncs certvalidation tofu-certs listcerts
host=xx.xxx.xxx.xxx_443;  subject=CN = kong 
host=yy.yyy.yyy.yyy_443;  subject=CN = kong

Delete Certificate using CLI

Use the following command to delete the certificate:

ncs certvalidation tofu-certs deletecert host <xx.xxx.xxx.xxx_443>

Example:

pi-system-184/admin# ncs certvalidation tofu-certs deletecert host xx.xxx.xxx.xxx_443

Verify Certificate using CLI

Use the following command to verify the new certificate:

ncs certvalidation tofu-certs listcerts

After you delete the old certificate and verify the list, reinitialize the Prime Infrastructure and DNA Center data migration to generate a new certificate. For more information, see Reinitialize Prime Infrastructure and DNA Center Data Migration.

View Certificate Validation List using User Interface

Use the following procedure to view the certificate validation list:

Procedure


Step 1

In Cisco Prime Infrastructure, choose Administration > Settings > Certificate > X509 Certificate Trust > Pinned TOFU Certificate.

Step 2

Select the Cisco DNA Center Server IP address from the certificate list and verify the Serial Number.


Delete Certificate using User Interface

Use the following procedure to delete the certificate:

Procedure


Step 1

In Cisco Prime Infrastructure, choose Administration > Settings > Certificate > X509 Certificate Trust > Pinned TOFU Certificate.

Step 2

Select the Cisco DNA Center Server IP address and click the cross icon to delete the certificate.


Reinitialize Prime Infrastructure and DNA Center Data Migration

Use this procedure to reinitialize Prime Infrastructure and DNA Center data migration to generate a new certificate and check server reachability.

Procedure


Step 1

From 3.10.1, click Prime Data Migration Tool in the Mega Menu page.

Or

Launch Prime Data Migration Tool from the Getting Started page: choose Settings > Getting Started > Prime Data Migration Tool, and then click Launch Prime Data Migration Tool to open the Prime Infrastructure - Prime Data Migration Tool page.

For 3.9 and 3.10, you can either:

Click Cisco DNA Center coexistence in the Mega Menu page.

or

Launch Cisco DNA Center coexistence from the Getting Started page: choose Settings > Getting Started > Cisco DNA Center coexistence, and then click Launch Cisco DNA Center coexistence to open the Prime Infrastructure - Cisco DNA Center Coexistence page.

For 3.8 and below:

Choose Administration > Settings > System Settings > General > Cisco DNA Center coexistence, and then click Launch Cisco DNA Center coexistence to open the Prime Infrastructure - Cisco DNA Center Coexistence page.

Step 2

Click Add Cisco DNA Center Server.

Step 3

Enter the following Cisco DNA Center server details:

  1. Server IP Address or Hostname

  2. Username

  3. Password

  4. Confirm Password

Step 4

Click Save to check server reachability.