Overview
This article provides an example of how to configure a custom certificate for HTTPS access when using Cisco ACI.
Wildcard certificates (such as *.cisco.com, which is used across multiple devices) and their associated private keys generated elsewhere are not supported on the APIC, because there is no way to input a private key or its password into the APIC. Exporting private keys for any certificate, including wildcard certificates, is also not supported.
You must download and install the public intermediate and root CA certificates before generating a Certificate Signing Request (CSR). Although a root CA Certificate is not technically required to generate a CSR, Cisco requires the root CA certificate before generating the CSR to prevent mismatches between the intended CA authority and the actual one used to sign the CSR. The APIC verifies that the certificate submitted is signed by the configured CA.
To use the same public and private keys for a renewed certificate generation, you must satisfy the following guidelines:
You must preserve the originating CSR as it contains the public key that pairs with the private key in the key ring.
The same CSR used for the originating certificate must be resubmitted for the renewed certificate if you want to re-use the public and private keys on the APIC.
Do not delete the original key ring when using the same public and private keys for the renewed certificate. Deleting the key ring will automatically delete the associated private key used with CSRs.
Multisite, VCPlugin, VRA and SCVMM are not supported for Certificate Based Authentication.
Only one SSL certificate is allowed per Cisco APIC cluster.
Certificate-based authentication must be disabled before downgrading from any release to release 4.0(1).
To terminate a certificate-based authentication session, the user must log out and then remove the CAC card.
CAUTION: PERFORM THIS TASK ONLY DURING A MAINTENANCE WINDOW AS THERE IS A POTENTIAL FOR DOWNTIME. The downtime affects access to the APIC cluster and switches from external users or systems and not the APIC to switch connectivity. The NGINX process on the switches will also be impacted but that will be only for external connectivity and not for the fabric data plane. Access to the APIC, configuration, management, troubleshooting and such will be impacted. Expect a restart of all web servers in the fabric during this operation.
Determine from which authority you will obtain the trusted certificate so that you can create the appropriate Certificate Authority.
Step 1  On the menu bar, choose .
Step 2  In the Navigation pane, choose Security.
Step 3  In the Work pane, choose .
Step 4  In the Create Certificate Authority dialog box, in the Name field, enter a name for the certificate authority.
Step 5  In the Certificate Chain field, copy the intermediate and root certificates for the certificate authority that will sign the Certificate Signing Request (CSR) for the Application Policy Infrastructure Controller (APIC).
Step 6  Click Submit.
Step 7  In the Navigation pane, choose .
Step 8  In the Work pane, choose .
Step 9  In the Create Key Ring dialog box, in the Name field, enter a name.
Step 10  In the Certificate field, do not add any content.
Step 11  In the Modulus field, click the radio button for the desired key strength.
Step 12  In the Certificate Authority field, from the drop-down list, choose the certificate authority that you created earlier. Click Submit.
Step 13  In the Navigation pane, choose .
Step 14  In the Work pane, choose .
Step 15  In the Subject field, enter the fully qualified domain name (FQDN) of the APIC.
Step 16  Fill in the remaining fields as appropriate.
Step 17  Click Submit.
Step 18  In the Navigation pane, choose .
Step 19  In the Work pane, in the Certificate field, paste the signed certificate that you received from the certificate authority.
Step 20  Click Submit.
Step 21  On the menu bar, choose .
Step 22  In the Navigation pane, choose .
Step 23  In the Work pane, in the Admin Key Ring drop-down list, choose the desired key ring.
Step 24  (Optional) For certificate-based authentication, in the Client Certificate TP drop-down list, choose the previously created Local User policy and click Enabled for Client Certificate Authentication state.
Step 25  Click Submit.
You must remain aware of the expiration date of the certificate and take action before it expires. To preserve the same key pair for the renewed certificate, you must preserve the CSR as it contains the public key that pairs with the private key in the key ring. Before the certificate expires, the same CSR must be resubmitted. Do not delete or create a new key ring as deleting the key ring will delete the private key stored internally on the APIC.
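Two of the points above can be checked locally before anything is pasted into the GUI: that the certificate the CA returns carries the public key of the preserved CSR (so the key ring's private key still pairs with it after a renewal), and that it chains to the intermediate and root bundle uploaded as the Certificate Authority, which is the check the APIC itself makes on submit. The following openssl script is an added example, not part of the Cisco document; it builds a throwaway root and intermediate CA with constructed names, and the file names it uses are assumptions.

```shell
#!/bin/sh
# Added example, not from the Cisco document: pre-flight checks on the certificate a CA returns,
# to run before pasting it into the key ring (Step 19) and again at renewal time to confirm it
# still pairs with the preserved CSR. All PKI material is constructed locally by make_demo_pki;
# the file names and demo subject names are assumptions.

# SHA-256 of the DER-encoded public key carried by a CSR.
csr_pubkey_hash() {
  openssl req -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256 | sed 's/.*= //'
}
# SHA-256 of the DER-encoded public key carried by a certificate.
cert_pubkey_hash() {
  openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256 | sed 's/.*= //'
}
# Succeeds only if the certificate carries the CSR's public key, i.e. the key ring's private key pairs with it.
cert_matches_csr() { [ "$(cert_pubkey_hash "$1")" = "$(csr_pubkey_hash "$2")" ]; }
# Succeeds only if the certificate chains to the intermediate+root bundle uploaded as the CA (Step 5);
# the APIC performs the equivalent signature check when the certificate is submitted.
cert_chains_to_ca() { openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; }
# Succeeds only if the certificate is still valid $2 days from now (use it to schedule the renewal).
cert_valid_beyond_days() { openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1; }

# Constructed demo PKI in directory $1: root CA -> intermediate CA -> APIC certificate, plus an
# unrelated CSR that stands in for a CSR regenerated after the key ring was deleted.
make_demo_pki() {
  d=$1; mkdir -p "$d"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > "$d/ca.ext"
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\n' > "$d/leaf.ext"
  for n in root inter apic other; do   # four fresh RSA key pairs, each with its CSR
    openssl req -newkey rsa:2048 -nodes -keyout "$d/$n.key" -out "$d/$n.csr" \
      -subj "/CN=demo-$n.example.com" 2>/dev/null
  done
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 3650 \
    -extfile "$d/ca.ext" -out "$d/root.crt" 2>/dev/null
  openssl x509 -req -in "$d/inter.csr" -CA "$d/root.crt" -CAkey "$d/root.key" -CAcreateserial \
    -days 1825 -extfile "$d/ca.ext" -out "$d/inter.crt" 2>/dev/null
  cat "$d/inter.crt" "$d/root.crt" > "$d/chain.pem"   # the bundle Step 5 asks you to paste
  openssl x509 -req -in "$d/apic.csr" -CA "$d/inter.crt" -CAkey "$d/inter.key" -CAcreateserial \
    -days 365 -extfile "$d/leaf.ext" -out "$d/apic.crt" 2>/dev/null
}

# Stand-alone run: build the demo PKI and report the three checks on the APIC certificate.
DEMO=$(mktemp -d)
make_demo_pki "$DEMO"
cert_chains_to_ca "$DEMO/apic.crt" "$DEMO/chain.pem" && echo "chain OK"       || echo "chain FAIL"
cert_matches_csr "$DEMO/apic.crt" "$DEMO/apic.csr"   && echo "key pair OK"    || echo "key pair FAIL"
cert_valid_beyond_days "$DEMO/apic.crt" 30           && echo "valid >30 days" || echo "expiring within 30 days"
```

Running cert_chains_to_ca against a bundle that holds only the root (without the intermediate) fails, which is the mismatch the guideline about uploading both certificates before generating the CSR is meant to prevent.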
To enable Certificate Based authentication: Example: