New and Changed Information

The following table provides an overview of the significant changes up to this current release. The table does not provide an exhaustive list of all changes or of the new features up to this release.

Table 1. New Features and Changed Behavior in Cisco APIC
Cisco APIC Release Version



Release 1.0(1e)


This article was written.


This article provides an example of how to configure a custom certificate for HTTPS access when using Cisco ACI.

Configuring Custom Certificate Guidelines

  • Wildcard certificates (such as *, which is used across multiple devices) and its associated private key generated elsewhere are not supported on the Cisco Application Policy Infrastructure Controller (APIC) as there is no support to input the private key or password in the Cisco APIC. Also, exporting private keys for any certificates, including wildcard certificates, is not supported.

  • You must download and install the public intermediate and root CA certificates before generating a Certificate Signing Request (CSR). Although a root CA Certificate is not technically required to generate a CSR, Cisco requires the root CA certificate before generating the CSR to prevent mismatches between the intended CA authority and the actual one used to sign the CSR. The Cisco APIC verifies that the certificate submitted is signed by the configured CA.

  • To use the same public and private keys for a renewed certificate generation, you must satisfy the following guidelines:

    • You must preserve the originating CSR as it contains the public key that pairs with the private key in the key ring.

    • The same CSR used for the originating certificate must be resubmitted for the renewed certificate if you want to re-use the public and private keys on the Cisco APIC.

    • Do not delete the original key ring when using the same public and private keys for the renewed certificate. Deleting the key ring will automatically delete the associated private key used with CSRs.

  • Cisco ACI Multi-Site, VCPlugin, VRA, and SCVMM are not supported for certificate-based authentication.

  • Only one certificate-based root can be active per pod.

  • You must disable certificate-based authentication before downgrading to release 4.0(1) from any later release.

  • To terminate the certificate-based authentication session, you must log out and then remove the CAC card.

  • The custom certificate configured for the Cisco APIC will be deployed to the leaf and spine switches. If the URL or DN that is used to connect to the fabric node is within the Subject or Subject Alternative Name field, the fabric node will be covered under the certificate.

Configuring a Custom Certificate for Cisco ACI HTTPS Access Using the GUI

CAUTION: PERFORM THIS TASK ONLY DURING A MAINTENANCE WINDOW AS THERE IS A POTENTIAL FOR DOWNTIME. The downtime affects access to the APIC cluster and switches from external users or systems and not the APIC to switch connectivity. The NGINX process on the switches will also be impacted but that will be only for external connectivity and not for the fabric data plane. Access to the APIC, configuration, management, troubleshooting and such will be impacted. Expect a restart of all web servers in the fabric during this operation.

Before you begin

Determine from which authority you will obtain the trusted certification so that you can create the appropriate Certificate Authority.


Step 1

On the menu bar, choose Admin > AAA.

Step 2

In the Navigation pane, choose Security.

Step 3

In the Work pane, choose Public Key Management > Certificate Authorities > Create Certificate Authority.

Step 4

In the Create Certificate Authority dialog box, in the Name field, enter a name for the certificate authority.

Step 5

In the Certificate Chain field, copy the intermediate and root certificates for the certificate authority that will sign the Certificate Signing Request (CSR) for the Application Policy Infrastructure Controller (APIC).

The certificate should be in Base64 encoded X.509 (CER) format. The intermediate certificate is placed before the root CA certificate. It should look similar to the following example:
<Intermediate Certificate>
<Root CA Certificate>
Step 6

Click Submit.

Step 7

In the Navigation pane, choose Public Key Management > Key Rings.

Step 8

In the Work pane, choose Actions > Create Key Ring.

Step 9

In the Create Key Ring dialog box, in the Name field, enter a name.

Step 10

In the Certificate field, do not add any content.

Step 11

In the Modulus field, click the radio button for the desired key strength.

Step 12

In the Certificate Authority field, from the drop-down list, choose the certificate authority that you created earlier. Click Submit.


Do not delete the key ring. Deleting the key ring will automatically delete the associated private key used with CSRs.

In the Work pane, in the Key Rings area, the Admin State for the key ring created displays Started.
Step 13

In the Navigation pane, choose Public Key Management > Key Rings > key_ring_name.

Step 14

In the Work pane, choose Actions > Create Certificate Request.

Step 15

In the Subject field, enter the fully qualified domain name (FQDN) of the APIC.

Step 16

Fill in the remaining fields as appropriate.


Check the online help information available in the Create Certificate Request dialog box for a description of the available parameters.

Step 17

Click Submit.

The object is created and displayed in the Navigation pane under the key ring you created earlier. In the Navigation pane, click the object and in the Work pane, in the Properties area, in the Request field the CSR is displayed. Copy the contents from the field to submit to the Certificate Authority for signing.
Step 18

In the Navigation pane, choose Public Key Management > Key Rings > key_ring_name.

Step 19

In the Work pane, in the Certificate field, paste the signed certificate that you received from the certificate authority.

Step 20

Click Submit.


If the CSR was not signed by the Certificate Authority indicated in the key ring, or if the certificate has MS-DOS line endings, an error message is displayed and the certificate is not accepted. Remove the MS-DOS line endings.

The key is verified, and in the Work pane, the Admin State changes to Completed and is now ready for use in the HTTP policy.
Step 21

On the menu bar, choose Fabric > Fabric Policies.

Step 22

In the Navigation pane, choose Pod Policies > Policies > Management Access > default.

Step 23

In the Work pane, in the Admin Key Ring drop-down list, choose the desired key ring.

Step 24

(Optional) For Certificate based authentication, in the Client Certificate TP drop-down list, choose the previously created Local User policy and click Enabled for Client Certificate Authentication state.

Step 25

Click Submit.

All web servers restart. The certificate is activated, and the non-default key ring is associated with HTTPS access.

What to do next

You must remain aware of the expiration date of the certificate and take action before it expires. To preserve the same key pair for the renewed certificate, you must preserve the CSR as it contains the public key that pairs with the private key in the key ring. Before the certificate expires, the same CSR must be resubmitted. Do not delete or create a new key ring as deleting the key ring will delete the private key stored internally on the APIC.