...

  • Generate another self-signed certificate with the correct hostname and save it to the certificate store of your browser.

  • Request a CA-signed certificate with the correct hostname and load it on the NIOS appliance. For more information, see Generating Certificate Signing Requests below.

  • When you receive the certificate from the CA, upload it to the appliance. Additionally, you can upload a certificate along with the private key, as described in Uploading HTTPS Certificates below.

  • Download the certificate from a trusted CA, as described in Downloading Certificates.

Generating Self-Signed Certificates

You can replace the default certificate with a self-signed certificate that you generate. When you generate a self-signed certificate, you can specify the correct hostname, change the public/private key size, enter valid dates, and specify additional information specific to the NIOS appliance. If you have multiple appliances, you can generate a certificate for each appliance with the appropriate hostname. You can generate a self-signed certificate using the SHA-256 (SHA-2) hash algorithm.

...

  1. Grid: From the Grid tab, select the Grid Manager tab -> Members tab -> member checkbox, and then click Certificates -> HTTPS Cert -> Create Signing Request from the Toolbar.

  2. In the Create Certificate Signing Request dialog box, enter the following:

    • Secure Hash Algorithm and KeySize: You can select one of the following: SHA-256 (SHA-2) with an RSA key size of 2048 or 4096, SHA-384 with an RSA key size of 2048 or 4096, or SHA-512 with an RSA key size of 2048 or 4096. The default value is SHA-256 2048.

    • Common Name: Specify the domain name of the NIOS appliance. You can enter the FQDN of the appliance.

    • Organization: Enter the name of your company.

    • Organizational Unit: Enter the name of your department.

    • Locality: Enter a location, such as a city or town of your company.

    • State or Province: Enter the state or province.

    • Country Code: Enter the two-letter code that identifies the country, such as US.

    • Admin E-mail Address: Enter the email address of the appliance administrator.

    • Comment: Enter information about the certificate.

    • Subject Alternative Name: You can specify Subject Alternative Names (SAN) in order to secure additional hostnames across different domains or subdomains. You can add the following entry types to be included as a SAN extension in the CSR (Certificate Signing Request): DNS, Email, IP Address, and URI. Click the Add icon and Grid Manager adds a row to the table. Click the row, select the entry type from the drop-down list, and then enter the value for the SAN entry. You can add up to 30 entries. To remove an entry from the list, select the SAN entry, and then click the Delete icon.

  3. Click OK.

Uploading HTTPS Certificates

When you receive the certificate from the CA and import it to the appliance, the NIOS appliance finds the matching CSR, takes the private key associated with that CSR, and associates it with the newly imported certificate. The appliance then automatically deletes the CSR.

...

If the CA sends an intermediate certificate that must be installed along with the server certificate, you can upload both certificates to the appliance. The appliance supports the use of intermediate certificates to complete the chain of trust from the server certificate to a trusted root CA. This eliminates the intermediate-certificate security warnings that appear when you open a web browser and try to connect to an Infoblox appliance. For instructions on uploading a CA certificate, see Uploading CA Certificates below.
To import an HTTPS certificate:

...

  The appliance imports the certificate and logs you out. When you log in to the appliance again, it uses the certificate you imported.

Downloading HTTPS Certificates

You can download the current certificate or a self-signed certificate, as described in Generating a Client Certificate below.

To download a certificate:

...

You can generate client certificates for a Grid Master or a Grid Master candidate, and then send them to another server, such as a Hardware Security Module (HSM).

Generating a Client Certificate

To generate a client certificate:

...

If the CA sends an intermediate certificate that must be installed along with the server certificate, you can upload both certificates to the appliance. The appliance supports the use of intermediate certificates to complete the chain of trust from the server certificate to a trusted root CA. This eliminates the intermediate-certificate security warnings that appear when you open a web browser and try to connect to an Infoblox appliance.
When you configure two-factor authentication for smart card users, ensure that you upload the required CA certificates before you enable the certificate authentication service. For information about two-factor authentication and how to configure it, see Defining the Authentication Policy. Only superusers and limited-access users with the required permissions can manage CA certificates. For information about admin permissions, see Administrative Permissions for Certificate Authentication Services and CA Certificates.

Also, see About CA Certificates for CISCO APIC below.

Uploading CA Certificates

To upload a CA-signed certificate:

...

NIOS can upload only certificates that are in PEM format. A .PEM file can contain more than one certificate. For information about how to convert CA certificates to .PEM format, see Converting CA Certificates to PEM Format below.

Repeat the steps to add additional CA-signed certificates.

...

  • Mark the basicConstraints extension of CA certificates as critical.

  • CA certificates must explicitly include the keyUsage extension.

  • If you specify a pathlenConstraint value, you must allow the keyCertSign key usage.

  • Do not specify the pathlenConstraint value for non-CA certificates.

  • Do not leave the issuer name of any certificate blank.

  • Do not leave the subject name of CA certificates, certificates with keyUsage crlSign, and certificates without subjectAlternativeName blank.

  • If you specify a subjectAlternativeName extension, it must not be empty.

  • The signatureAlgorithm field and the certificate signature must be consistent.

  • Do not mark the authorityKeyIdentifier or the subjectKeyIdentifier extension as critical.

  • Specify the authorityKeyIdentifier for X.509v3 certificates unless they are self-signed.

  • Specify the subjectKeyIdentifier for all X.509v3 CA certificates.
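These requirements can be checked against a certificate file before it is uploaded. The script below is an added example, not Infoblox's code: it assumes the openssl CLI (1.1.1 or later) and one PEM certificate per file, and make_test_ca builds a constructed self-signed CA (invented CN) that satisfies every rule so the checker can be exercised offline.

```shell
#!/bin/sh
# Added example (not Infoblox code): report which of the CA-certificate rules
# listed above a PEM certificate violates. Assumes the openssl CLI (1.1.1+).
check_ca_cert() {
    txt=$(openssl x509 -in "$1" -noout -text) || return 2
    fail=0
    # basicConstraints must be present, marked critical, and assert CA:TRUE
    printf '%s\n' "$txt" | grep -A1 'Basic Constraints: critical' | grep -q 'CA:TRUE' \
        || { echo "FAIL: basicConstraints missing, not critical, or not CA:TRUE"; fail=1; }
    # keyUsage must be present explicitly
    printf '%s\n' "$txt" | grep -q 'X509v3 Key Usage' \
        || { echo "FAIL: keyUsage extension missing"; fail=1; }
    # a pathlenConstraint requires keyCertSign (printed by openssl as "Certificate Sign")
    if printf '%s\n' "$txt" | grep -q 'pathlen:'; then
        printf '%s\n' "$txt" | grep -A1 'X509v3 Key Usage' | grep -q 'Certificate Sign' \
            || { echo "FAIL: pathlen set but keyCertSign not allowed"; fail=1; }
    fi
    # CA certificates need a subjectKeyIdentifier; SKI and AKI must not be critical
    printf '%s\n' "$txt" | grep -q 'Subject Key Identifier' \
        || { echo "FAIL: subjectKeyIdentifier missing"; fail=1; }
    if printf '%s\n' "$txt" | grep -Eq '(Subject|Authority) Key Identifier: critical'; then
        echo "FAIL: subjectKeyIdentifier/authorityKeyIdentifier marked critical"; fail=1
    fi
    # neither the issuer nor the subject name may be blank
    for f in subject issuer; do
        v=$(openssl x509 -in "$1" -noout -"$f" | sed "s/^$f=//" | tr -d ' /')
        [ -n "$v" ] || { echo "FAIL: $f name is blank"; fail=1; }
    done
    return $fail
}

# Constructed self-signed test CA (CN and values invented) satisfying every rule;
# writes ca.cnf, ca.key and ca.pem into the directory given as $1.
make_test_ca() {
    cat > "$1/ca.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
[dn]
CN = Constructed Test CA
[v3_ca]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$1/ca.cnf" \
        -extensions v3_ca -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null
}
```

Run it as `check_ca_cert /path/to/ca.pem`; a zero exit status means no rule was violated, and each violation is printed as a FAIL line.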

About CA Certificates for Cisco ACI

Grid Manager accepts CA certificates and certificate chains, so you can upload both root and intermediate (one-file certificate chain) certificates. The following are recommendations and best practices for getting valid Cisco ACI certificates authenticated via Grid Manager.

...

  • Make sure that the CA marker is set to "True" in the CA certificate. You can check this with OpenSSL.

  • Make sure that the Subject (CN) of the APIC Key Ring certificate is a fully qualified domain name or a distinguished name of the requesting device.
    When NIOS tries to establish a connection to the APIC using SSL, it compares the APIC hostname value with the value specified in the APIC Key Ring certificate CN (common name). If they do not match, the certificate verification fails. If you want to specify something other than the FQDN, for example an IP address, for the APIC Key Ring certificate CN, include an additional Subject Alternative Name marker in the X509v3 extensions:

    X509v3 Subject Alternative Name:
        IP Address:ip-addr

    or

    X509v3 Subject Alternative Name:
        DNS:FQDN

    or both of them:

    X509v3 Subject Alternative Name:
        DNS:FQDN, IP Address:ip-addr

    where ip-addr is a valid IP address of the APIC device and FQDN is a valid fully qualified domain name.

  • Make sure to include the following markers in the APIC Key Ring certificate:

    X509v3 extensions:
        X509v3 Basic Constraints:
            CA:FALSE
        Netscape Cert Type:
            SSL Server
        ...
        X509v3 Key Usage: critical
            Digital Signature, Key Encipherment
        X509v3 Extended Key Usage:
            TLS Web Server Authentication

  • The certificate must be within its validity period (the notBefore and notAfter dates must be valid).

  • The time settings in Cisco ACI and NIOS must be valid and accurate.
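The markers above can be verified from the certificate file before NIOS attempts the connection. The script below is an added example, not Infoblox's or Cisco's code: it assumes the openssl CLI (1.1.1 or later) and takes the APIC hostname or IP address that NIOS is configured with; make_test_apic_cert builds a constructed server certificate with invented names (apic.example.com, 192.0.2.10).

```shell
#!/bin/sh
# Added example (not Infoblox/Cisco code): check an APIC Key Ring server certificate
# against the markers listed above and the name NIOS connects to. Assumes openssl 1.1.1+.
# Usage: check_apic_cert HOST-OR-IP CERT.pem
check_apic_cert() {
    host=$1; cert=$2; fail=0
    txt=$(openssl x509 -in "$cert" -noout -text) || return 2
    ext_has() {  # $1 = extension label, $2 = value expected on the following line
        printf '%s\n' "$txt" | grep -A1 "$1" | grep -q "$2"
    }
    ext_has 'Basic Constraints' 'CA:FALSE'    || { echo "FAIL: basicConstraints not CA:FALSE"; fail=1; }
    ext_has 'Netscape Cert Type' 'SSL Server' || { echo "FAIL: nsCertType is not SSL Server"; fail=1; }
    ext_has 'X509v3 Key Usage' 'Digital Signature' && ext_has 'X509v3 Key Usage' 'Key Encipherment' \
        || { echo "FAIL: keyUsage lacks Digital Signature + Key Encipherment"; fail=1; }
    ext_has 'Extended Key Usage' 'TLS Web Server Authentication' \
        || { echo "FAIL: extendedKeyUsage lacks TLS Web Server Authentication"; fail=1; }
    # an IP is only matched by a SAN IP entry; a hostname by a SAN DNS entry
    # (openssl falls back to the CN only when the certificate has no DNS SAN)
    case $host in
        *[!0-9.]*) out=$(openssl x509 -in "$cert" -noout -checkhost "$host") ;;
        *)         out=$(openssl x509 -in "$cert" -noout -checkip "$host") ;;
    esac
    printf '%s\n' "$out" | grep -q 'does match' \
        || { echo "FAIL: $host is not covered by the certificate CN/SAN"; fail=1; }
    # validity: -checkend 0 fails once the notAfter date has passed
    openssl x509 -in "$cert" -noout -checkend 0 >/dev/null \
        || { echo "FAIL: certificate has expired"; fail=1; }
    return $fail
}

# Constructed APIC-style server certificate (names and the documentation-range
# address 192.0.2.10 are invented), written to $1/apic.pem for offline testing.
make_test_apic_cert() {
    cat > "$1/apic.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
[dn]
CN = apic.example.com
[v3_srv]
basicConstraints = CA:FALSE
nsCertType = server
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:apic.example.com, IP:192.0.2.10
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$1/apic.cnf" \
        -extensions v3_srv -keyout "$1/apic.key" -out "$1/apic.pem" 2>/dev/null
}
```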

Converting CA Certificates to PEM Format

NIOS can only upload certificates that are in PEM format. PEM files are Base64 encoded ASCII files. You can use OpenSSL to convert other certificate formats, such as P7B and DER, into PEM format.
You can run OpenSSL on Linux and Windows systems. On Linux, OpenSSL is pre-installed. On Windows, you can install an OpenSSL distribution for Windows. For information about OpenSSL, visit its web site at http://www.openssl.org/.
To convert a P7B file to PEM format using OpenSSL:

...
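The conversion steps themselves are omitted from this page. The script below is an added example, not Infoblox's code: it assumes the openssl CLI and converts a P7B bundle (PEM or DER) or a single DER certificate into the PEM form NIOS accepts, reporting how many certificates were written; make_test_inputs builds constructed test files (invented CN).

```shell
#!/bin/sh
# Added example (not Infoblox code): convert a P7B (PKCS#7, PEM or DER) bundle or a
# DER certificate to PEM. Assumes the openssl CLI.
# Usage: to_pem INPUT OUTPUT; prints the number of certificates written to OUTPUT.
to_pem() {
    in=$1; out=$2
    # try PKCS#7 first (PEM, then DER); -print_certs emits every certificate in the bundle
    if openssl pkcs7 -in "$in" -inform PEM -print_certs -out "$out" 2>/dev/null \
       || openssl pkcs7 -in "$in" -inform DER -print_certs -out "$out" 2>/dev/null; then
        :
    # otherwise treat the input as a single DER-encoded X.509 certificate
    elif openssl x509 -in "$in" -inform DER -out "$out" 2>/dev/null; then
        :
    else
        echo "unrecognised format: $in" >&2; return 1
    fi
    n=$(grep -c 'BEGIN CERTIFICATE' "$out")
    [ "$n" -gt 0 ] || { echo "no certificate found in $in" >&2; return 1; }
    echo "$n"
}

# Constructed test inputs in $1: a self-signed certificate as DER (t.der) and the
# same certificate wrapped in a DER PKCS#7 bundle (t.p7b); all values invented.
make_test_inputs() {
    printf '[req]\nprompt = no\ndistinguished_name = dn\n[dn]\nCN = Constructed Test Cert\n' > "$1/t.cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$1/t.cnf" \
        -keyout "$1/t.key" -out "$1/t.pem" 2>/dev/null
    openssl x509 -in "$1/t.pem" -outform DER -out "$1/t.der"
    openssl crl2pkcs7 -nocrl -certfile "$1/t.pem" -outform DER -out "$1/t.p7b"
}
```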