
About CA Certificates for Cisco APIC

NetMRI accepts CA certificates and certificate chains, so you can upload either a Root CA certificate or a one-file chain containing Intermediate (and Root) CA certificates. The following recommendations and best practices describe how to get APIC certificates to validate over HTTPS in NetMRI.

For a Root CA certificate, ensure the following on the APIC side:

  1. You have selected the Root CA certificate as the default Certificate Authority.
  2. You have issued a Key Ring certificate request signed by this Certificate Authority.
  3. The APIC Key Ring certificate has been created.
  4. In the APIC GUI, select Fabric > Fabric Policies > Pod Policies > Policies > Management Access > default.
  5. Make sure that the Admin Key Ring and Oper Key Ring are set to the Key Ring created in step 3. You can now upload the Root CA certificate in the NetMRI security settings.

For an Intermediate CA certificate, ensure the following on the APIC side:

  1. You have selected the certificate chain as the default Certificate Authority. This certificate chain must include at least one Intermediate or Root CA certificate.
  2. You have issued a Key Ring certificate request signed by this Certificate Authority.
  3. The APIC Key Ring certificate has been created.
  4. In the APIC GUI, select Fabric > Fabric Policies > Pod Policies > Policies > Management Access > default.
  5. Make sure that the Admin Key Ring and Oper Key Ring are set to the Key Ring created in step 3. You can now upload the certificate chain in the NetMRI security settings.

Recommended best practices:

  • Make sure that the CA flag in the Basic Constraints extension of the CA certificate is set to TRUE (shown as CA:TRUE). You can check it with OpenSSL.
  • Make sure that the Subject (CN) of the APIC Key Ring certificate is the fully qualified domain name or a distinguished name of the requesting device.
    When NetMRI establishes an SSL connection to the APIC, it compares the configured APIC hostname with the CN (common name) in the APIC Key Ring certificate. If they do not match, certificate verification fails. If you want to use something other than an FQDN for the APIC Key Ring certificate CN, for example an IP address, include an additional Subject Alternative Name entry in the X509v3 extensions:

    X509v3 Subject Alternative Name:
        IP Address:ip-addr
    or
    X509v3 Subject Alternative Name:
        DNS:FQDN
    or both of them:
    X509v3 Subject Alternative Name:
        DNS:FQDN, IP Address:ip-addr
    where ip-addr is a valid IP address of the APIC device, and FQDN is a valid fully qualified domain name.

  • Make sure to include the following markers in the APIC Key Ring certificate:

    X509v3 extensions:
        X509v3 Basic Constraints:
            CA:FALSE
        Netscape Cert Type:
            SSL Server
        ...
        X509v3 Key Usage: critical
            Digital Signature, Key Encipherment
        X509v3 Extended Key Usage:
            TLS Web Server Authentication

  • The certificate must be within its validity period (the current date must fall between Not Before and Not After).
  • APIC and NetMRI time settings must be correct and synchronized, because the validity period is checked against the local clock.
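The following script is an added example, not part of this documentation or of NetMRI, showing how to verify the best practices above with the OpenSSL command line. It builds a throwaway Root CA and an APIC-style Key Ring certificate in a temporary directory (the hostname apic1.example.test and the address 192.0.2.10 are constructed placeholders), then checks the CA:TRUE flag, the CN/SAN match against the hostname and IP address, the Key Ring extension markers, the validity period and chain verification against the CA file. For the Intermediate CA case, the same checks apply with the one-file chain passed as the -CAfile.

```shell
#!/bin/sh
# Added example: exercise the NetMRI/APIC certificate best practices with OpenSSL.
# All names and addresses below are constructed for the demo.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
APIC_FQDN="apic1.example.test"   # assumed placeholder hostname
APIC_IP="192.0.2.10"             # documentation-range IP, constructed

# Build a Root CA (CA:TRUE) and a Key Ring certificate carrying the
# Basic Constraints, Netscape Cert Type, Key Usage, EKU and SAN markers.
make_test_pki() {
  cat > "$WORK/ca.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = ca_ext
prompt = no
[dn]
CN = Demo Root CA
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" -config "$WORK/ca.cnf" 2>/dev/null

  cat > "$WORK/srv.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = $APIC_FQDN
[srv_ext]
basicConstraints = CA:FALSE
nsCertType = server
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$APIC_FQDN, IP:$APIC_IP
EOF
  openssl req -new -newkey rsa:2048 -nodes \
    -keyout "$WORK/srv.key" -out "$WORK/srv.csr" -config "$WORK/srv.cnf" 2>/dev/null
  openssl x509 -req -in "$WORK/srv.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 365 -extfile "$WORK/srv.cnf" -extensions srv_ext \
    -out "$WORK/srv.pem" 2>/dev/null
}

# Check 1: the CA certificate must carry CA:TRUE in Basic Constraints.
ca_flag_is_true() {
  openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

# Check 2a: hostname match (SAN DNS entries first, CN as fallback).
host_matches() {   # $1 = cert, $2 = hostname NetMRI is configured with
  openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'
}

# Check 2b: IP match; an IP is only accepted from a SAN "IP Address" entry.
ip_matches() {     # $1 = cert, $2 = IP address
  openssl x509 -in "$1" -noout -checkip "$2" | grep -q 'does match'
}

# Check 3: Key Ring markers: CA:FALSE, Key Usage and TLS Web Server Authentication.
server_markers_ok() {
  t=$(openssl x509 -in "$1" -noout -text)
  printf '%s\n' "$t" | grep -q 'CA:FALSE' &&
  printf '%s\n' "$t" | grep -q 'Digital Signature, Key Encipherment' &&
  printf '%s\n' "$t" | grep -q 'TLS Web Server Authentication'
}

# Check 4: validity period; -checkend 0 fails if the cert is expired right now.
not_expired() {
  openssl x509 -in "$1" -noout -checkend 0 >/dev/null
}

# Check 5: chain verification against the uploaded CA file (root or chain).
chain_verifies() {   # $1 = Key Ring cert, $2 = CA file
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

make_test_pki

run_all_checks() {
  ca_flag_is_true "$WORK/ca.pem" &&
  host_matches "$WORK/srv.pem" "$APIC_FQDN" &&
  ip_matches "$WORK/srv.pem" "$APIC_IP" &&
  server_markers_ok "$WORK/srv.pem" &&
  not_expired "$WORK/srv.pem" &&
  chain_verifies "$WORK/srv.pem" "$WORK/ca.pem"
}

if run_all_checks; then
  echo "all APIC certificate checks passed"
else
  echo "at least one APIC certificate check failed"
fi
```

Point host_matches at the hostname NetMRI actually uses for the APIC: a name that is absent from both CN and SAN fails exactly as the page describes, and an IP address is only accepted when it appears as a SAN IP Address entry.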