
About CA Certificates


If the CA sends an intermediate certificate that must be installed along with the server certificate, you can upload both certificates to the appliance. The appliance supports the use of intermediate certificates to complete the chain of trust from the server certificate to a trusted root CA. This eliminates the certificate-chain security warnings that a web browser shows when you connect to an Infoblox appliance whose server certificate was issued by an intermediate CA.
When you configure two-factor authentication for smart card users, ensure that you upload the required CA certificates before you enable the certificate authentication service. For information about two-factor authentication and how to configure it, see Defining the Authentication Policy. Only superusers and limited-access users with the required permissions can manage CA certificates. For information about admin permissions, see Administrative Permissions for Certificate Authentication Services and CA Certificates.

Also, see About CA Certificates for Cisco ACI below.

Uploading CA Certificates

To upload a CA-signed certificate:

  1. Grid: From the Grid tab, select the Grid Manager tab.
    Member: From the Grid tab, select the Grid Manager tab -> Members tab -> member checkbox.

  2. Select Certificates -> Manage CA Certificates from the Toolbar.

  3. In the CA Certificates editor, click the Add icon.

  4. In the Upload dialog box, click Select and navigate to the certificate you want to upload.

  5. Select the file and click Upload.

Note

NIOS can only upload certificates that are in PEM format. A .PEM file can contain more than one certificate. For information about how to convert CA certificates to .PEM format, see Converting CA Certificates to PEM Format below.

Repeat the steps to add additional CA-signed certificates.

The CA Certificates dialog box displays the following information about the intermediate certificates:

  • Subject: The name of the certificate.

  • Issuer: The name of the trusted CA that issued the certificate.

  • Serial: The serial number of the certificate.

  • Valid: The validity period of the certificate.

  • Used by: Displays SSL/TLS when the CA certificate is not used for certificate authentication, or CAS when the CA certificate is associated with a certificate authentication service.

You can also do the following:

  • Select a certificate and click the Delete icon to delete it.

  • Print the data or export it in .csv format.

About CA Certificates for Cisco ACI

Grid Manager accepts CA certificates and certificate chains, so you can upload both root certificates and intermediate certificates (as a one-file certificate chain). The following are recommendations and best practices for getting valid Cisco ACI certificates authenticated through Grid Manager.

For a Root CA certificate, complete the following on the Cisco ACI side:

  1. Select the Root CA certificate as the default Certificate Authority.

  2. Issue a Key Ring certificate request signed by this Certificate Authority. Make sure that the APIC Key Ring certificate is created.

  3. In the Cisco ACI GUI, select Fabric -> Fabric Policies -> Pod Policies -> Policies -> Management Access -> default.

  4. Make sure that the Admin Key Ring and Oper Key Ring correspond to the one created in step 2.
    Now you can upload and select the Root CA certificate in Grid Manager.

For an Intermediate CA certificate, complete the following on the Cisco ACI side:

  1. Select the certificate chain as the default Certificate Authority. This certificate chain must include at least one Intermediate CA certificate and the Root CA certificate.

  2. Issue a Key Ring certificate request signed by this Certificate Authority. Make sure that the APIC Key Ring certificate is created.

  3. In the Cisco ACI GUI, select Fabric -> Fabric Policies -> Pod Policies -> Policies -> Management Access -> default.

  4. Make sure that the Admin Key Ring and Oper Key Ring correspond to the one created in step 2.
    Now you can upload and select the certificate chain in Grid Manager. If you are unable to select the whole chain in the CISCO APIC Configuration tab, choose the Intermediate certificate.

Recommended best practices:

  • Make sure that the CA marker is set to "True" (Basic Constraints: CA:TRUE) in the CA certificate. You can check it with OpenSSL.

  • Make sure that the Subject (CN) of the APIC Key Ring certificate is a fully qualified domain name or a distinguished name of the requesting device.
    When NIOS tries to establish a connection to the APIC using SSL, it compares the APIC hostname value with the value specified in the APIC Key Ring certificate CN (common name). If they do not match, the certificate verification fails. If you want to specify something other than the FQDN, for example an IP address, as the APIC Key Ring certificate CN, include an additional Subject Alternative Name marker in the X509v3 extensions:

    X509v3 Subject Alternative Name: 
    IP Address:[ip-addr]
    or
    X509v3 Subject Alternative Name: 
    DNS:FQDN
    or both of them
    X509v3 Subject Alternative Name: 
    DNS:FQDN, IP Address:ip-addr
    where ip-addr is a valid IP address of the APIC device, and FQDN is a valid fully qualified domain name.

  • Make sure to include the following markers in the APIC Key Ring certificate:

    X509v3 extensions:
    X509v3 Basic Constraints: 
    CA:FALSE
    Netscape Cert Type: 
    SSL Server
    ...
    X509v3 Key Usage: critical
    Digital Signature, Key Encipherment
    X509v3 Extended Key Usage: 
    TLS Web Server Authentication

  • The certificate must be within its validity period (not expired and not yet-to-become valid).

  • The time settings in Cisco ACI and NIOS must be valid and accurate.
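The checks in the list above can be run from the openssl command line that this page already relies on. The following script is an added example, not Infoblox or Cisco code: check_ca_cert verifies the CA marker on a CA certificate, check_apic_cert verifies the Key Ring certificate markers and the hostname/IP match that NIOS performs, and make_sample_cert produces a constructed self-signed test certificate (a real Key Ring certificate is issued by the ACI CA). The APIC name apic.example.com and the addresses used are assumed sample values.

```shell
#!/bin/sh
# Added example, not Infoblox or Cisco code: check the CA certificate and the APIC Key
# Ring certificate for the markers recommended above, using only the openssl CLI.

# check_ca_cert CA.pem -> 0 if the Basic Constraints CA marker is TRUE, 1 otherwise
check_ca_cert() {
    openssl x509 -in "$1" -noout -text | grep -A1 'X509v3 Basic Constraints' | grep -q 'CA:TRUE'
}

# check_apic_cert CERT.pem APIC_HOST -> 0 when every check passes; otherwise prints one
# "FAIL:" line per problem and returns 1. APIC_HOST is the name or IP NIOS connects to.
check_apic_cert() {
    cert=$1 host=$2 rc=0
    text=$(openssl x509 -in "$cert" -noout -text) || return 1
    fail() { echo "FAIL: $1"; rc=1; }
    ext() { printf '%s\n' "$text" | grep -A1 "$1" | tail -n 1 | sed 's/^ *//'; }  # value line

    # A Key Ring certificate is an end-entity certificate: its CA marker must be FALSE
    case "$(ext 'X509v3 Basic Constraints')" in *CA:FALSE*) ;; *) fail "basicConstraints is not CA:FALSE";; esac
    # Key Usage must cover both Digital Signature and Key Encipherment
    case "$(ext 'X509v3 Key Usage')" in *'Digital Signature'*'Key Encipherment'*) ;;
        *) fail "keyUsage lacks Digital Signature, Key Encipherment";; esac
    # Netscape Cert Type and Extended Key Usage must both allow TLS server use
    case "$(ext 'Netscape Cert Type')" in *'SSL Server'*) ;; *) fail "nsCertType is not SSL Server";; esac
    case "$(ext 'X509v3 Extended Key Usage')" in *'TLS Web Server Authentication'*) ;;
        *) fail "extendedKeyUsage lacks TLS Web Server Authentication";; esac
    # The host NIOS connects to must appear in the SAN as a DNS or IP Address entry,
    # or (an FQDN with no matching SAN entry) equal the Subject CN
    san=", $(ext 'X509v3 Subject Alternative Name'),"
    cn=$(openssl x509 -in "$cert" -noout -subject -nameopt RFC2253 | sed 's/.*CN=\([^,]*\).*/\1/')
    case "$san" in *", DNS:$host,"*|*", IP Address:$host,"*) ;;
        *) [ "$cn" = "$host" ] || fail "neither SAN nor CN matches $host";; esac
    # Validity: -checkend 0 fails once notAfter has passed (notBefore is not checked here)
    openssl x509 -in "$cert" -noout -checkend 0 >/dev/null || fail "certificate has expired"
    return $rc
}

# make_sample_cert OUT.pem CN SAN -> self-signed certificate carrying the recommended
# markers. Constructed test input only; a real Key Ring certificate is issued by the ACI CA.
make_sample_cert() {
    cfg=$(mktemp)
    printf '[req]\nprompt=no\ndistinguished_name=dn\n[dn]\nCN=%s\n[ext]\n' "$2" >"$cfg"
    printf 'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature,keyEncipherment\n' >>"$cfg"
    printf 'nsCertType=server\nextendedKeyUsage=serverAuth\nsubjectAltName=%s\n' "$3" >>"$cfg"
    openssl req -new -newkey rsa:2048 -nodes -config "$cfg" -keyout "$1.key" -out "$1.csr" 2>/dev/null
    openssl x509 -req -in "$1.csr" -signkey "$1.key" -days 30 -extfile "$cfg" -extensions ext \
        -out "$1" 2>/dev/null
    rm -f "$cfg" "$1.csr"
}
```

Source the file, then run for example `make_sample_cert /tmp/apic.pem apic.example.com 'DNS:apic.example.com,IP:192.0.2.10'` followed by `check_apic_cert /tmp/apic.pem apic.example.com`; point check_apic_cert at the exported Key Ring certificate and the APIC address configured in NIOS to audit a real deployment.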

Converting CA Certificates to PEM Format

NIOS can only upload certificates that are in PEM format. PEM files are Base64-encoded ASCII files. You can use OpenSSL to convert other certificate formats, such as P7B and DER, into PEM format.
You can run OpenSSL on Linux and Windows systems. On Linux, OpenSSL is pre-installed. On Windows, you can install an OpenSSL distribution for Windows manually. For information about OpenSSL, visit its web site at http://www.openssl.org/ .
To convert a P7B file to PEM format using OpenSSL:

  1. Download and unzip the CA certificate file in P7B format.

  2. Navigate to the directory where you unzipped the CA certificate file.

  3. Identify the PKCS7 directory.

  4. Use the following OpenSSL command to convert the P7B file to PEM format:
    $ openssl pkcs7 -in xxxx.p7b -print_certs -out yyyy.pem
    where xxxx is the name of the P7B file and yyyy is the name of the converted PEM file.

To convert a DER file to PEM format using OpenSSL:

  1. Download and unzip the CA certificate file in DER format.

  2. Navigate to the directory where you unzipped the CA certificate file.

  3. Use the following OpenSSL command to convert the DER file to PEM format:
    $ openssl x509 -inform DER -outform PEM -in xxxx.cer -out yyyy.pem
    where xxxx is the name of the DER file and yyyy is the name of the converted PEM file.  
