End entity certificates chained to an intermediate certificate represent the highest possible security solution for Certification Authorities and therefore their customers. There exists a very small possibility, consistent amongst all certification authorities, that the certificate used to sign end entity certificates could be compromised. The signing process itself mandates that the signing certificate must be accessible in order to perform the signing operation. In the case of an intermediate certificate, the corresponding root certificate is secured/locked away, eliminating the possibility of it being compromised by daily signing processes. End entity certificates directly signed by root certificates (i.e. no intermediate protection) provide no recourse should the root certificate itself become compromised. If an Intermediate were to be compromised then new intermediates could be created and new end entity certificates could be issued.
Once a root itself is compromised there is no solution or replacement strategy. It is therefore considered industry best practice to use intermediate certificates.
Courtesy: WhichSSL
Now, coming to the ACE: we need to configure the certificate chain group to hold all the root certificates. If one of the root certificates is missing from the chain group, the end user will get a certificate warning.
So it is compulsory to configure the chain group with all the root certificates associated with the intermediate certificate.
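The effect of an incomplete chain can be reproduced off-box with `openssl`. This is an added example, not part of the original post and not ACE configuration. It builds a constructed root, intermediate and leaf (all names are made up), then checks the leaf as a client that trusts only the root would, with the `-untrusted` file standing in for whatever the chain group sends.

```shell
#!/bin/sh
# Constructed lab PKI (root -> intermediate -> leaf); every name here is made up.
set -e
PKI_DIR=$(mktemp -d)

new_csr() {  # $1 = file prefix, $2 = common name
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null
}

build_pki() (
  cd "$PKI_DIR"
  # Extensions that mark a certificate as a CA allowed to sign others.
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
  new_csr root "Lab Root CA"
  openssl x509 -req -in root.csr -signkey root.key -extfile ca.ext \
    -days 30 -out root.pem 2>/dev/null
  new_csr int "Lab Issuing CA"
  openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -extfile ca.ext -days 30 -out int.pem 2>/dev/null
  new_csr leaf "www.example.test"
  openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial \
    -days 30 -out leaf.pem 2>/dev/null
)

# What a client that trusts only the root concludes about the leaf.
# $1 (optional) = PEM file of chain certificates sent alongside the leaf.
client_result() (
  cd "$PKI_DIR"
  if openssl verify -CAfile root.pem ${1:+-untrusted "$1"} leaf.pem 2>/dev/null |
       grep -q ': OK$'; then
    echo trusted
  else
    echo warning
  fi
)

build_pki
echo "no chain sent:          $(client_result)"
echo "root only in chain:     $(client_result root.pem)"
echo "intermediate in chain:  $(client_result int.pem)"
```

Only the last case verifies: the client cannot link the leaf to its trusted root unless the certificate that actually signed the leaf is sent with it.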