Wanted to know what the preferred or Cisco-accepted way is to install / configure multi-tier certificates on the SSL module. When reading the config guide, it discusses in detail how to handle a single-tier cert (i.e. just a root CA cert); however, there is no real example of handling multi-tier certs (i.e. a root CA cert plus an intermediate cert).
As an example, we've always installed a multi-tier cert the following way:
! Setup the main trustpoint, which contains the subject name
! (the body of this stanza was not shown in the original post; the
!  settings other than subject-name are assumed)
crypto pki trustpoint DIRECTORY
 enrollment terminal pem
 subject-name <subject name>
 revocation-check none
!
! Setup a trustpoint for the Root certificate
crypto pki trustpoint DIRECTORY-Root
 enrollment terminal pem
 revocation-check none
 crl optional
!
! Setup a trustpoint for the Intermediate certificate
crypto pki trustpoint DIRECTORY-Intermediate
 enrollment terminal
 revocation-check none
 crl optional
!
! Enroll the trustpoint DIRECTORY to generate the CSR (displayed on the terminal)
crypto pki enroll DIRECTORY
! Obtain the signed cert from the CA (Thawte)
!
! Authenticate DIRECTORY-Intermediate using the intermediate cert
crypto pki authenticate DIRECTORY-Intermediate
<paste intermediate cert>
! Authenticate DIRECTORY-Root using the root cert
! (trustpoint name corrected to match the stanza defined above)
crypto pki authenticate DIRECTORY-Root
<paste root cert>
! Authenticate DIRECTORY using the root cert
crypto pki authenticate DIRECTORY
<paste root cert>
! Import the signed cert against DIRECTORY
crypto pki import DIRECTORY cert
<paste signed cert>
This has always worked fine, until recently we noticed on one of our SSL modules that we get the following error when authenticating the intermediate cert against DIRECTORY-Intermediate:
Trustpoint 'DIRECTORY-Intermediate' is a subordinate CA. Authentication failed - could not validate certificate
% Error in saving certificate: status = FAIL
Hence I can't continue to install the rest of the chain. I am going to chase this up via TAC; however, I wanted to post this here just to find out whether anything immediately sticks out to people, as far as the procedure we follow or anything else.
"Example of Importing PEM Files for Three Levels of Certificate Authority" does cover the multiple-CA installation, but when I followed this, I did the root CA installation and the cert got authenticated. I created a trustpoint for the first intermediate CA and then tried authenticating it; it threw me an error saying this:
Trustpoint 'XXXXXXXX' is a subordinate CA. Authentication failed - could not validate certificate
% Error in saving certificate: status = FAIL
I have masked the trustpoint name with XXX.
I still don't understand how to authenticate the CAs, including the root.
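Both posts above stop at the same message: the router says the trustpoint holds a subordinate CA certificate and that it could not validate that certificate. The one thing you can check without the router, before pasting anything, is whether the PEM files you hold actually form the chain you think they do: which file is the self-signed root, which is the intermediate, and whether the intermediate validates against that root and the signed identity cert validates through the intermediate. The script below is an added example and is not from either poster or from Cisco; it generates a throwaway root / intermediate / identity chain with openssl (constructed test data standing in for the Thawte chain) and then runs exactly those checks, including the negative case of an intermediate presented with no trusted root. The file names, the Demo Root CA / Demo Intermediate CA / ssl.example.test names and the helper function names are assumptions for the demo; point the helper functions at your own PEM files to check a real chain.

```shell
#!/bin/sh
# Offline pre-flight check of a multi-tier certificate chain before it is pasted
# into IOS trustpoints. Added example, not from the posts above: the three
# certificates are generated here as throwaway test data standing in for the
# CA root, the intermediate and the SSL module's signed identity certificate.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Extension profiles for the demo CA levels and the end-entity certificate.
cat > "$WORK/ca.ext" <<'EOF'
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
cat > "$WORK/leaf.ext" <<'EOF'
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF

# One CSR per level; the root self-signs, each lower level is signed by the
# level above it (demo names, not a real CA).
for name in root inter leaf; do
  case $name in
    root)  cn="Demo Root CA" ;;
    inter) cn="Demo Intermediate CA" ;;
    leaf)  cn="ssl.example.test" ;;
  esac
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$cn" \
    -keyout "$WORK/$name.key" -out "$WORK/$name.csr" 2>/dev/null
done
openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 30 -sha256 \
  -extfile "$WORK/ca.ext" -out "$WORK/root.pem" 2>/dev/null
openssl x509 -req -in "$WORK/inter.csr" -days 30 -sha256 \
  -CA "$WORK/root.pem" -CAkey "$WORK/root.key" -CAcreateserial \
  -extfile "$WORK/ca.ext" -out "$WORK/inter.pem" 2>/dev/null
openssl x509 -req -in "$WORK/leaf.csr" -days 30 -sha256 \
  -CA "$WORK/inter.pem" -CAkey "$WORK/inter.key" -CAcreateserial \
  -extfile "$WORK/leaf.ext" -out "$WORK/leaf.pem" 2>/dev/null

# Subject / issuer in RFC 2253 form so the two can be compared as strings.
cert_subject() { openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'; }
cert_issuer()  { openssl x509 -in "$1" -noout -issuer  -nameopt RFC2253 | sed 's/^issuer= *//'; }

# Role of a certificate in the chain:
#   root         - CA:TRUE and self-issued (subject equals issuer)
#   intermediate - CA:TRUE but issued by a different name (a subordinate CA)
#   identity     - not a CA (the module's own signed certificate)
cert_role() {
  if openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'; then
    if [ "$(cert_subject "$1")" = "$(cert_issuer "$1")" ]; then echo root; else echo intermediate; fi
  else
    echo identity
  fi
}

# validates CERT [TRUSTED_ROOT [UNTRUSTED_INTERMEDIATE]]
# Exit 0 if CERT validates using only the trust anchor given on the command
# line (system trust store disabled), which mirrors a router that can only
# validate a certificate against what it has already been told to trust.
validates() {
  cert=$1; root=${2:-}; inter=${3:-}
  set -- -no-CAfile -no-CApath
  [ -n "$root" ]  && set -- "$@" -CAfile "$root"
  [ -n "$inter" ] && set -- "$@" -untrusted "$inter"
  openssl verify "$@" "$cert" >/dev/null 2>&1
}

# Report which file plays which role.
for name in root inter leaf; do
  printf '%-10s %-13s subject=%s\n' "$name.pem" "$(cert_role "$WORK/$name.pem")" "$(cert_subject "$WORK/$name.pem")"
done

# The subordinate CA certificate on its own (no trusted root) does not
# validate; with the root trusted it does; the identity cert needs both.
for check in "inter.pem alone|$WORK/inter.pem" \
             "inter.pem with root trusted|$WORK/inter.pem $WORK/root.pem" \
             "leaf.pem with root only|$WORK/leaf.pem $WORK/root.pem" \
             "leaf.pem via intermediate to root|$WORK/leaf.pem $WORK/root.pem $WORK/inter.pem"; do
  label=${check%%|*}; args=${check#*|}
  # shellcheck disable=SC2086  # args is a space-separated list of paths
  if validates $args; then echo "$label: validates"; else echo "$label: does NOT validate"; fi
done
```

If your real intermediate does not validate against the root file you intend to paste into the root trustpoint, the two files are not a chain (wrong root, cross-signed intermediate, or a different generation of the CA), and no ordering of trustpoint commands on the router will change that; if it does validate offline, the files are fine and the problem is on the router side.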