IP-based certificate subjects supported in Network Assistant?

We have an internal certificate authority and I can make my switches use it for managing them via HTTPS (ip http secure-server) in both a regular browser and in Cisco Network Assistant.  I want CNA to work with our switches without certificate errors or warnings, so we're not conditioned to "always trust" untrusted https servers and trust some non-company server by mistake.

I can create and sign certificates generated by switches running IOS 12.2(55) and later.  When visited with a browser that has the internal CA certificate trusted, I can browse switches without certificate warnings or errors.  In Cisco Network Assistant, this is almost true, with only the CA certificate not trusted.  I can fix that by editing the database of trusted CA certs (packages / runtime-1.42 / security / cacerts); there are a few tools available for managing Java-based certificate databases.

The only remaining snag is when I try to build a community in CNA, CNA insists on connecting by IP address instead of by host name.  This is fine; the CA certificate server I use supports subject alternative names and my CA-trusting browser will accept all of these as valid:


CNA will accept the first two examples ( and switch) but not the IP address.  It will complain that the host name does not match the certificate.

I know some hostname resolvers like to use different punctuation for IP-based browsing. Some prefer putting IPs in brackets and will resolve [] instead of, for instance.  I tried adding both of these to the list of subject alternative names, without CNA accepting them. Is there a magic format that CNA uses that I can make a matching subject alternative name for?

A little searching revealed that Java https clients dislike IP-based URLs. Then how about building a community using hostnames instead of IP addresses?  I can't seem to do this; CNA will obtain the IPs and use those, and subsequently complain about every switch's certificate.

I haven't had this problem personally but wonder if it would help to create a local hosts file for the devices in question. It's worth a try.

Hope this helps....

DNS isn't a problem as I have our DNS servers reporting the correct IP addresses for those host names, and I have reverse DNS set up for the IPs.

I did find this:

This says I shouldn't create a subject alternative name entry of "dns=" but rather one of "ipaddress=". I did this, and the certificate's subject alternative names did come up:


DNS Name=switch
DNS Name=
IP Address=

The IP Address attribute is new. Again, my browser deals with it OK but CNA does not, complaining the host name does not match.

Perhaps there's a different attribute I need to add besides the san= attribute when I sign the switch's certificate request? The CA server is Windows Server 2003 R2 running Certificate Services.
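For reference, here is how a standards-following HTTPS client (RFC 2818, later tightened by RFC 6125) decides whether the SAN entries listed above cover a given target. This is an added example, not code from the original post, and it does not model what CNA's own verifier does; the host names and addresses in it are made up. The points it illustrates are the ones the poster ran into: an IP target is compared only against "IP Address" (iPAddress) entries, never against a "DNS Name" entry that merely spells out an IP, brackets around an IP literal in a URL are stripped before comparison (so a SAN of the form "[ip]" can never match), and an IP address that appears in the subject CN does not help either. The certificate dictionaries use the shape Python's `ssl.SSLSocket.getpeercert()` returns.

```python
import ipaddress

# Constructed sample certificates (assumed names and addresses, not values from the post).
# SWITCH_CERT mirrors the final SAN list in the thread: two DNS names plus an IP Address entry.
SWITCH_CERT = {
    "subject": ((("commonName", "switch"),),),
    "subjectAltName": (
        ("DNS", "switch"),
        ("DNS", "switch.example.internal"),
        ("IP Address", "10.0.0.1"),
        ("IP Address", "2001:db8::1"),
    ),
}

# DNS_ONLY_CERT mirrors the poster's first attempt: the IP was added as a dns= entry.
DNS_ONLY_CERT = {
    "subject": ((("commonName", "10.0.0.1"),),),
    "subjectAltName": (
        ("DNS", "switch"),
        ("DNS", "10.0.0.1"),
        ("DNS", "[10.0.0.1]"),
    ),
}


def _dns_match(pattern, hostname):
    """RFC 6125 dNSName match: case-insensitive, trailing dot ignored,
    a wildcard is allowed only as the entire left-most label and must
    leave at least two further labels (so '*.internal' is rejected)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def match_hostname(cert, target):
    """Return the certificate identifier that covers `target`, or None.

    `target` is the host part of the URL as typed: a DNS name, an IPv4
    literal, or an IPv6 literal in brackets. Brackets are URL syntax and are
    removed before comparison; they never appear in a SAN value."""
    host = target.strip()
    if host.startswith("[") and host.endswith("]"):
        host = host[1:-1]

    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None

    san = cert.get("subjectAltName", ())

    if ip is not None:
        # An IP target is matched only against iPAddress entries, compared as
        # parsed addresses (so IPv6 spelling differences do not matter).
        # DNS entries and the subject CN are ignored for IP targets.
        for kind, value in san:
            if kind != "IP Address":
                continue
            try:
                if ipaddress.ip_address(value) == ip:
                    return (kind, value)
            except ValueError:
                continue
        return None

    dns_ids = [(kind, value) for kind, value in san if kind == "DNS"]
    for kind, value in dns_ids:
        if _dns_match(value, host):
            return (kind, value)

    if not dns_ids:
        # Only when the certificate carries no dNSName at all does the
        # subject CN count as a fallback identifier (RFC 6125 section 6.4.4).
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName" and _dns_match(value, host):
                    return ("commonName", value)
    return None


if __name__ == "__main__":
    for target in ("switch", "switch.example.internal", "10.0.0.1", "[10.0.0.1]", "[2001:DB8::1]"):
        print(f"{target!r:28} IP SAN cert -> {match_hostname(SWITCH_CERT, target)}")
        print(f"{target!r:28} DNS-only cert -> {match_hostname(DNS_ONLY_CERT, target)}")
```

Running the block prints one line per target for each certificate; the IP targets are covered only by the certificate that carries a real IP Address entry, and the DNS-only certificate fails for them even though "10.0.0.1" appears in both its SAN list and its CN. A client that still reports a name mismatch against a certificate like SWITCH_CERT is applying its own rules rather than these.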

