Custom SSL Certificates in ACI

In this tutorial we will be going over the process for generating and installing custom SSL certificates for use in your ACI fabric.

Prerequisites:
* Fabric discovery completed
* Have all Certificate Authority servers configured for certificate generation
* Verify that the time on your APICs is current and correct. If the time of your APICs falls outside the validity period of your custom SSL certificate, certificate installation will fail

My other tutorial NTP Configuration in ACI will assist you with the necessary ACI NTP configuration to make sure that your APICs and fabric switch clocks are synced correctly

My Setup:
* ACI fabric running 3.1(2m)
* 3 CAs (1 root and 2 subordinate) running Windows Server 2008 R2

Topics:
* Creating the ACI Certificate Authority
* Creating the ACI Key Ring
* Creating the ACI Certificate Request
* Applying the Certificate Across the Fabric


Creating the ACI Certificate Authority:

The first step in configuring a custom SSL certificate is to create a certificate authority in ACI. To create the ACI CA navigate to the following APIC web GUI path:
Admin -> AAA -> Public Key Management -> Certificate Authorities
Screen Shot 2018-06-01 at 1.02.51 PM.png

Right click Certificate Authorities and select Create Certificate Authority
Screen Shot 2018-05-29 at 1.22.42 PM.png

This is where we define the entire certificate chain. The certificate chain consists of all the certificates in the path all the way from the subordinate CA to the root CA. My certificate chain is as follows:
-ROOT-CA
—-INTER-CA-1
——–INTER-CA-2

Screen Shot 2018-05-31 at 2.57.07 PM.png

You can see above that I have a single root CA and multiple subordinate CAs. The top of our certificate chain will be ROOT-CA followed by INTER-CA-1, and then finally INTER-CA-2

If you are running a Windows Server you can obtain the entire certificate chain by going to the following URL in a web browser on the CA which is at the bottom of the certificate chain (in our case INTER-CA-2).

http://localhost/certsrv/certcarc.asp

If navigating to the above URL on the CA server does not work, make sure you have the Certification Authority Web Enrollment role installed:
Screen Shot 2018-05-29 at 1.35.26 PM.png

Select Base 64 as the Encoding method. And select Download CA certificate. You DO NOT want to select Download CA certificate chain. Doing so will compress all CA certificates into a single chain, which ACI will not accept.

You can extract the Base 64 certificate from the file you just saved just by opening the file in Notepad or another text editor. This certificate body will only be for the CA we downloaded the certificate from (in our case INTER-CA-2).

In order to extract the certificates from the other subordinate and root CA we need to double click the just saved certificate file and click on the Certification Path tab:
Screen Shot 2018-05-29 at 1.45.13 PM.png

From here we can see the entire tree of CAs. To extract the certificate of another CA, select it from the Certification Path list, and select View Certificate.
Screen Shot 2018-05-31 at 6.13.17 PM.png

After selecting View Certificate, a new window will open for that certificate. Select the Details tab, and select Copy to File:
Screen Shot 2018-05-29 at 1.48.39 PM.png

You will go through a Certificate Export Wizard. Make sure to select Base-64 encoding:
Screen Shot 2018-05-29 at 1.50.53 PM.png

Save the file, and continue exporting the remaining CAs. After all the CA certificates have been exported, open them each with Notepad or another text editor and copy each of the file contents to a single text file. Use the certificate chain format below:

—–BEGIN CERTIFICATE—–
INTER-CA-2 CERTIFICATE CONTENT HERE
—–END CERTIFICATE—–
—–BEGIN CERTIFICATE—–
INTER-CA-1 CERTIFICATE CONTENT HERE
—–END CERTIFICATE—–
—–BEGIN CERTIFICATE—–
ROOT-CA CERTIFICATE CONTENT HERE
—–END CERTIFICATE—–

Screen Shot 2018-05-31 at 6.18.30 PM.png

After submitting the ACI CA certificate chain configuration, the next step is to create an ACI Key Ring.

Creating the ACI Key Ring:

To create the ACI Key Ring navigate to the following APIC web GUI path:
Admin -> AAA -> Public Key Management -> Key Rings
Screen Shot 2018-06-01 at 1.06.16 PM.png

Right click Key Rings and select Create Key Ring:
Screen Shot 2018-05-29 at 2.05.03 PM.png

Assign a Name, select a Modulus, and select the CA we just created from the drop down list. Leave the Certificate field empty, we will come back to this later. After submitting the Key Ring configuration, the next step is to create the ACI Certificate Request.

Creating the ACI Certificate Request:

To create the ACI Certificate Request navigate to the following APIC web GUI path:
Admin -> AAA -> Public Key Management -> Key Rings -> YOUR_KEY_RING_HERE
Screen Shot 2018-06-01 at 1.08.03 PM.png

Right click your newly created key ring and select Create Certificate Request:

Screen Shot 2018-05-29 at 2.19.03 PM.png

The Subject field requires the Fully Qualified Domain Name or Distinguished Name of one of the APICs. The Alternate Subject Name field will be used for the other APICs. Inserting Alternate Subject Names from the APIC GUI was not introduced until ACI 3.0.x code. Additionally, currently the Alternate Subject Name field only supports up to 64 characters. The following enhancement has been filed to support up to 1024 characters:
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvf83309/?reffering_site=dumpcr

If you are not running a code version which allows greater than 64 characters for the Alternate Subject Name, then please contact Cisco TAC. Cisco TAC has a method of generating the Certificate Request from the APIC CLI.

After submitting the Certificate Request in the APIC GUI, the entire Certificate Request body can be found in the following APIC web GUI path:
Admin -> AAA -> Public Key Management -> Key Rings -> YOUR_KEY_RING_HERE -> Certificate Request
Screen Shot 2018-05-29 at 2.35.19 PM.png

The next step is to submit this Certificate Request to your bottom level CA, in our case INTER-CA-2. Navigate to the following URL on your CA you will submit the request to:
http://localhost/certsrv/

From there select Request a certificate:
Screen Shot 2018-05-29 at 2.39.46 PM.png

Then select advanced certificate request:
Screen Shot 2018-05-29 at 2.39.53 PM.png

Then select Submit a certificate request by using base-64….
Screen Shot 2018-05-29 at 2.41.37 PM.png

Paste in your Certificate Request generated by ACI, select Web Server as the Certificate Template, and click Submit.

When prompted, select Base 64 encoded and Download certificate:
Screen Shot 2018-05-29 at 2.46.49 PM.png

After saving the certificate you can double click it to verify the entire Certification Path:

Screen Shot 2018-05-29 at 2.49.35 PM.png

You can also see the Alternate Subject Names we configured from ACI:
Screen Shot 2018-05-29 at 2.50.46 PM.png

The next step is to open the final certificate we just generated in a text editor and copy the entire contents to the ACI Key Ring configuration. Navigate to the following APIC web GUI path to insert the final generated certificate:
Admin -> AAA -> Public Key Management -> Key Rings -> YOUR_KEY_RING_HERE
Screen Shot 2018-05-31 at 6.24.45 PM.png

After pasting and submitting the certificate, the Admin State should go from Started to Completed. The final step in the process is to apply the newly created certificate so that it can be used.

Applying the Certificate Across the Fabric:

To apply the certificate navigate to the following APIC web GUI path:
Fabric -> Fabric Policies -> Pod Policies -> Policies -> Management Access -> YOUR_MANAGEMENT_ACCESS_POLICY_HERE

Under the HTTPS section you will select your Key Ring created earlier:
Screen Shot 2018-05-29 at 3.01.20 PM.png

Click Submit

This completes the necessary configuration for creating and installing a custom SSL certificate in ACI.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s