In this tutorial we will be going over the process for generating and installing custom SSL certificates for use in your ACI fabric.
* Fabric discovery completed
* Have all Certificate Authority servers configured for certificate generation
* Verify that the time on your APICs is current and correct. If the time of your APICs falls outside the validity period of your custom SSL certificate, certificate installation will fail
My other tutorial NTP Configuration in ACI will assist you with the necessary ACI NTP configuration to make sure that your APICs and fabric switch clocks are synced correctly
* ACI fabric running 3.1(2m)
* 3 CAs (1 root and 2 subordinate) running Windows Server 2008 R2
Creating the ACI Certificate Authority:
The first step in configuring a custom SSL certificate is to create a certificate authority in ACI. To create the ACI CA navigate to the following APIC web GUI path:
Admin -> AAA -> Public Key Management -> Certificate Authorities
This is where we define the entire certificate chain. The certificate chain consists of all the certificates in the path all the way from the subordinate CA to the root CA. My certificate chain is as follows:
You can see above that I have a single root CA and multiple subordinate CAs. The top of our certificate chain will be ROOT-CA followed by INTER-CA-1, and then finally INTER-CA-2
If you are running a Windows Server you can obtain the entire certificate chain by going to the following URL in a web browser on the CA which is at the bottom of the certificate chain (in our case INTER-CA-2).
Select Base 64 as the Encoding method. And select Download CA certificate. You DO NOT want to select Download CA certificate chain. Doing so will compress all CA certificates into a single chain, which ACI will not accept.
You can extract the Base 64 certificate from the file you just saved just by opening the file in Notepad or another text editor. This certificate body will only be for the CA we downloaded the certificate from (in our case INTER-CA-2).
Save the file, and continue exporting the remaining CAs. After all the CA certificates have been exported, open them each with Notepad or another text editor and copy each of the file contents to a single text file. Use the certificate chain format below:
INTER-CA-2 CERTIFICATE CONTENT HERE
INTER-CA-1 CERTIFICATE CONTENT HERE
ROOT-CA CERTIFICATE CONTENT HERE
After submitting the ACI CA certificate chain configuration, the next step is to create an ACI Key Ring.
Creating the ACI Key Ring:
Assign a Name, select a Modulus, and select the CA we just created from the drop down list. Leave the Certificate field empty, we will come back to this later. After submitting the Key Ring configuration, the next step is to create the ACI Certificate Request.
Creating the ACI Certificate Request:
Right click your newly created key ring and select Create Certificate Request:
The Subject field requires the Fully Qualified Domain Name or Distinguished Name of one of the APICs. The Alternate Subject Name field will be used for the other APICs. Inserting Alternate Subject Names from the APIC GUI was not introduced until ACI 3.0.x code. Additionally, currently the Alternate Subject Name field only supports up to 64 characters. The following enhancement has been filed to support up to 1024 characters:
If you are not running a code version which allows greater than 64 characters for the Alternate Subject Name, then please contact Cisco TAC. Cisco TAC has a method of generating the Certificate Request from the APIC CLI.
After submitting the Certificate Request in the APIC GUI, the entire Certificate Request body can be found in the following APIC web GUI path:
Admin -> AAA -> Public Key Management -> Key Rings -> YOUR_KEY_RING_HERE -> Certificate Request
The next step is to submit this Certificate Request to your bottom level CA, in our case INTER-CA-2. Navigate to the following URL on your CA you will submit the request to:
Paste in your Certificate Request generated by ACI, select Web Server as the Certificate Template, and click Submit.
After saving the certificate you can double click it to verify the entire Certification Path:
The next step is to open the final certificate we just generated in a text editor and copy the entire contents to the ACI Key Ring configuration. Navigate to the following APIC web GUI path to insert the final generated certificate:
Admin -> AAA -> Public Key Management -> Key Rings -> YOUR_KEY_RING_HERE
After pasting and submitting the certificate, the Admin State should go from Started to Completed. The final step in the process is to apply the newly created certificate so that it can be used.
Applying the Certificate Across the Fabric:
To apply the certificate navigate to the following APIC web GUI path:
Fabric -> Fabric Policies -> Pod Policies -> Policies -> Management Access -> YOUR_MANAGEMENT_ACCESS_POLICY_HERE
This completes the necessary configuration for creating and installing a custom SSL certificate in ACI.