Configuring a Custom Certificate for Cisco ACI HTTPS Access Using the REST API
Caution:
PERFORM THIS TASK ONLY DURING A MAINTENANCE WINDOW AS THERE IS A POTENTIAL FOR DOWNTIME. The downtime affects access to the Cisco Application Policy Infrastructure Controller (APIC) cluster and switches from external users or systems and not the Cisco APIC to switch connectivity. The NGINX process on the switches will also be impacted, but that will be only for external connectivity and not for the fabric data plane. Access to the Cisco APIC, configuration, management, troubleshooting, and such will be impacted. The NGINX web server running on the Cisco APIC and switches will be restarted during this operation.
Procedure
Before you begin:
- Determine which certificate authority (CA) will sign the certificate, and obtain that CA's certificate (or full chain) in PEM form, so that you can create the matching Certificate Authority object on the Cisco APIC.
Step 1. Create a root CA certificate (in the UI under Admin > AAA > Security > Certificate Authorities). The certChain attribute carries the CA certificate, or the full chain, in PEM form; line breaks inside the PEM are written as \n in the JSON string.
Example:
HTTP POST: /api/node/mo/uni/userext/pkiext/tp-CustomRootCA.json
Payload:
{
  "pkiTP": {
    "attributes": {
      "name": "CustomRootCA",
      "descr": "My Custom Root CA",
      "certChain": "-----BEGIN CERTIFICATE-----\nMy Custom Root CA\n-----END CERTIFICATE-----",
      "status": "created"
    }
  }
}
Step 2. Create the custom key ring (in the UI under Admin > AAA > Security > Key Rings). Choose ECC or RSA: for ECC set eccCurve and modulus "none"; for RSA set modulus and leave eccCurve empty. The tp attribute must name the Certificate Authority object created in Step 1. The examples below use ECRootCA and RSARootCA; if you created CustomRootCA as in Step 1, use that name here, otherwise the signed certificate will not chain to the trusted CA.
Example:
ECC
HTTP POST: /api/node/mo/uni/userext/pkiext/keyring-mycustomkeyring.json
Payload:
{
  "pkiKeyRing": {
    "attributes": {
      "keyType": "ECC",
      "modulus": "none",
      "regen": "false",
      "name": "mycustomkeyring",
      "descr": "My EC KeyRing",
      "eccCurve": "secp384r1",
      "tp": "ECRootCA",
      "status": "created"
    }
  }
}
RSA
HTTP POST: /api/node/mo/uni/userext/pkiext/keyring-mycustomkeyring.json
Payload:
{
  "pkiKeyRing": {
    "attributes": {
      "keyType": "RSA",
      "modulus": "mod2048",
      "regen": "false",
      "name": "mycustomkeyring",
      "descr": "My RSA KeyRing",
      "eccCurve": "",
      "tp": "RSARootCA",
      "status": "created"
    }
  }
}
Step 3. Generate the certificate request (CSR) for the key ring. subjName becomes the certificate's common name and altSubjName its subject alternative name; browsers and API clients validate the hostname they connect with against the SAN, so altSubjName should cover the name users actually use to reach the Cisco APIC. Retrieve the resulting CSR from the key ring (in the UI under Admin > AAA > Security > Key Rings, or with a GET on the same DN) and submit it to the CA.
Example:
HTTP POST: /api/node/mo/uni/userext/pkiext/keyring-mycustomkeyring/certreq.json
Payload:
{
  "pkiCertReq": {
    "attributes": {
      "subjName": "myapic.cisco.com",
      "altSubjName": "DNS:external.myapic.cisco.com",
      "locality": "San Jose",
      "state": "CA",
      "country": "US",
      "orgName": "Cisco Systems",
      "orgUnitName": "Finance",
      "email": "test@cisco.com"
    }
  }
}
Step 4. Have the CSR signed by the CA and upload the signed certificate to the key ring, setting adminState to started. The key attribute is shown in the examples for completeness: it is needed only when the private key was generated outside the Cisco APIC, and then it must be the PEM private key that matches the certificate. Do not leave the private key in scripts, logs, or version control after the upload.
Example:
RSA
HTTP POST: /api/node/mo/uni/userext/pkiext/keyring-mycustomkeyring.json
Payload:
{
  "pkiKeyRing": {
    "attributes": {
      "status": "",
      "adminState": "started",
      "cert": "-----BEGIN CERTIFICATE-----\nMy Signed Certificate\n-----END CERTIFICATE-----",
      "descr": "My Custom KeyRing",
      "eccCurve": "",
      "key": "-----BEGIN PRIVATE KEY-----\nMy Private Key\n-----END PRIVATE KEY-----",
      "keyType": "RSA",
      "modulus": "mod2048",
      "name": "mycustomkeyring",
      "regen": "no",
      "tp": "RSARootCA"
    }
  }
}
ECC
HTTP POST: /api/node/mo/uni/userext/pkiext/keyring-mycustomkeyring.json
Payload:
{
  "pkiKeyRing": {
    "attributes": {
      "status": "",
      "adminState": "started",
      "cert": "-----BEGIN CERTIFICATE-----\nMy Signed Certificate\n-----END CERTIFICATE-----",
      "descr": "My Custom KeyRing",
      "eccCurve": "secp384r1",
      "key": "-----BEGIN PRIVATE KEY-----\nMy Private Key\n-----END PRIVATE KEY-----",
      "keyType": "ECC",
      "modulus": "",
      "name": "mycustomkeyring",
      "regen": "no",
      "tp": "ECRootCA"
    }
  }
}
Step 5. Add the custom key ring to HTTPS Access (in the UI menu bar under Fabric > Fabric Policies; click Pod Policies > Policies > Management Access > default in the Navigation pane and select your custom key ring from the Key Ring drop-down list). This step applies the new certificate and is the point at which the NGINX restart described in the Caution occurs, so perform it inside the maintenance window. Afterwards, confirm from an external client that the Cisco APIC presents the new certificate and that it chains to the CA from Step 1.
Example:
HTTP POST: /api/node/mo/uni/fabric/comm-default/https.json
Payload:
{
  "commHttps": {
    "attributes": {
      "dn": "uni/fabric/comm-default/https",
      "status": "modified"
    },
    "children": [
      {
        "commRsKeyRing": {
          "attributes": {
            "tnPkiKeyRingName": "mycustomkeyring"
          },
          "children": []
        }
      }
    ]
  }
}
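The five steps above, scripted end to end with the checks an operator wants before and after, as an added example that is not part of this guide or of any Cisco tool. It builds the same five REST payloads, validates the pasted PEM before anything is sent, cross-checks that the trustpoint, key ring and HTTPS policy names agree, and verifies from the outside that the Cisco APIC serves a certificate chaining to the custom CA. Assumptions not taken from the page: APIC_URL, the credentials, the aaaLogin endpoint for a session cookie, and that the Cisco APIC generated the private key in Step 2, so Step 4 sends no key attribute unless one is passed in.

```python
import base64
import json
import re
import socket
import ssl
import urllib.request

APIC_URL = "https://myapic.cisco.com"  # assumption: the APIC management address
PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\n([A-Za-z0-9+/=\n]+)-----END \1-----\n?")
KEY_PARAMS = {"RSA": {"modulus": "mod2048", "eccCurve": ""},
              "ECC": {"modulus": "none", "eccCurve": "secp384r1"}}


def pem_ok(text, label):
    """True if text is one or more PEM blocks with this label, each a valid base64 body.
    A pasted certificate with a mangled header or line break fails here, not on the APIC."""
    blocks = PEM_RE.findall(text)
    if not blocks or PEM_RE.sub("", text).strip():  # no block, or junk between blocks
        return False
    try:
        return all(lab == label and base64.b64decode("".join(b.split()), validate=True)
                   for lab, b in blocks)
    except ValueError:  # binascii.Error: not base64 or bad padding
        return False


def step1_trustpoint(name, chain_pem):
    """pkiTP holding the CA chain that signs the key ring certificate."""
    if not pem_ok(chain_pem, "CERTIFICATE"):
        raise ValueError("certChain is not well-formed PEM")
    return ("/api/node/mo/uni/userext/pkiext/tp-%s.json" % name, {"pkiTP": {"attributes": {
        "name": name, "descr": "Custom root CA", "certChain": chain_pem, "status": "created"}}})


def step2_keyring(name, tp, key_type):
    """pkiKeyRing whose private key the APIC generates; tp must be the pkiTP name from step 1."""
    attrs = dict(KEY_PARAMS[key_type], keyType=key_type, regen="false", name=name,
                 descr="%s keyring" % key_type, tp=tp, status="created")
    return ("/api/node/mo/uni/userext/pkiext/keyring-%s.json" % name,
            {"pkiKeyRing": {"attributes": attrs}})


def step3_certreq(keyring_name, subj, alt_subj="", **rdn):
    """pkiCertReq under the key ring; rdn: locality, state, country, orgName, orgUnitName, email."""
    return ("/api/node/mo/uni/userext/pkiext/keyring-%s/certreq.json" % keyring_name,
            {"pkiCertReq": {"attributes": dict(rdn, subjName=subj, altSubjName=alt_subj)}})


def step4_install_cert(name, tp, key_type, cert_pem, key_pem=None):
    """Load the CA-signed certificate and start the key ring. Assumption: the APIC made the
    key in step 2, so 'key' is sent only when an off-box private key is passed in."""
    if not pem_ok(cert_pem, "CERTIFICATE"):
        raise ValueError("cert is not well-formed PEM")
    attrs = dict(KEY_PARAMS[key_type], keyType=key_type, name=name, tp=tp, cert=cert_pem,
                 adminState="started", regen="no", status="")
    if key_pem is not None:
        if not pem_ok(key_pem, "PRIVATE KEY"):
            raise ValueError("key is not well-formed PEM")
        attrs["key"] = key_pem
    return ("/api/node/mo/uni/userext/pkiext/keyring-%s.json" % name,
            {"pkiKeyRing": {"attributes": attrs}})


def step5_bind_https(keyring_name):
    """Point the default Management Access HTTPS policy at the key ring (this restarts NGINX)."""
    return ("/api/node/mo/uni/fabric/comm-default/https.json", {"commHttps": {
        "attributes": {"dn": "uni/fabric/comm-default/https", "status": "modified"},
        "children": [{"commRsKeyRing": {"attributes": {"tnPkiKeyRingName": keyring_name},
                                        "children": []}}]}})


def cross_check(steps):
    """Problems (empty list = consistent): keyring.tp must name the pkiTP and the HTTPS
    policy must bind keyring.name. Run on all five (path, payload) pairs before posting."""
    objs = {cls: body for _, payload in steps for cls, body in payload.items()}
    tp, kr = objs["pkiTP"]["attributes"]["name"], objs["pkiKeyRing"]["attributes"]
    bound = objs["commHttps"]["children"][0]["commRsKeyRing"]["attributes"]["tnPkiKeyRingName"]
    problems = []
    if kr["tp"] != tp:
        problems.append("keyring tp %r does not name the trustpoint %r" % (kr["tp"], tp))
    if bound != kr["name"]:
        problems.append("HTTPS policy binds %r but the keyring is %r" % (bound, kr["name"]))
    return problems


def apic_session(url, user, pwd, cafile=None):
    """Log in once via aaaLogin (assumption: cookie auth); the returned post() replays the
    APIC-cookie. cafile is the certificate the APIC serves before the change."""
    opener = urllib.request.build_opener(
        urllib.request.HTTPSHandler(context=ssl.create_default_context(cafile=cafile)),
        urllib.request.HTTPCookieProcessor())

    def post(path, payload):
        req = urllib.request.Request(url + path, data=json.dumps(payload).encode(),
                                     headers={"Content-Type": "application/json"})
        with opener.open(req) as resp:
            return json.load(resp)

    post("/api/aaaLogin.json", {"aaaUser": {"attributes": {"name": user, "pwd": pwd}}})
    return post


def served_common_name(host, cafile, port=443):
    """Post-change check: trust only the custom CA chain. A handshake failure means the old
    certificate is still served or the chain is incomplete; otherwise the served CN returns."""
    ctx = ssl.create_default_context(cafile=cafile)
    with socket.create_connection((host, port), timeout=10) as sock, \
            ctx.wrap_socket(sock, server_hostname=host) as tls:
        subject = tls.getpeercert()["subject"]
    return dict(ava for rdn in subject for ava in rdn)["commonName"]
```

Typical use: build Steps 1 to 3 with the chain PEM, run cross_check on them together with a dry Step 5, then post each (path, payload) pair through apic_session; once the CA has returned the signed certificate, post Step 4 and Step 5, and finish with served_common_name("myapic.cisco.com", "chain.pem"), which only succeeds if the new certificate is served and chains to the CA from Step 1.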
What to do next
- For more information on security configurations, see Cisco APIC Security Configuration Guide.