NXAPI Certificates

Cisco NX-OS switches require an SSL certificate to function in NX-API HTTPS mode. You can generate the SSL certificates and get it signed by your CA. You can install the certificates manually using CLI commands on switch console or use Cisco Nexus Dashboard Fabric Controller to install these on switches.

Cisco Nexus Dashboard Fabric Controller provides a Web UI framework to upload NX-API certificates to Nexus Dashboard Fabric Controller. Later, you can install the certificates on the switches that are managed by Nexus Dashboard Fabric Controller.


Note

This feature is supported on switches running on Cisco NXOS version 9.2(3) or higher.


Certificate Generation and Management

For each switch, the data center administrator generates an ASCII (base64) encoded certificate. This certificate comprises two files:

  • .key file that contains the private key

  • .crt/.cer/.pem file that contains the certificate

Cisco Nexus Dashboard Fabric Controller also supports a single certificate file that contains an embedded key file, that is, the .crt/.cer/.pem file, which can also contain the contents of the .key file.

Nexus Dashboard Fabric Controller doesn’t support binary encoded certificates, that is, the certificates with the .der extension are not supported. You can protect the key file with a password for encryption. Cisco Nexus Dashboard Fabric Controller does not mandate encryption; however, as this is stored on Nexus Dashboard Fabric Controller, we recommend that you encrypt the key file. Nexus Dashboard Fabric Controller supports AES encryption.

You can either choose CA-signed certificates or self-signed certificates. Cisco Nexus Dashboard Fabric Controller does not mandate the signing; however, the security guidelines suggest you use the CA-signed certificates.

You can generate multiple certificates meant for multiple switches, to upload to Nexus Dashboard Fabric Controller. Ensure that you name the certificates appropriately, to help you choose the switch meant for that certificate.

You can upload one certificate and the corresponding key file, or bulk upload multiple certificates and key files. After the upload is complete, you can view the upload list before installing these on the switches. If a certificate file that contains an embedded key file is uploaded, Nexus Dashboard Fabric Controller derives the key automatically.

Certificate and the key file must have the same filename. For example, if a certificate filename is mycert.pem, the key filename must be mycert.key. If the certificate and key pair filenames are not the same, then Nexus Dashboard Fabric Controller will not be able to install the certificate on the switch.

Cisco Nexus Dashboard Fabric Controller allows you to bulk install the certificates to the switches. Because bulk installation uses the same password, all encrypted keys must be encrypted with the same password. If the password is different for a key, you cannot install the certificate in bulk mode. Bulk mode installation allows you to install encrypted and unencrypted keys certificates together, but all the encrypted keys must have the same password.

When you install a new certificate on the switch, it replaces the existing certificate and replaces it with the new certificate.

You can install the same certificate on multiple switches; however, you cannot use the bulk upload feature.


Note

Nexus Dashboard Fabric Controller doesn’t enforce the validity of certificates or options provided in it. It is up to you and the requirements on the switch to follow the convention. For example, if a certificate is generated for Switch-1 but it is installed on Switch-2, Nexus Dashboard Fabric Controller doesn’t enforce it; switches may choose to accept or reject a certificate based on the parameters in the certificate.


NX-API Certificate Verification by Cisco Nexus Dashboard Fabric Controller

From release 12.0.1a onwards, Cisco Nexus Dashboard Fabric Controller supports a capability to verify NX-API certificates offered by switches. The NX-API requests done by Cisco Nexus Dashboard Fabric Controller require SSL connection, and switches act like SSL server and offer server certificate as part of SSL negotiations. If provided a corresponding CA certificate, Cisco Nexus Dashboard Fabric Controller can verify it.


Note

By default, NX-API certificate verification is not enabled because it requires all switches in the data center to have the CA-signed certificates installed, and Cisco Nexus Dashboard Fabric Controller is fed all the corresponding CA certificates.


Cisco Nexus Dashboard Fabric Controller NX-API certificate management provides two functionalities named as Switch Certificates and CA Certificates to manage the same.

Switch Certificates

Uploading Certificates

To upload the certificates onto Nexus Dashboard Fabric Controller, perform the following steps:

  1. Click Upload Certificate to upload the appropriate certificate file.

  2. Browse your local directory and choose the certificate key pair that you must upload to Nexus Dashboard Fabric Controller.

    You can choose certificates with extension .cer/.crt/.pem + .key file separately.

    Cisco Nexus Dashboard Fabric Controller also allows you to upload a single certificate file that contains an embedded key file. The key file is automatically derived after upload.

  3. Click Upload to upload the selected files to Nexus Dashboard Fabric Controller.

    A successful upload message appears. The uploaded certificates are listed in the table.

    The table shows the Status as UPLOADED. If the certificate is uploaded without the key file, the status shows KEY_MISSING.

Assigning Switches and Installing Certificates

To install certificates on the switches using Cisco Nexus Dashboard Fabric Controller Web UI, perform the following steps:

  1. Select one or multiple certificates check box.

  2. From the Actions drop-down list, select Assign Switch & Install.

  3. In the NX API Certificate Credentials field, provide the password which was used to encrypt the key while generating the certificates.

    The Password field is mandatory, however, if the keys were not encrypted using a password, any random string you can enter, for example, test, install, and so on. In case of unencrypted files, passwords are not used, but you still need to enter any random string because it is bulk mode.


    Note

    You can install unencrypted and encrypted keys and a certificate in a single bulk install; however, you must provide the key password used for encrypted keys.


  4. For each certificate, click on the Assign arrow and select the switch to associate with the certificate.

  5. Click Install Certificates to install all the certificates on their respective switches.

CA Certificates

Uploading Certificates

To upload the certificates onto Nexus Dashboard Fabric Controller, perform the following steps:

  1. Click Upload Certificate to upload the appropriate license file.

  2. Browse your local directory and choose the certificate-key pair that you must upload to Nexus Dashboard Fabric Controller.

    You can choose certificates with the .cer/.crt/.pem file extension separately.


    Note

    The CA Certificates are public certificates and do not contain any keys; also, keys are not needed for this operation. This is the certificate which Cisco Nexus Dashboard Fabric Controller needs to verify the NX-API certificates offered by the switches. In other words, the CA certificates are only consumed by Cisco Nexus Dashboard Fabric Controller and never installed on the switches.


  3. Click Upload to upload the selected files to Nexus Dashboard Fabric Controller.

    A successful upload message appears. The uploaded certificates are listed in the table.

Assigning Switches and Installing Certificates

These certificates are only consumed by Cisco Nexus Dashboard Fabric Controller, and not installed on switches.

Unlinking and Deleting Certificates

The CA certificates do not require to be unlinked, as they are never installed on switches.

CA certificates can still be deleted because one may need to bring new certificates for a given CA.

From the Actions drop-down list, select Delete. The certificate is deleted from Nexus Dashboard Fabric Controller.

Enabling NX-API Certificate Verification

The NX-API certificate verification can be enabled using the toggle button on the CA Certificates page. However, this must be done only after all the switches managed by Cisco Nexus Dashboard Fabric Controller are installed with CA-signed certificates and the corresponding CA Root certificates (one or more) are uploaded to Cisco Nexus Dashboard Fabric Controller. When this is enabled, the Cisco Nexus Dashboard Fabric Controller SSL client starts verifying the certificates offered by the switches. If the verification fails, the NX-API calls will also fail.


Note

  • Verification of the NX-API certificates can not be enforced per switch; it is for either all or none. Hence, it is important that the verification is enabled only when all the switches have their corresponding CA-signed certificates installed.

  • It is also required that all the CA certificates are installed on the Cisco Nexus Dashboard Fabric Controller.

  • Once an NX-API call fails for a given switch because of verification issues, the toggle button can be used to disable enforcement, and all goes back to the previous state without any consequences.

  • Because of the above points, you must enable the enforcement during a maintenance window.