Certificate Generation and Management
For each switch, the data center administrator generates an ASCII (base64) encoded certificate. This certificate comprises two files:
- .key file that contains the private key
- .crt/.cer/.pem file that contains the certificate
Cisco Nexus Dashboard Fabric Controller also supports a single certificate file with an embedded key, that is, a .crt/.cer/.pem file that also contains the contents of the .key file.
Nexus Dashboard Fabric Controller doesn’t support binary encoded certificates, that is, certificates with the .der extension are not supported. You can protect the key file with a password for encryption. Cisco Nexus Dashboard Fabric Controller does not mandate encryption; however, because the key is stored on Nexus Dashboard Fabric Controller, we recommend that you encrypt the key file. Nexus Dashboard Fabric Controller supports AES encryption.
You can choose either CA-signed certificates or self-signed certificates. Cisco Nexus Dashboard Fabric Controller does not mandate CA signing; however, the security guidelines recommend that you use CA-signed certificates.
You can generate multiple certificates, one for each switch, and upload them to Nexus Dashboard Fabric Controller. Name the certificates appropriately so that you can identify the switch that each certificate is meant for.
You can upload one certificate and the corresponding key file, or bulk upload multiple certificates and key files. After the upload is complete, you can view the upload list before installing these on the switches. If a certificate file that contains an embedded key file is uploaded, Nexus Dashboard Fabric Controller derives the key automatically.
Certificate and the key file must have the same filename. For example, if a certificate filename is mycert.pem, the key filename must be mycert.key. If the certificate and key pair filenames are not the same, then Nexus Dashboard Fabric Controller will not be able to install the certificate on the switch.
Cisco Nexus Dashboard Fabric Controller allows you to bulk install the certificates on the switches. Bulk installation uses a single password, so you can install certificates with encrypted and unencrypted keys together, but all the encrypted keys must have been encrypted with the same password. If a key was encrypted with a different password, you cannot install that certificate in bulk mode.
When you install a new certificate on a switch, it replaces the existing certificate on that switch.
You can install the same certificate on multiple switches; however, you cannot use the bulk upload feature to do so.
Note
Nexus Dashboard Fabric Controller doesn’t enforce the validity of certificates or the options provided in them. It is up to you and the requirements of the switch to follow the convention. For example, if a certificate is generated for Switch-1 but is installed on Switch-2, Nexus Dashboard Fabric Controller doesn’t prevent it; switches may choose to accept or reject a certificate based on the parameters in the certificate.
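As an added example (not part of the Cisco documentation), the following pre-upload check applies the rules above to a constructed set of files: PEM rather than DER encoding, the matching-filename rule for certificate and .key files, keys embedded in the certificate file, and which keys are encrypted so that a bulk install can use one shared password. The file contents and names are constructed placeholders; the check reads PEM headers only, so it cannot verify that the encrypted keys actually share a password.

```python
import re
# Constructed sample upload set (placeholder PEM bodies, not real certificates).
CERT = b"-----BEGIN CERTIFICATE-----\nMIIB...placeholder...\n-----END CERTIFICATE-----\n"
KEY = b"-----BEGIN PRIVATE KEY-----\nMIIE...placeholder...\n-----END PRIVATE KEY-----\n"
ENC_KEY = (b"-----BEGIN ENCRYPTED PRIVATE KEY-----\nMIIF...placeholder...\n"
           b"-----END ENCRYPTED PRIVATE KEY-----\n")
LEGACY_ENC_KEY = (b"-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                  b"DEK-Info: AES-256-CBC,0011223344556677\n\nplaceholder\n-----END RSA PRIVATE KEY-----\n")
UPLOADS = {
    "leaf1.pem": CERT, "leaf1.key": ENC_KEY,         # matching pair, AES-encrypted key
    "leaf2.crt": CERT + KEY,                         # key embedded in the certificate file
    "leaf4.cer": CERT, "leaf4.key": LEGACY_ENC_KEY,  # legacy openssl encryption header
    "spine1.cer": CERT, "spine-1.key": KEY,          # names differ: NDFC cannot pair them
    "spine2.der": b"\x30\x82\x01\x0a",               # binary DER is not supported
}
CERT_EXT = (".pem", ".crt", ".cer")

def is_pem(data):
    """ASCII PEM files start with a -----BEGIN line; DER is raw ASN.1 bytes."""
    return data.lstrip().startswith(b"-----BEGIN ")

def key_state(data):
    """Return 'encrypted', 'plain' or None based on the PEM headers of any key material."""
    if b"BEGIN ENCRYPTED PRIVATE KEY" in data or b"Proc-Type: 4,ENCRYPTED" in data:
        return "encrypted"
    if re.search(rb"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----", data):
        return "plain"
    return None

def classify(files):
    """Map each certificate file to the status the upload table would show for it."""
    status = {}
    for name, data in files.items():
        stem, _, ext = name.rpartition(".")
        if stem and ext.lower() == "key":
            continue  # key files are reported through their certificate
        if not stem or "." + ext.lower() not in CERT_EXT or not is_pem(data):
            status[name] = "UNSUPPORTED"  # wrong extension or binary encoding
            continue
        # Key may be embedded in the certificate file or in the same-stem .key file
        key = key_state(data) or key_state(files.get(stem + ".key", b""))
        status[name] = "UPLOADED" if key else "KEY_MISSING"
    return status

def encrypted_certs(files):
    """Certificates whose key is encrypted: a bulk install must use one shared password."""
    out = []
    for name in classify(files):
        stem = name.rpartition(".")[0]
        if key_state(files[name] + files.get(stem + ".key", b"")) == "encrypted":
            out.append(name)
    return sorted(out)
```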
NX-API Certificate Verification by Cisco Nexus Dashboard Fabric Controller
From release 12.0.1a onwards, Cisco Nexus Dashboard Fabric Controller can verify the NX-API certificates offered by switches. The NX-API requests made by Cisco Nexus Dashboard Fabric Controller require an SSL connection; the switches act as the SSL server and offer a server certificate as part of the SSL negotiation. If it is provided with the corresponding CA certificate, Cisco Nexus Dashboard Fabric Controller can verify that server certificate.
Note
By default, NX-API certificate verification is not enabled, because it requires all switches in the data center to have CA-signed certificates installed and Cisco Nexus Dashboard Fabric Controller to be provided with all the corresponding CA certificates.
Cisco Nexus Dashboard Fabric Controller NX-API certificate management provides two functions for this purpose: Switch Certificates and CA Certificates.
Switch Certificates
Uploading Certificates
To upload the certificates onto Nexus Dashboard Fabric Controller, perform the following steps:
- Click Upload Certificate to upload the appropriate certificate file.
- Browse your local directory and choose the certificate key pair that you must upload to Nexus Dashboard Fabric Controller.
  You can choose a certificate with the .cer/.crt/.pem extension and the .key file separately.
  Cisco Nexus Dashboard Fabric Controller also allows you to upload a single certificate file that contains an embedded key file. The key file is automatically derived after upload.
- Click Upload to upload the selected files to Nexus Dashboard Fabric Controller.
  A successful upload message appears. The uploaded certificates are listed in the table.
  The table shows the Status as UPLOADED. If the certificate is uploaded without the key file, the status shows KEY_MISSING.
Assigning Switches and Installing Certificates
To install certificates on the switches using Cisco Nexus Dashboard Fabric Controller Web UI, perform the following steps:
- Select the check box of one or more certificates.
- From the Actions drop-down list, select Assign Switch & Install.
- In the NX API Certificate Credentials field, provide the password that was used to encrypt the key when generating the certificates.
  The Password field is mandatory; if the keys were not encrypted with a password, you can enter any string, for example, test or install. For unencrypted keys the password is not used, but you must still enter a string because the installation runs in bulk mode.
  Note
  You can install unencrypted and encrypted keys and certificates in a single bulk install; however, you must provide the key password used for the encrypted keys.
- For each certificate, click the Assign arrow and select the switch to associate with the certificate.
- Click Install Certificates to install all the certificates on their respective switches.
Unlinking and Deleting Certificates
After a certificate is installed on a switch, Nexus Dashboard Fabric Controller cannot uninstall it from the switch. However, you can always install a new certificate on the switch. Certificates that are not installed on any switch can be deleted. To delete a certificate that is installed on a switch, you must first unlink the certificate from the switch, and then delete it from Nexus Dashboard Fabric Controller.
Note
Unlinking the certificate from the switch does not delete the certificate on the switch. The certificate still exists on the switch. Cisco Nexus Dashboard Fabric Controller cannot delete the certificate on the switch.
To delete certificates from Nexus Dashboard Fabric Controller repository, perform the following steps:
- Select the certificate(s) that you need to delete.
- From the Actions drop-down list, select Unlink.
  A confirmation message appears.
- Click OK to unlink the selected certificates from the switches.
  The Status column shows UPLOADED. The Switch column shows NOT_INSTALLED.
- Select the certificate that is now unlinked from the switch.
- From the Actions drop-down list, select Delete.
  The certificate is deleted from Nexus Dashboard Fabric Controller.
CA Certificates
Uploading Certificates
To upload the certificates onto Nexus Dashboard Fabric Controller, perform the following steps:
- Click Upload Certificate to upload the appropriate certificate file.
- Browse your local directory and choose the CA certificate that you must upload to Nexus Dashboard Fabric Controller.
  You can choose certificates with the .cer/.crt/.pem file extension separately.
  Note
  The CA certificates are public certificates and do not contain any keys; keys are not needed for this operation. This is the certificate that Cisco Nexus Dashboard Fabric Controller needs in order to verify the NX-API certificates offered by the switches. In other words, the CA certificates are only consumed by Cisco Nexus Dashboard Fabric Controller and are never installed on the switches.
- Click Upload to upload the selected files to Nexus Dashboard Fabric Controller.
  A successful upload message appears. The uploaded certificates are listed in the table.
Assigning Switches and Installing Certificates
These certificates are only consumed by Cisco Nexus Dashboard Fabric Controller, and not installed on switches.
Unlinking and Deleting Certificates
CA certificates do not need to be unlinked, because they are never installed on switches.
CA certificates can still be deleted, because you may need to upload new certificates for a given CA.
From the Actions drop-down list, select Delete. The certificate is deleted from Nexus Dashboard Fabric Controller.
Enabling NX-API Certificate Verification
NX-API certificate verification is enabled using the toggle button on the CA Certificates page. Enable it only after all the switches managed by Cisco Nexus Dashboard Fabric Controller have CA-signed certificates installed and the corresponding CA root certificates (one or more) have been uploaded to Cisco Nexus Dashboard Fabric Controller. When verification is enabled, the Cisco Nexus Dashboard Fabric Controller SSL client starts verifying the certificates offered by the switches. If verification fails for a switch, the NX-API calls to that switch also fail.