Better Understanding of the Device Certificate Process

Claudia de Luna · ‎12-15-2016

Hi,

Id like to get a better understanding of the certificate process in APIC-EM.

What happens if we say Device Certificate = False? the PNP communication takes place in clear text? If i then need a cert to establish ssh access, how does that happen as that is typically an interactive process.

If we do say "True" we now have a PNP certificate on the device. What if the APIC-EM provisioning step is a one time thing. Should we leave the cert there. What if we want to create another certificate for general ssh login access different from the PNP cert?

I suspect that all these questions are a clear indication I don't have a good grasp of this process!

Thanks for any info or pointers!

Claudia

Device Certificate*

False

sairasan · ‎12-15-2016

Configuration Guide for Cisco Network Plug and Play on Cisco APIC-EM - Configuring Cisco Network Plug and Play [Cisco …

Check the Device Certificate check box to apply the device certificate on the device. Cisco Network Plug and Play automatically generates and deploys the PKCS12 device ID certificate. Device Certificate is not supported on access point devices.

aradford · ‎12-18-2016

Hi Claudia,

there are two ways a certificate will be created on a switch (not access point).

1) If you click on device certificate, then APIC-EM will create and download a certificate to the device. This certificate can be used by SSH etc.

2) If you have "ip https server" in the config, then the device will create a self signed certificate.

#1 is probably preferable.

If you wanted to add/create other certificates, you would need to do this outside of PnP, possibly using an EEM script etc.

Does this answer your question?

Adam