PnP error

daniel.sunde1
Level 1

During provisioning of a Cisco 1921 router it enters an error state:

Received response from pnp agent for message correlatorId: CiscoPnP-1.0-19303-173-2BB9AB34 but with error code : ZTD_CMD_ERROR Response String: ERROR:PnP Service Error 3300:Certificate installation not successful

We have tested this with the cert that came when we installed APIC-EM and generated a self signed cert, which did not work.

In the documentation it says that an X.509 certificate signed by a well-known provider is recommended for PnP to work optimally, but it does not say what works better with the signed cert. Can anyone elaborate? And the error I get, is it due to the self-signed certificate?

9 Replies

Geevarghese Cheria
Cisco Employee

Hi Daniel,

Using a self-signed certificate for either the Cisco APIC-EM or the proxy gateway is strongly discouraged.

We strongly recommend using a publicly verifiable CA issued certificate to be installed for the controller,

as well as the proxy gateway if one is present.

Refer Page 15 of the doc-http://www.cisco.com/c/en/us/td/docs/cloud-systems-management/application-policy-infrastructure-controller-enterprise-mo…

Thanks and Regards,

Geevarghese

Hi and thank you for the response.

We are setting up APIC-EM as a proof of concept for our network solution and wanted to try out the functionality before investing in certificates.

I have read the documentation. It only states that Cisco recommends the CA issued certificate, but not why.

I was wondering if it was still possible to test PnP with a self signed certificate so we can make sure it works with our architecture.

Regards

Daniel

Hi Daniel,

I need guidance from my team to answer your question since I haven't tried PnP with a self-signed certificate.

Hope you have seen this documentation Cisco Application Policy Infrastructure Controller Enterprise Module Deployment Guide, Release 1.x - Cisco APIC-EM Sec…

that "we recommend against using and importing a self-signed certificate into the controller. Importing a valid X.509 certificate from a well-known, certificate authority (CA) is recommended. Additionally, you must replace the self-signed certificate (installed in the Cisco APIC-EM by default) with a certificate that is signed by a well-known certificate authority for the Network PnP functionality to work properly."

Thanks and Regards,

Geevarghese

Yes, I have read it.

That is the part I am wondering about. I understand that in a production environment we want to use a CA-signed certificate, but I was hoping we could avoid it when testing whether PnP is viable for our architecture.

I was wondering what PnP functionality that does not work with a self signed certificate.

Regards,

Daniel

Hi Daniel,

The error occurs if either the certificate is not downloadable/reachable OR if the certificate cannot be installed due to a cert validation issue.

Best,

Pranathi

Hi Daniel,

Could you please help to provide the following information?

- What IOS image are you using on 1921 router?

- Is there any image installation involved?

- show pnp tech

Please refer to page 18 for Self-Signed Certificate based Authentication

http://wwwin-home.cisco.com/~sdnbld/APIC_EM_OVA/release/CA3/doc_pnp-xe-3e-book.pdf

Thanks,

Xuejun

We tested on a different 1921 router and got it working.

The new router we used had 15.4(3)M3 installed while the previous one had 15.4(3)M2. We upgraded the image on the first router and it started working as well.

The images were already installed on the devices at boot. There seems to be an issue with autoinstall in 15.4(3)M2. It would not automatically discover DHCP and the PnP client tried to reach devicehelper.cisco.com instead of our local APIC-EM.

We managed to bypass the autoinstall and trigger PnP by setting ip address dhcp on the interface right after boot.

Did not change any of the certificate settings, but the new image seems to handle the self signed certificate fine.

Saw in the pnp trace that it tried to reach pnpntpserver.domain. I guess this is to sync the time on the router so it can verify that the certificate is not outdated. We had pnpserver.domain configured in DNS and have now added pnpntpserver. But it still fails to get the trustpool.

The routers are now able to reach the APIC-EM, and provisioning works since we upgraded to 15.4(3)M3.
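The two failure causes Pranathi listed (certificate not reachable, certificate fails validation) and Daniel's guess that the pnpntpserver lookup is there so the router can check the certificate's validity period can be reproduced outside the router. The script below is an added example, not code from this thread, from Cisco or from APIC-EM; it assumes a POSIX shell with the openssl CLI, generates throwaway certificates of its own, and the hostnames in it are made up.

```shell
#!/bin/sh
# Added example, not part of the thread or of any Cisco tool. It reproduces,
# with the openssl CLI, two ways a controller certificate can fail the
# validation a PnP agent performs: no trust path to it (a self-signed cert
# that nothing the device trusts vouches for) and a device clock outside the
# validity window (a router that booted without NTP). Assumes POSIX sh and
# openssl; the certificates are generated here and the hostnames are made up.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

CONTROLLER_CERT="$WORK/controller.pem"      # stand-in for the APIC-EM cert
UNRELATED_ANCHOR="$WORK/unrelated-ca.pem"   # a CA the device trusts, not the issuer

# Throwaway self-signed certificates; -days 365 puts notBefore at "now".
openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/controller.key" \
  -out "$CONTROLLER_CERT" -days 365 -subj "/CN=apic-em.example.test" >/dev/null 2>&1
openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/unrelated.key" \
  -out "$UNRELATED_ANCHOR" -days 365 -subj "/CN=unrelated-ca.example.test" >/dev/null 2>&1

# is_self_signed CERT: prints "yes" if issuer and subject are identical.
is_self_signed() {
  issuer=$(openssl x509 -in "$1" -noout -issuer)
  subject=$(openssl x509 -in "$1" -noout -subject)
  if [ "${issuer#issuer=}" = "${subject#subject=}" ]; then echo yes; else echo no; fi
}

# verify_at CERT ANCHOR EPOCH: succeeds only if CERT chains to ANCHOR and is
# inside its validity window at time EPOCH, i.e. what a device whose clock
# reads EPOCH would conclude. Success is detected from openssl's ": OK" line.
verify_at() {
  openssl verify -attime "$3" -CAfile "$2" "$1" 2>/dev/null | grep -q ': OK$'
}

NOW=$(date +%s)
YEAR_2002=1009843200                  # an unsynced router clock
IN_400_DAYS=$((NOW + 400 * 86400))    # past notAfter

echo "controller cert self-signed: $(is_self_signed "$CONTROLLER_CERT")"
verify_at "$CONTROLLER_CERT" "$UNRELATED_ANCHOR" "$NOW" && echo "unrelated anchor: OK" \
  || echo "unrelated anchor: FAIL (no trust path; the untrusted self-signed case)"
verify_at "$CONTROLLER_CERT" "$CONTROLLER_CERT" "$NOW" && echo "own anchor, clock correct: OK" \
  || echo "own anchor, clock correct: FAIL"
verify_at "$CONTROLLER_CERT" "$CONTROLLER_CERT" "$YEAR_2002" && echo "clock in 2002: OK" \
  || echo "clock in 2002: FAIL (not yet valid; this is what NTP fixes)"
verify_at "$CONTROLLER_CERT" "$CONTROLLER_CERT" "$IN_400_DAYS" && echo "clock 400 days ahead: OK" \
  || echo "clock 400 days ahead: FAIL (expired)"
```

Without an anchor that vouches for the controller certificate the verification fails whatever the clock says; with the certificate itself installed as the anchor it passes at the correct time and fails with the clock in 2002 or past the expiry date. That is why a device that cannot reach an NTP server can reject a certificate that is perfectly valid, and why importing a self-signed controller certificate only helps if the device also trusts it as an anchor.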

Hi Daniel,

For APIC-EM GA release, the recommended version for 1921 router is 15.5(3)M/15.5(3)M1. You can upgrade your router image to 15.5(3)M1 to make sure it has all supported PnP agent features.

Also, please always do “write erase” and "reload" the router so that PnP discovery can be performed.

Thanks,

Xuejun

Hi and thank you all for the replies.

We do use "write erase" and reload.

Our mistake was to use "Supported Platforms" under the Home tab in APIC-EM as a reference sheet. After we started using the Cisco Plug and Play Release Notes to find the supported OSes, it was easier to get things working.

Regards,

Daniel