How to apply a cert to the ASE version of MSO?

I was recently asked this question by a customer and I’m documenting how to do this for the benefit of everyone. 

Before proceeding, let’s gather all the items that we will need to make this happen.

Update 10/23/2020: For MSO (on SE) certs the last action is to activate the key-ring. Unfortunately, that part will still fail because of bug CSCvv00400. This issue will not be there in ND 2.0 (Nexus Dashboard) and MSO 3.2. Maybe they will also fix it in a patched release of SE 1.1.3d, but I am not certain of that. I am still keeping this writeup, though, because it is good guidance on certificates in general and covers much more than just MSO. You can use these procedures to generate and install certificates for many devices/systems.

Below is the issue you will see when trying to activate the key-ring (due to bug CSCvv00400):

Figure 0.1

What we will need:

  1. The CA’s root and intermediate certificates
  2. Your SSL private key
  3. Your certificate that you got from the CA

CA’s Root and Intermediate certificates

You should be able to get these from your CA’s website. The screenshot below shows DigiCert’s root/intermediate certificates.

Figure 1

In this example, I will not use a CA (I don’t have an account myself), so I will pretend to be my own CA (fake CA). For that reason, I’ll make a fake CA key and CA certificate.

openssl req -new -newkey rsa:2048 -days 36500 -nodes -x509 -keyout ca.key -out ca.crt -subj '/'

After doing this, you will have a “ca.crt” and a “ca.key” file.

Figure 2

Next, you need to generate your private SSL key:

openssl genrsa -out acme.key 2048

Figure 3

If you want, you can also extract the public key that pairs with the private key. The command below prints it to the terminal; add -out followed by a file name to save it to a file instead.

openssl rsa -in acme.key -pubout

Figure 4

Next, you need to generate the Certificate Signing Request (CSR):

openssl req -new -key acme.key -out acme.csr -subj '/'

Figure 5

Now you will need to submit the CSR to your CA (while logged in with your account) and obtain your certificate from the CA. In this fake scenario, I will sign the CSR with the fake CA’s private key and the ca.crt.

openssl x509 -req -in acme.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out acme.crt -days 1000

Figure 6

It’s always good to verify your certificate:

openssl x509 -in acme.crt -text

Figure 7
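
A pre-upload check, as an added example that is not part of the original writeup: before pasting the files into the MSO key ring, confirm that the certificate verifies against the CA certificate and that the private key is the one the certificate was issued for. The function names and the two subject names are assumptions made for this example; the demo files are a constructed fake CA set built with the commands above.

```shell
#!/bin/sh
# Added example: pre-upload checks for the files the MSO key ring asks for.
# Function names are hypothetical; file names follow the article.

# Build a constructed fake CA, key, CSR and certificate in directory $1,
# using the article's commands (the subjects are constructed sample values).
make_fake_set() {
    ( cd "$1" &&
      openssl req -new -newkey rsa:2048 -days 36500 -nodes -x509 \
          -keyout ca.key -out ca.crt -subj '/CN=Constructed Fake CA' &&
      openssl genrsa -out acme.key 2048 &&
      openssl req -new -key acme.key -out acme.csr -subj '/CN=mso.example.test' &&
      openssl x509 -req -in acme.csr -CA ca.crt -CAkey ca.key \
          -CAcreateserial -out acme.crt -days 1000
    ) >/dev/null 2>&1
}

# Succeeds only if the certificate's public key equals the private key's.
key_matches_cert() {  # $1 = certificate, $2 = private key
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Succeeds only if the certificate verifies against the CA file.
chains_to_ca() {  # $1 = CA certificate(s), $2 = certificate
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# Run both checks and report; returns non-zero if either one fails.
check_keyring_files() {  # $1 = CA file, $2 = certificate, $3 = private key
    rc=0
    chains_to_ca "$1" "$2"     || { echo "FAIL: $2 does not chain to $1"; rc=1; }
    key_matches_cert "$2" "$3" || { echo "FAIL: $3 is not the key for $2"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: $2 chains to $1 and matches $3"
    return "$rc"
}

# Demo on constructed files in a scratch directory.
demo_dir=$(mktemp -d)
make_fake_set "$demo_dir"
check_keyring_files "$demo_dir/ca.crt" "$demo_dir/acme.crt" "$demo_dir/acme.key"
rm -rf "$demo_dir"
```

With a real CA, pass a file containing the intermediate and root certificates as the first argument.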

Now we have everything we need to start putting into MSO. Let’s do a quick recap of what we have and what we need.

Figure 8

Now, log into the MSO UI, go to Admin/Security/Certificate Authority and click on Add Certificate Authority.

Figure 9

Add the root CA’s certificate as shown below. In real life, you will put in the intermediate and root CA certificates (in that order) from your CA instead.

Figure 10

Now, click on Key Ring / Add Key Ring.

Figure 11

Fill in as shown below. Please notice that where it says “Public Key”, it actually requires the certificate that you got back from your CA. (I just opened bug CSCvw21988 for that.)

Figure 12

Next, you need to make the Key Ring active.

Figure 13

You are all done!