I was recently asked this question by a customer and I’m documenting how to do this for the benefit of everyone.
Before proceeding, let’s gather all the items that we will need to make this happen.
Update 10/23/2020: For MSO (on SE) certs, the last action is to activate the key-ring. Unfortunately, that part will still fail because of bug CSCvv00400. This issue will not be there in ND 2.0 (Nexus Dashboard) and MSO 3.2. Maybe they will also fix it in a patched release of SE 1.1.3d, but I am not certain of that. I am still keeping this writeup though, because it is a very good guide to certificates in general and covers much more than just MSO. You can use these procedures to generate and install certificates for many devices/systems.
Below is the issue you will see when trying to activate the key-ring (due to bug CSCvv00400).

What we will need:
- CA’s root and intermediate certificates
- Your SSL private key
- Your certificate that you got from the CA
CA’s Root and Intermediate certificates
You should be able to get these from your CA’s website. The screenshot below shows DigiCert’s root/intermediate certificates.

In this example, I will not use a CA (I don’t have an account myself), so I will pretend to be my own CA (fake CA). For that reason, I’ll make a fake CA key and CA certificate.
openssl req -new -newkey rsa:2048 -days 36500 -nodes -x509 -keyout ca.key -out ca.crt -subj '/CN=FakeCA.com/O=FakeCA/C=US'
After doing this, you will get a “ca.crt” and a “ca.key” file.

Next, you need to generate your private SSL key:
openssl genrsa -out acme.key 2048

If you want, you can also extract the public key, which is the pair to the private key:
openssl rsa -in acme.key -pubout -out acme.pub

Next, you need to generate the Certificate Signing Request (CSR):
openssl req -new -key acme.key -out acme.csr -subj '/CN=acme.com/O=acme.com/C=US'

Now you will need to submit the CSR to your CA (while logged in with your account) and obtain your certificate from the CA. In this fake scenario, I will sign the CSR with the fake CA’s private key and the ca.crt:
openssl x509 -req -in acme.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out acme.crt -days 1000

It’s always good to verify your certificate:
openssl x509 -in acme.crt -text
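
Going one step beyond reading the certificate text, the following added example (not part of the original post) checks that the three files destined for MSO actually fit together: the certificate chains to the CA, and it matches the private key. The function names check_keyring and make_demo_material and the file other.key are hypothetical; the key is assumed to be unencrypted, as generated above.

```shell
#!/bin/sh
# Added example (not from the original post). File names follow the post.

# check_keyring CA_FILE CERT_FILE KEY_FILE
# Returns 0 if the material fits together, 3 if CERT_FILE is not a certificate,
# 1 if it does not chain to CA_FILE, 2 if KEY_FILE is not its private key.
# Assumes an unencrypted private key, as generated in the post.
check_keyring() {
    ca=$1; cert=$2; key=$3

    # The key ring field labelled "Public Key" wants the certificate itself,
    # so a bare public key such as acme.pub is rejected here.
    if ! openssl x509 -in "$cert" -noout 2>/dev/null; then
        echo "FAIL: $cert is not an X.509 certificate"; return 3
    fi
    # The certificate must chain to what is loaded under Certificate Authority.
    if ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
        echo "FAIL: $cert does not chain to $ca"; return 1
    fi
    # The certificate's public key must be the pair of the private key.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    if [ -z "$key_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "FAIL: $key is not the private key for $cert"; return 2
    fi
    echo "OK: $cert chains to $ca and matches $key"
}

# make_demo_material DIR: constructed sample input built with the post's
# commands (30-day lifetimes; other.key is an unrelated key for the failure case).
make_demo_material() {
    ( cd "$1" &&
      openssl req -new -newkey rsa:2048 -days 30 -nodes -x509 -keyout ca.key \
          -out ca.crt -subj '/CN=FakeCA.com/O=FakeCA/C=US' &&
      openssl genrsa -out acme.key 2048 &&
      openssl rsa -in acme.key -pubout -out acme.pub &&
      openssl req -new -key acme.key -out acme.csr \
          -subj '/CN=acme.com/O=acme.com/C=US' &&
      openssl x509 -req -in acme.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
          -out acme.crt -days 30 &&
      openssl genrsa -out other.key 2048
    ) >/dev/null 2>&1
}

# Usage: sh check_keyring.sh ca.crt acme.crt acme.key
if [ "$#" -eq 3 ]; then check_keyring "$@"; fi
```

With a real CA, pass a file containing the intermediate and root certificates as the first argument.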

Now we have everything we need to start putting into MSO. Let’s do a quick recap of what we have and what we need.

Now, log into the MSO UI, go to Admin/Security/Certificate Authority and click on Add Certificate Authority.

Add the root CA’s certificate as shown below. In real life, you will put the intermediate and root CA certificates (in that order) from your CA instead.

Now, click on Key Ring / Add Key Ring.

Fill in as shown below. Please notice that where it says “Public Key” it actually requires the certificate that you got back from your CA. (I just opened bug CSCvw21988 for that.)

Next, you need to make the key ring active.

You are all done!