### How to apply a cert to the ASE version of MSO?

I was recently asked this question by a customer and I’m documenting how to do this for the benefit of everyone.

Before proceeding let’s gather all the items that we will need to make this happen.

Update 10/23/2020: For MSO (on SE) certs, the last action is to activate the key-ring. Unfortunately, that part will still fail because of bug CSCvv00400. This issue will not be there in ND 2.0 (Nexus Dashboard) and MSO 3.2. Maybe they will also fix it in a patched release of SE 1.1.3d, but I am not certain of that. I am still keeping this writeup, though, because it is very good guidance on certificates in general and covers much more than just MSO. You can use these procedures to generate and install certificates for many devices/systems.

Below is the issue you will see when trying to activate the key-ring (due to bug CSCvv00400).

What we will need:

1. CA’s root and Intermediate certificates
3. Your Certificate that you got from the CA

CA’s Root and Intermediate certificates

You should be able to get these from your CA’s website. The screenshot below shows DigiCert’s root/intermediate certificates.

In this example, I will not use a CA (I don’t have an account myself), so I will pretend to be my own CA (fake CA). For that reason, I’ll make a fake CA key and CA certificate.

openssl req -new -newkey rsa:2048 -days 36500 -nodes -x509 -keyout ca.key -out ca.crt -subj '/CN=FakeCA.com/O=FakeCA/C=US'

After doing this you will get a “ca.crt” and a “ca.key” file.

Next, you need to generate your private SSL key

openssl genrsa -out acme.key 2048

If you want, you can also extract the public key that pairs with the private key

openssl rsa -in acme.key -pubout -out acme.pub

Next, you need to generate the Certificate Signing Request (CSR)

openssl req -new -key acme.key -out acme.csr -subj '/CN=acme.com/O=acme.com/C=US'

Now you will need to submit the CSR to your CA (while logged in with your account) and obtain your certificate from the CA. In this fake scenario, I will sign the CSR with the fake CA’s private key and the ca.crt

openssl x509 -req -in acme.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out acme.crt -days 1000

It’s always good to verify your certificate

openssl x509 -in acme.crt -text
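Reading the text dump does not tell you whether the three files actually belong together, so the following added example (not part of the original post) scripts the checks worth running before an upload: the certificate chains to the CA, it matches the private key, and it has not expired. The function names `check_cert_bundle` and `make_sample` and the `other.key`/`other.crt` files are assumptions for illustration; the sample files are constructed with the same commands shown above.

```bash
#!/usr/bin/env bash
# Added example: pre-upload checks for the ca.crt / acme.key / acme.crt files.

# Prints "OK" and returns 0 only if the certificate chains to the CA,
# matches the private key, and has not expired.
check_cert_bundle() {
    ca="$1"; key="$2"; cert="$3"

    # 1. The certificate must verify against the CA certificate.
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 ||
        { echo "chain: FAIL"; return 1; }

    # 2. The public key embedded in the certificate must equal the one
    #    derived from the private key (otherwise the pair is unusable).
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    crt_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
    [ -n "$key_pub" ] && [ "$key_pub" = "$crt_pub" ] ||
        { echo "key match: FAIL"; return 1; }

    # 3. The certificate must not already be expired.
    openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1 ||
        { echo "expiry: FAIL"; return 1; }

    echo "OK"
}

# Constructed sample input: rebuilds the post's fake CA and acme files in
# directory $1, plus an unrelated CA (other.key/other.crt, hypothetical names)
# used for the negative cases.
make_sample() {
    (
        cd "$1" || exit 1
        openssl req -new -newkey rsa:2048 -days 36500 -nodes -x509 \
            -keyout ca.key -out ca.crt -subj '/CN=FakeCA.com/O=FakeCA/C=US' &&
        openssl genrsa -out acme.key 2048 &&
        openssl req -new -key acme.key -out acme.csr \
            -subj '/CN=acme.com/O=acme.com/C=US' &&
        openssl x509 -req -in acme.csr -CA ca.crt -CAkey ca.key \
            -CAcreateserial -out acme.crt -days 1000 &&
        openssl req -new -newkey rsa:2048 -days 30 -nodes -x509 \
            -keyout other.key -out other.crt -subj '/CN=OtherCA.example/O=Other/C=US'
    ) >/dev/null 2>&1
}

# Demo run on constructed files in a temporary directory.
tmp=$(mktemp -d)
make_sample "$tmp" &&
    check_cert_bundle "$tmp/ca.crt" "$tmp/acme.key" "$tmp/acme.crt"
```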

Now we have everything we need to start putting in MSO. Let’s do a quick recap of what we have and what we need.