Introduction
This document describes how to use the Cisco Application Policy Infrastructure Controller (APIC) - Extension Mobility (EM) API to create and delete the certificate. With IWAN, all of this is configured automatically. However, IWAN at this time has no flow to automatically recover a device from an expired certificate.
The good news is that some automation is available through the REST API. That automation is per device, however, and it needs some information about the device. This REST API flow, which sits outside the IWAN flow, is the mechanism used to automate the certificate for a device.
Background Information
Typical customer topology:
SPOKE --- HUB ----- APIC_EM [Controller]
These are the three situations:
- Certificate is expired.
- Certificate is not renewing.
- Certificate is not present at all.
How do you find the current state of the device?
Run the command Switch# sh cry pki cert.
There are two certificates; for each one, check the Associated Trustpoint field.
The end date is usually one year out and must be later than the start date.
If the trustpoint is sdn-network-infra-iwan, the device has both an ID and a CA certificate registered from APIC-EM.
How do you confirm that APIC-EM has the same certificate, that is, that APIC-EM knows about this certificate?
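The device-side check above (a valid ID and a valid CA certificate, both under the sdn-network-infra-iwan trustpoint) can be scripted against the sh cry pki cert output. This is an added example, not part of the original document; the sample output below is constructed in the usual IOS layout and is not captured from a real device.

```python
import re
from datetime import datetime, timezone
# Constructed sample of "show crypto pki certificates" output; not captured from a real device.
SAMPLE_OUTPUT = """\
Certificate
  Subject:
    Name: HUB2
    serialNumber=SSI161908CX
  Validity Date:
    start date: 10:21:02 UTC Mar 1 2017
    end   date: 10:21:02 UTC Mar 1 2018
  Associated Trustpoints: sdn-network-infra-iwan

CA Certificate
  Validity Date:
    start date: 09:00:00 UTC Jan 15 2016
    end   date: 09:00:00 UTC Jan 15 2026
  Associated Trustpoints: sdn-network-infra-iwan
"""
IWAN_TRUSTPOINT = "sdn-network-infra-iwan"

def parse_ios_date(text):
    """Parse an IOS validity timestamp such as '10:21:02 UTC Mar 1 2017' as an aware UTC datetime."""
    return datetime.strptime(text.strip(), "%H:%M:%S %Z %b %d %Y").replace(tzinfo=timezone.utc)

def parse_certificates(output):
    """Split the command output into one dict per certificate block (blocks are blank-line separated)."""
    certs = []
    for block in re.split(r"\n\s*\n", output.strip()):
        lines = block.splitlines()
        tp = re.search(r"Associated Trustpoints:\s*(\S+)", block)
        start = re.search(r"start date:\s*(.+)", block)
        end = re.search(r"end\s+date:\s*(.+)", block)
        certs.append({
            "kind": lines[0].strip(),                 # "Certificate" (ID cert) or "CA Certificate"
            "trustpoint": tp.group(1) if tp else None,
            "start": parse_ios_date(start.group(1)),
            "end": parse_ios_date(end.group(1)),
        })
    return certs

def iwan_state(certs, now):
    """Classify the device into the document's three situations: 'ok', 'expired' or 'missing'."""
    iwan = [c for c in certs if c["trustpoint"] == IWAN_TRUSTPOINT]
    kinds = {c["kind"] for c in iwan}
    if not {"Certificate", "CA Certificate"} <= kinds:
        return "missing"      # no ID or no CA certificate under sdn-network-infra-iwan
    if any(not (c["start"] <= now <= c["end"]) for c in iwan):
        return "expired"      # at least one certificate is outside its validity window
    return "ok"
```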
a. Run show version on the device and collect the serial number.
With this serial number you can query APIC-EM to find out what APIC-EM knows about this device.
b. Navigate to API Documentation.
c. Click on Public Key Infrastructure (PKI) Broker.
d. Click the first API, which shows the status from the API side.
Click GET.
In the input field, enter the serial number collected from the show version output of the device.
Click Try it out!.
Compare the output with the sh cry pki cert output of the device.
How to delete the certificate from the device?
Sometimes the certificate exists on the device but not in APIC-EM, which is why the GET API returns an error message.
The only solution is to delete the certificate from the device:
a. Switch# show run | i trustpoint
Run the command Switch# no crypto pki trustpoint <trustpoint name>.
This command deletes all certificates on the device associated with the selected trustpoint.
Re-check that the certificate is deleted.
Use the command: Switch# sh cry pki cert.
It should no longer show the sdn trustpoint that was deleted.
b. Deletion of the key:
Run the command on the device: Switch# sh cry key mypubkey all.
You will see that the key name starts with sdn-network-infra.
Command to delete the key:
2. Ensure that the APIC-EM interface connected to the device is reachable by ping.
APIC-EM may have two interfaces, one public and one private. In that case, ensure that the APIC-EM interface that communicates with the device and the device can ping each other.
How to Apply Certificate from APIC - EM?
In APIC-EM, click API Documentation and select PKI Broker; this option is available there.
POST/trust-point
- This creates the certificate within APIC-EM.
You then need to enter the device information and click Try it out!.
Example:
{
"platformId":"ASR1001",
"serialNumber":"SSI161908CX",
"trustProfileName":"sdn-network-infra-iwan",
"entityType":"router",
"entityName":"HUB2"
}
- The highlighted information (the trustProfileName) is static; everything else is dynamic.
- Entity name is the hostname of the device.
- Serial number is the one you got from the show version output of the device.
- Entity type can be changed based on the device type.
- This information tells APIC-EM to configure the device; APIC-EM identifies the device by the serial number.
Output of Try it out!:
This output means that the file has been created internally by APIC-EM and is now ready to deploy to the device.
The next step is to push this device into the bundle. To push, you need the trust point ID, which you get via a GET API call.
GET/trust-point/serial-number/{serialNumber} - Query
It returns the following output, which means that APIC-EM has the certificate with this ID to push to the device.
Push the certificate to the device.
POST/trust-point/{trustPointId} // trustPointId needs to be copied from GET Serial Number Query
{
"response": {
"platformId": "ASR1001",
"serialNumber": "SSI161908CX",
"trustProfileName": "sdn-network-infra-iwan",
"entityName": "HUB2",
"entityType": "router",
"certificateAuthorityId": "f0bd5040-3f04-4e44-94d8-de97b8829e8d",
"attributeInfo": {},
"id": "c4c7d612-9752-4be5-88e5-e2b6f137ea13"
},
"version": "1.0"
}
This pushes the certificate to the device, provided there is proper connectivity.
Response Success Message:
Recheck on device:
You see that both certificates are now present on the device:
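The three API calls above (look up by serial number, POST /trust-point if APIC-EM has no entry, then POST /trust-point/{trustPointId} to push) can be chained into one recovery routine. This is an added example and not Cisco's or the document's own code; the controller URL and the X-Auth-Token header value are assumed placeholders, and FakeBroker is a constructed stand-in so the flow can be exercised without a controller.

```python
import json
import urllib.request
# Assumed placeholders (not from the document): controller URL and API token.
BASE_URL = "https://apic-em.example.invalid/api/v1"
AUTH_TOKEN = "REPLACE-WITH-APIC-EM-SERVICE-TICKET"

def http_call(method, path, body=None):
    """Live transport: JSON request to the PKI broker, authenticated with X-Auth-Token (assumed)."""
    hdrs = {"Content-Type": "application/json", "X-Auth-Token": AUTH_TOKEN}
    data = json.dumps(body).encode() if body is not None else None
    with urllib.request.urlopen(urllib.request.Request(BASE_URL + path, data, hdrs, method=method)) as r:
        return json.load(r)

def trust_point_body(platform_id, serial, entity_name, entity_type="router"):
    """Body for POST /trust-point: only trustProfileName is static, the rest comes from the device."""
    return {"platformId": platform_id, "serialNumber": serial, "trustProfileName": "sdn-network-infra-iwan",
            "entityType": entity_type, "entityName": entity_name}

def recover_trust_point(call, platform_id, serial, entity_name, entity_type="router"):
    """GET by serial; POST /trust-point if APIC-EM has no entry; GET the id; POST /trust-point/{id}."""
    made = []                                # (method, path) of every call, returned for inspection
    def do(method, path, body=None):
        made.append((method, path))
        return call(method, path, body)
    try:
        found = do("GET", f"/trust-point/serial-number/{serial}")
    except Exception:                        # the lookup errors when APIC-EM has no entry for the serial
        found = None
    if not found or not found.get("response", {}).get("id"):
        do("POST", "/trust-point", trust_point_body(platform_id, serial, entity_name, entity_type))
        found = do("GET", f"/trust-point/serial-number/{serial}")
    tp_id = found["response"]["id"]
    do("POST", f"/trust-point/{tp_id}")      # pushes the certificate to the device
    return tp_id, made

class FakeBroker:
    """Constructed in-memory stand-in for the PKI broker so the flow can run offline."""
    def __init__(self):
        self.entries, self.pushed = {}, []
    def __call__(self, method, path, body=None):
        key = path.rsplit("/", 1)[1]         # serial number or trust-point id
        if method == "GET":
            if key not in self.entries:
                raise RuntimeError("404: no trust-point for serial " + key)
            return {"response": self.entries[key], "version": "1.0"}
        if path == "/trust-point":           # create: store the body with a constructed id
            self.entries[body["serialNumber"]] = dict(body, id="tp-" + body["serialNumber"])
            return {"response": self.entries[body["serialNumber"]], "version": "1.0"}
        self.pushed.append(key)              # POST /trust-point/{id}: push to the device
        return {"response": "success", "version": "1.0"}
```

For a live run, pass http_call as the call argument instead of a FakeBroker instance.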
Sometimes APIC-EM has the certificate but the device does not. How do you resolve this?
There is a background task through which you can delete the certificate from APIC-EM only.
This covers the case where the customer deletes the certificate from the device by mistake while it is still present in APIC-EM.
Click DELETE.
DELETE/trust-point/serial-number/{serialNumber} - Delete.
Enter the serial number and click Try it out!.