HTTPS Certificates Setup

CVP uses nginx to front and terminate all HTTPS connections. To support HTTPS, the server must be configured with a certificate. A self-signed certificate is generated at first bootup.

The guidelines to import a certificate are:

  • Correctly fill the Subject Alternate Name (SAN) IP and DNS fields in both signed and self-signed certificates:

    • The SAN IP field must contain the IP addresses of all CVP cluster nodes; and the IP address of any IP load balancer used in front of CVP.

    • The SAN DNS field must contain the Fully Qualified Domain Name (FQDN) of the following elements:
      • All CVP cluster nodes
      • Any Canonical Names (CNAMES) and round-robin DNS names
      • Any IP load balancer used in front of CVP
    Note: Zerotouch Provisioning (ZTP) and REST API calls can fail if signed certificates are uploaded without appropriate data in SAN fields.
  • When importing a CVP certificate signed by an internal Certificate Authority (CA), the uploaded file must sequentially contain the full trust chain of PEM-encoded certificates like a server certificate, all intermediate certificates (if available), and a root certificate.
  • Leave an empty line between every two certificates when importing multiple certificates into a single file.
    Note: Do not leave an empty line at the end of the file.
  • If the server certificate is self-signed then the server and root certificates are one-and-the-same, so only that single certificate is required.
  • CVP does not support wildcard certificates.

To install an HTTPS certificate, navigate to the Settings page (Click on the gear icon) > Certificates (See the figure below).

Figure 1. Certificates Page

Install the certificate using one of the following methods:

Generating and Installing Self-Signed Certificate

Perform the following steps to generate and install a self-signed certificate:
  1. On the Certificates page, click + Add.
    CVP opens the Add CVP Certificate pop-up window. See the figure below.
    Figure 2. Add CVP Certificate Pop-Up Window
  2. Select Self Signed Certificate from the Certificate Type drop-down menu.
  3. Provide the required information.
  4. Click Add.
    CVP opens the Confirm pop-up window informing that the existing certificate will be replaced. See the figure below.
    Figure 3. Confirm Pop-Up Window
  5. Click OK.
    CVP replaces the certificate and restarts the nginx service.
    Note: When CVP is restarted, add an exception in the browser for the new certificate.

Installing Public Certificate

Perform the following steps to install a public certificate:
  1. On the Certificates page, click Import.
    CVP opens the Import CVP Certificate pop-up window. See the figure below.
    Figure 4. Import CVP Certificate Pop-Up Window
  2. Select Available Certificate from the Import type drop-down menu.
  3. Upload private key and public certificate.
  4. (Optional) Provide passphrase.
  5. Click Import.
    CVP replaces the certificate and restarts the nginx service.
    Note: When CVP is restarted, add an exception in the browser for the new certificate.

Creating a CSR

A server Certificate Signing Request (CSR) file can be created by either your internal CA (along with an associated server key) or via CVP.

Perform the following steps to create a CSR:
  1. On the Certificates page, click + Add.
    CVP opens the Add CVP Certificate pop-up window.
  2. Select Certificate Signing Request from the Certificate Type drop-down menu.
    See the figure below.
    Figure 5. Add CVP Certificate Dialogbox for CSR
  3. Provide the required information in all fields.
  4. Click Add.
    CVP opens the Add CVP Certificate dialog box displaying the complete CSR information. See the figure below.
    Figure 6. Add CVP Certificate Dialogbox with CSR Details
  5. Click Download to download the CSR file.
    Note: The CA provides the root key (For example, myCA.key) and and root certificate (For example, myCA.pem).
  6. Create a configuration file to define the SAN fields.
    Example:
    bash-4.2# cat cvp100.nh.aristanetworks.com.ext
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names

[alt_names]
DNS.1 = cvp100.nh.aristanetworks.com
DNS.2 = cvp100.nh
DNS.3 = cvp11.nh.aristanetworks.com
DNS.4 = cvp11.nh
DNS.5 = cvp12.nh.aristanetworks.com
DNS.6 = cvp12.nh
DNS.7 = cvp13.nh.aristanetworks.com
DNS.8 = cvp13.nh
IP.1 = 10.81.45.243
IP.2 = 10.81.45.247
IP.3 = 10.81.45.251
  7. Run the following command to generate a signed certificate from the downloaded CSR file. 
    openssl x509 -req -in downloaded_file -CA root_certificate -CAkey root_key -CAcreateserial
    -out updated_certificate_filename -days validity_period_in_days -sha256 -extfile SAN_DNS_IP_ext_filename
    Example: 
    openssl x509 -req -in CSR.csr -CA myCA.pem -CAkey myCA.key -CAcreateserial -out cvp100.nh.aristanetworks.com.gui2.crt -days 365 -sha256 -extfile cvp100.nh.aristanetworks.com.ext
  8. Edit the new certificate file to add the root certificate at the end of the file.
    Example:
    bash-4.2# cat cvp100.nh.aristanetworks.com.gui2.crt
-----BEGIN CERTIFICATE-----
MIIEqz2N2cDEzLm5oLmFyaXN0YW5ldHdvcmtzLmNvbYIIY3ZwMTMubmiHBApRLfOH
[snip]
Ta7HF9MPgnc5XOlVN2PRWkEuPN1JFEuj7xute41NuTBmnqoAeuhdTbVpxuBEeoY=
-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----
MIID6zCCAtOgAwIBAgIJANW5kelAXMzhMA0GCSqGSIb3DQEBCwUAMIGLMQswCQYD
[snip]
2QoyIITDLQor1I/2z+RDHWCx8wEiYrsYkyzZDm/7NeGqfygXjnVJwfJBjtjpB8Y=
-----END CERTIFICATE-----
bash-4.2#
    Note: In case of intermediate certificates, add them between the new certificate and the root certificate.
  9. In the CVP, click on the gear icon > Certificates.
  10. Click Import.
    CVP opens the Import CVP Certificate dialog box.
    Figure 7. Import CVP Certificate to Bind with CSR
  11. Select Bind with CSR in the Import type dropdown menu.
  12. In the Public Certificate section, click Select files.
  13. Navigate and select the edited crt file.
  14. Click Import.

Renewing the Certificate Authority

Note: The device communication will be disrupted when these steps are executed.

The Certificate Authority (CA) in the on-premise CVP can be renewed with the following steps:

  1. SSH into the primary.
  2. Reset the Certificate Authority (CA) and stop apiserver and ingest with the following commands.
    yes | cvpi reset ca-init-v1 
cvpi stop ingest 
cvpi stop apiserver
  3. Renew CA and aeris admin certificates with the following commands. 
    cvpi init ca-init-v1 
/cvpi/apps/aeris/bin/create-admin-cert.sh
  4. Restart all stopped components. 
    cvpi start all
  5. Re-onboard all devices from the Device Onboarding page.