The Apstra Edge connects to Data Center Assurance using the management URL provided
during the Data Center Assurance onboarding process. This management URL is configured with an
IP address, but the default SSL cert configured in Apstra's Nginx controller only lists
DNS:apstra.com as the Subject Alternative Name (SAN). Use these steps to
generate a new SSL cert with a SAN containing an Apstra management IP.
To replace the SSL cert of Apstra's Nginx
controller:
- Follow the steps in "Replace SSL Certificate on Apstra Server with Self-Signed
One" to replace the certs in Apstra.
Note: During Step 3, add an extra SAN entry with the desired management IP. The
following command creates a cert that is valid for 3 years (-days 1095). Change
the -days value to suit your time requirement.
root@user:~# cd /etc/aos/nginx.conf.d/
root@user:/etc/aos/nginx.conf.d# openssl req -newkey rsa:2048 -nodes -keyout nginx.key -x509 -days 1095 -out nginx.crt -addext extendedKeyUsage=serverAuth -addext subjectAltName=DNS:apstra.com,IP:<IP-address-of-Juniper-Cloud-Services-URL>
Note: To check the new cert, use the following command:
root@user:/etc/aos/nginx.conf.d# openssl x509 -in nginx.crt -text -noout
- Generate a new CA cert.
root@user:/etc/aos/nginx.conf.d# openssl x509 -in nginx.crt -inform PEM -outform PEM -out <ip-of-apstra>_ca.cert.pem -days 1095
- Copy the generated CA cert into the host directory where you plan to install the
Apstra Edge container.
cp /tmp/<ip-of-apstra>_ca.cert.pem /etc/ssl/certs
- Continue with Step 7 of the Apstra Edge Container Deployment process.
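
A scripted form of the cert check from the note above, as an added example that is not part of the Juniper procedure: it builds one cert with only DNS:apstra.com and one with the extra IP SAN, then confirms that only the second is valid for the management IP when verified against itself as the CA file. The address 192.0.2.10, the -subj value, the temporary directory and the function names are assumptions made for the example.

```shell
#!/bin/sh
# Added example. All values are constructed: 192.0.2.10 is a documentation
# address standing in for the Apstra management IP.

# make_cert <dir> <san-list>: self-signed cert in the style of the command
# above; -subj is added (an assumption) so it runs without prompts.
make_cert() {
    openssl req -newkey rsa:2048 -nodes -keyout "$1/nginx.key" -x509 \
        -days 1095 -out "$1/nginx.crt" -subj "/CN=apstra.com" \
        -addext extendedKeyUsage=serverAuth \
        -addext "subjectAltName=$2" 2>/dev/null
}

# cert_matches_ip <cert> <ip>: true only if an IP SAN in the cert equals <ip>.
# The printed verdict is parsed rather than relying on the exit status.
cert_matches_ip() {
    openssl x509 -in "$1" -noout -checkip "$2" |
        grep -q 'does match certificate'
}

# trusted_for_ip <ca-file> <cert> <ip>: what a TLS client does when it
# connects by IP: chain the cert to the CA file, then match the address.
trusted_for_ip() {
    openssl verify -CAfile "$1" -verify_ip "$3" "$2" >/dev/null 2>&1
}

# report <label> <cert> <ip>: print PASS/FAIL for both checks, using the
# cert itself as the CA file because it is self-signed.
report() {
    if cert_matches_ip "$2" "$3" && trusted_for_ip "$2" "$2" "$3"; then
        echo "$1: PASS (valid for $3)"
    else
        echo "$1: FAIL (no usable IP SAN for $3)"
    fi
}

MGMT_IP=192.0.2.10
work=$(mktemp -d)
mkdir "$work/default" "$work/new"
make_cert "$work/default" "DNS:apstra.com"
make_cert "$work/new" "DNS:apstra.com,IP:$MGMT_IP"
report "DNS-only SAN" "$work/default/nginx.crt" "$MGMT_IP"
report "DNS + IP SAN" "$work/new/nginx.crt" "$MGMT_IP"
```

The scratch directory in $work is left in place so the generated certs can be inspected with the openssl x509 -text command shown earlier.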