Description
Problem Statement
The Cisco NX-OS gNOI API for the LoadCertificateRequest endpoint (see here) does not allow setting a ca_certificate, which prevents installing certificates from a private CA. Because the field is missing, the client cannot validate the chain of trust: the installed certificate cannot be linked to its issuing CA. This restriction effectively limits certificate installation to self-signed certificates only.
This script can be run to trigger the condition.
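To make the chain-of-trust failure concrete, the following Go program is an added example (not part of this issue or any Cisco or gNOI code): it builds a throwaway private CA in memory, issues a device certificate from it, and then verifies that certificate twice with Go's standard crypto/x509 verifier, once with only the device certificate available (what a client is left with when the issuing CA cannot be installed alongside it) and once with the CA supplied as a trust anchor. The hostname "switch01.example.net" and the CA name are assumptions; no device, network or bootflash is touched.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// DeviceName is the hypothetical switch hostname placed in the leaf certificate.
const DeviceName = "switch01.example.net"

// Chain is a constructed private CA plus the device certificate it issued.
type Chain struct {
	CA     *x509.Certificate
	Device *x509.Certificate
}

// BuildChain creates a throwaway private CA and issues a device certificate
// from it, mirroring a private PKI whose root is in no public trust store.
func BuildChain() (*Chain, error) {
	now := time.Now()
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Private CA"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(48 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	caCert, err := x509.ParseCertificate(caDER)
	if err != nil {
		return nil, err
	}
	devKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	devTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: DeviceName},
		DNSNames:     []string{DeviceName},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	// The leaf is signed by the CA key, so its chain ends at caCert and nowhere else.
	devDER, err := x509.CreateCertificate(rand.Reader, devTmpl, caCert, &devKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	devCert, err := x509.ParseCertificate(devDER)
	if err != nil {
		return nil, err
	}
	return &Chain{CA: caCert, Device: devCert}, nil
}

// VerifyDevice validates the device certificate the way a gRPC/gNOI client
// does on connect: the chain must terminate at one of the supplied anchors.
// An explicitly empty pool is used so the OS trust store is never consulted.
func VerifyDevice(dev *x509.Certificate, anchors []*x509.Certificate) error {
	pool := x509.NewCertPool()
	for _, a := range anchors {
		pool.AddCert(a)
	}
	_, err := dev.Verify(x509.VerifyOptions{
		Roots:     pool,
		DNSName:   DeviceName,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// IsUnknownAuthority reports whether err is the "no path to a trusted CA"
// failure a client gets when the issuing CA was never made available.
func IsUnknownAuthority(err error) bool {
	var uae x509.UnknownAuthorityError
	return errors.As(err, &uae)
}

func main() {
	c, err := BuildChain()
	if err != nil {
		panic(err)
	}
	fmt.Println("device cert only:", VerifyDevice(c.Device, nil))
	fmt.Println("device cert + issuing CA:", VerifyDevice(c.Device, []*x509.Certificate{c.CA}))
}
```

The first verification fails with an unknown-authority error and the second succeeds; the only difference between them is whether the issuing CA certificate travelled with the device certificate, which is precisely what the missing ca_certificate field prevents.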
Vendor Acknowledgement
Cisco has labeled this issue as a feature request rather than a bug, but we argue that in conjunction with #161, the gNOI endpoint cannot handle private CA installations at all. See CSCws33167.
Additionally, this gNOI endpoint leaks private keys to the disk by running crypto ca import $trustpoint pkcs bootflash:temp_pkcs_$hex_value cisco123 in the background, where cisco123 is a static password used on every import.
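Because the import writes a PKCS#12 bundle named temp_pkcs_<hex> to bootflash: and protects it with a password that is the same on every device, any such file left behind is worth treating as exposed key material. The following Go program is an added defensive check, not code from this issue or from Cisco: it scans the text of a bootflash directory listing for temp_pkcs_* names so an operator can audit switches for lingering bundles after a gNOI certificate install. The listing embedded below is constructed, and its column layout only approximates NX-OS "dir bootflash:" output.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strings"
)

// tempPKCSName matches the temp_pkcs_<hex> file names the issue reports the
// gNOI certificate install creating on bootflash:.
var tempPKCSName = regexp.MustCompile(`\btemp_pkcs_[0-9a-fA-F]+\b`)

// FindLeftoverPKCS scans a bootflash directory listing line by line and returns
// every temp_pkcs_* file name it contains, in order of appearance.
func FindLeftoverPKCS(listing string) []string {
	var found []string
	sc := bufio.NewScanner(strings.NewReader(listing))
	for sc.Scan() {
		if name := tempPKCSName.FindString(sc.Text()); name != "" {
			found = append(found, name)
		}
	}
	return found
}

// SampleListing is a constructed listing, not output captured from a device.
const SampleListing = `       4096    Jan 10 08:15:02 2024  .rpmstore/
  987654321    Jan 10 08:20:41 2024  nxos-image.bin
       2811    Feb 02 14:03:19 2024  temp_pkcs_3fa9c0d1
        613    Feb 02 14:03:19 2024  startup-config.bak
       2793    Mar 15 09:47:55 2024  temp_pkcs_0b77e2aa
`

func main() {
	for _, name := range FindLeftoverPKCS(SampleListing) {
		fmt.Println("leftover PKCS#12 bundle on bootflash:", name)
	}
}
```

In practice the listing text would come from the device over whatever management channel is already in use; the matching logic itself does not depend on how it was collected.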
Workarounds
Provision and manage TLS certificates via ZTP and NX-API for better security and control over the certificate installation process.