Secure NX-API calls using HTTPS with a self-signed certificate.

Cisco's NX-API documentation states:

NX-API is an enhancement to the Cisco Nexus 9000 Series CLI system, which supports XML output. NX-API also supports JSON output format for specific commands.

  • NX-API uses HTTP/HTTPS as its transport. CLIs are encoded into the HTTP/HTTPS POST body.
  • NX-API supports HTTPS. All communication to the device is encrypted when you use HTTPS.
  • NX-API is integrated into the authentication system on the device. Users must have appropriate accounts to access the device through NX-API. NX-API uses HTTP basic authentication. All requests must contain the username and password in the HTTP header. You should consider using HTTPS to secure your user's login credentials.


First, generate a self-signed certificate off-box, then copy the files to the switch supervisor(s) and configure the NX-API feature with HTTPS using the self-signed certs.

Generate a Certificate

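  1. Generate a self-signed certificate off-box, using OpenSSL on any Linux host.

    The -nodes argument is used because NX-OS cannot import a passphrase-encrypted key file; ref: CSCva75989... This bug is still present in NX-OS version 7.0(3)I7(4). With -nodes the private key is written to nxapi-key.pem unencrypted, so restrict access to that file on the host where it is generated.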

    openssl req -x509 -newkey rsa:4096 -keyout nxapi-key.pem -out nxapi-cert.pem -days 36500 -nodes

Copy the Files

  1. Create a directory on the active supervisor to store the certs (optional), then copy the files to the switch.

    Replace {username}, {server}, and {path} in the following commands accordingly.

    mkdir bootflash:nxapi
    copy scp://{username}@{server}/{path}/nxapi-cert.pem bootflash://sup-1/nxapi/
    copy scp://{username}@{server}/{path}/nxapi-key.pem bootflash://sup-1/nxapi/
  2. Copy the files over to the standby supervisor (into the same directory), if it exists.

    mkdir bootflash://sup-2/nxapi
    copy bootflash://sup-1/nxapi/nxapi-cert.pem bootflash://sup-2/nxapi/
    copy bootflash://sup-1/nxapi/nxapi-key.pem bootflash://sup-2/nxapi/

Configure the Switch

  1. Enter configuration mode and enable the NX-API feature on the switch.

    feature nxapi
  2. Disable HTTP API access, define the HTTPS port, and specify the VRF (all optional).

    no nxapi http
    nxapi https port 8443
    nxapi use-vrf management
  3. Configure NX-API to use the self-signed certificates.

    nxapi certificate httpscrt certfile bootflash:nxapi/nxapi-cert.pem
    nxapi certificate httpskey keyfile bootflash:nxapi/nxapi-key.pem
    nxapi certificate enable
  4. Remember to write the config.

    copy run start
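
Client side, as an added example (not part of the original page or Cisco's code): a Python caller that reaches the HTTPS listener configured above and trusts only nxapi-cert.pem, instead of turning certificate verification off. The /ins endpoint and JSON-RPC body follow Cisco's NX-API documentation; the function names, host and credentials are placeholders assumed for illustration.

```python
import base64
import json
import ssl
import urllib.request


def pinned_context(cert_file):
    """TLS context whose only trust anchor is the switch's self-signed cert."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # verify_mode = CERT_REQUIRED
    ctx.load_verify_locations(cafile=cert_file)    # no system CAs are loaded
    # The openssl command on this page adds no subjectAltName, so this example
    # skips hostname matching and relies on the pinned certificate alone.
    ctx.check_hostname = False
    return ctx


def build_request(host, port, user, password, command):
    """JSON-RPC "cli" POST for the NX-API /ins endpoint, with HTTP basic auth."""
    body = [{"jsonrpc": "2.0", "method": "cli",
             "params": {"cmd": command, "version": 1}, "id": 1}]
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return urllib.request.Request(
        f"https://{host}:{port}/ins",
        data=json.dumps(body).encode(),
        headers={"Content-Type": "application/json-rpc",
                 "Authorization": f"Basic {token}"},
        method="POST",
    )


def run_cli(host, port, user, password, command, cert_file):
    """Send one CLI command; urlopen raises URLError if the cert does not verify."""
    req = build_request(host, port, user, password, command)
    ctx = pinned_context(cert_file)
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return json.load(resp)

# Usage (placeholder values; 8443 is the port set in the configuration above):
#   run_cli("192.0.2.10", 8443, "admin", "password", "show version",
#           "nxapi-cert.pem")
```

If the certificate on the switch is ever replaced, the call fails until the client's copy of nxapi-cert.pem is updated, which is the intended behaviour of pinning.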