Amod Augustin
Cisco Employee

Introduction

This document describes the recommended procedure for determining the Root CA chain of a given certificate in a Cisco SD-WAN Enterprise CA deployment, using the SD-WAN Manager certificate as the example.

 

Problem

In an enterprise deployment of Cisco Catalyst SD-WAN Manager (formerly vManage), it is possible to have multiple issuer certificates, some of which share the same Common Name (CN). This introduces ambiguity when determining the correct certificate chain, especially when the certificates were issued by different Issuing Certificate Authorities (CAs) and their validity periods overlap.

This document shows how to determine the Root CA chain for any given certificate, using the SD-WAN Manager certificate as an illustrative example. Identifying the right issuer ensures the certificate validates against the intended chain and avoids mistakes when certificates are checked or renewed later in their lifecycle.

Assume the current date is January 2025, so that both the Manager certificate and the Issuing CA certificates shown below are still within their validity periods.

Figure 1: Multiple CAs with the same name in RootCA Management

 

Solution

Step 1:

Download the SD-WAN Manager certificate file from the SD-WAN Manager GUI.

Figure 2: SD-WAN Manager Certificate

Step 2:

Download the entire Root CA bundle from SD-WAN Manager. Connect to SD-WAN Manager via SSH, enter vshell, and display the bundle (copy the output to your workstation):

vmanage# vshell
vmanage:~$ more /usr/share/viptela/root-ca.crt

Now that we have two certificate files to compare, let's name the SD-WAN Manager certificate manager.pem and keep root-ca.crt as it is; as long as the contents are PEM (Base64 ASCII between BEGIN/END CERTIFICATE markers), the file extension has no influence on openssl.

We are going to use the openssl command on a Unix-like machine.

Let's read what is inside manager.pem:

openssl x509 -in manager.pem -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            16:00:3e:04:da:d9:5a:24:71:8e:d0:16:2f:00:01:00:3e:04:da
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: DC=com, DC=CorpABC, DC=internal, CN=CorpABCA1IssuingCA01
        Validity
            Not Before: Mar 9 15:38:43 2024 GMT
            Not After : Mar 9 15:38:43 2026 GMT
        Subject: C=US, ST=CT, L=Bloomfield, O=CorpABC, OU=SSL, OU=SSL, CN=vmanage-8453945e-2b16-4bba-a629-d5b53c7abdf9-3.CorpABC.com, emailAddress=GNSRemoteConnectivityEngineering@CorpABC.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:cd:27:4e:a4:4d:c7:94:5e:2a:19:04:f1:d8:a4:
                    2f:d7:a4:3f:aa:42:4c:96:f3:36:d7:4e:43:12:b6:
                    81:99:5a:37:f3:ef:9f:de:c2:ed:da:7e:ef:2b:da:
                    18:b8:26:8a:39:ce:c0:08:f7:54:87:14:ec:49:f9:
                    7b:cb:39:d4:82:f3:f1:2f:fc:80:cf:e1:69:49:af:
                    <snip/>
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            Microsoft Application Policies Extension:
                0.0 ..+.......0 ..+.......
            Microsoft certificate template:
                0..&+.....7.....`...!.......R...uI...f......d...
            Authority Information Access:
                CA Issuers - URI:ldap:///CN=CorpABCA1IssuingCA01,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=root,DC=w2k?cACertificate?base?objectClass=certificationAuthority
                CA Issuers - URI:http://crl.sys.CorpABC.com/CorpABCA1IssuingCA01(1).crt
                OCSP - URI:http://crl.sys.CorpABC.com/ocsp
            X509v3 Subject Key Identifier:
                55:88:2D:4A:F0:3A:42:67:7D:2A:DB:A8:AC:22:EB:5F:06:31:03:15
            X509v3 Key Usage:
                Digital Signature, Key Encipherment
            X509v3 CRL Distribution Points:
                Full Name:
                  URI:ldap:///CN=CorpABCA1IssuingCA01(1),CN=CIWISCAP0001,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=root,DC=w2k?certificateRevocationList?base?objectClass=cRLDistributionPoint
                  URI:http://crl.sys.CorpABC.com/CorpABCA1IssuingCA01(1).crl
            X509v3 Authority Key Identifier:
                84:41:39:F5:4D:E4:0C:84:C7:58:42:13:77:63:7A:3A:9A:42:84:1E
            X509v3 Extended Key Usage:
                TLS Web Client Authentication, TLS Web Server Authentication
            X509v3 Subject Alternative Name:
                DNS:vmanage-8453945e-2b16-4bba-a629-d5b53c7abdf9-3.CorpABC.com
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value:
        78:37:90:56:19:b1:a2:9b:b6:2b:9a:78:29:d6:80:fd:90:1f:
        72:67:07:ae:2b:59:76:e1:1c:37:21:6d:1a:bc:66:51:ac:7b:
        60:1e:74:22:8f:04:2b:f8:18:56:2c:ca:d9:d1:14:34:1a:a8:
        cf:68:09:3f:26:b3:e0:60:dc:e0:09:77:af:0d:83:56:70:ae:
        8d:ff:e8:4c:b9:ca:df:a9:0a:ad:65:7d:53:be:ca:f7:db:95:
        <snip/>

Take note of the X509v3 Authority Key Identifier (AKI). It must match the X509v3 Subject Key Identifier (SKI) of the Issuing CA certificate, which we will find in the next step. Keep in mind that the key identifier is derived from the CA's public key, not from the certificate: if an Issuing CA was renewed with the same key pair, the old and the new CA certificate carry the same SKI, and only the validity period (and a signature check with openssl verify) can tell them apart. The CN is never a reliable selector, which is exactly the problem shown in Figure 1.

Now let's read root-ca.crt. Since the file is a chain of concatenated certificates, and openssl x509 only prints the first certificate in a file, we wrap the bundle in a PKCS#7 structure so that every certificate is printed. Iterate through the output until you find the certificate whose SKI equals the AKI of the Manager certificate, then use that SKI to locate the matching Issuing CA in RootCA Management (refer to Figure 1: Multiple CAs with the same name in RootCA Management).

openssl crl2pkcs7 -nocrl -certfile root-ca.crt | openssl pkcs7 -print_certs -noout -text
<snip>
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            24:00:00:00:0e:de:60:be:71:37:f3:6a:77:00:00:00:00:00:0e
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: DC=com, DC=CorpABC, DC=internal, CN=CorpABCA1PolicyCA
        Validity
            Not Before: May 1 15:42:00 2023 GMT
            Not After : May 1 15:42:00 2025 GMT
        Subject: DC=com, DC=CorpABC, DC=internal, CN=CorpABCA1IssuingCA01
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
                Modulus:
                    00:e6:27:0a:07:74:a8:b2:ec:48:b8:25:10:24:f8:
                    ab:1b:76:fd:11:cf:e1:6a:b6:ab:ab:00:58:07:6e:
                    fa:34:0e:ab:99:b7:e8:4f:2a:87:69:9e:ca:9e:3f:
                    <snip/>
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            1.3.6.1.4.1.311.21.1:
                .....
            1.3.6.1.4.1.311.21.2:
                ..-...XgJ....D..y.....
            X509v3 Subject Key Identifier:
                84:41:39:F5:4D:E4:0C:84:C7:58:42:13:77:63:7A:3A:9A:42:84:1E
            Microsoft certificate template:
                0..&+.....7.....`...!.......R...uI...4......d..
            X509v3 Key Usage:
                Digital Signature, Certificate Sign, CRL Sign
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Authority Key Identifier:
                F1:A5:99:20:14:63:50:AD:DC:C7:BC:E5:86:F4:A4:DC:29:6C:52:ED
            X509v3 CRL Distribution Points:
                Full Name:
                  URI:ldap:///CN=CorpABCA1PolicyCA,CN=CIWCAOPP0001,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=root,DC=w2k?certificateRevocationList?base?objectClass=cRLDistributionPoint
                  URI:http://crl.sys.CorpABC.com/CorpABCA1PolicyCA.crl
            Authority Information Access:
                CA Issuers - URI:ldap:///CN=CorpABCA1PolicyCA,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=root,DC=w2k?cACertificate?base?objectClass=certificationAuthority
                CA Issuers - URI:http://crl.sys.CorpABC.com/CorpABCA1PolicyCA.crt
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value:
        61:cd:be:2a:d6:a2:15:7a:c1:5e:83:62:0f:32:56:b6:f6:d9:
        fa:8f:89:ea:1d:d6:3a:04:c4:a4:2a:5c:f9:d9:ea:7d:f8:c6:
        ec:c8:16:14:a5:fb:70:77:13:07:6c:c0:c4:8b:5b:f8:5f:84:
        <snip/>
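The same Step 1 and Step 2 procedure, automated as a script. This is an added example and not part of the original article or any Cisco code: it builds a throwaway PKI in a temporary directory (root CA, policy CA, an old and a renewed Issuing CA that share the CN CorpABCA1IssuingCA01 but use different keys, and a Manager-style leaf signed by the renewed one), concatenates the CAs into a bundle that plays the role of /usr/share/viptela/root-ca.crt, and then resolves the leaf's chain by matching its AKI against each bundle certificate's SKI. Because two certificates can share an SKI when a CA is renewed with the same key, every SKI hit is confirmed with an actual signature check (openssl verify -partial_chain). All subjects and file names are constructed for the demo; the only assumption is an openssl 1.1.1 or newer binary (for the -ext option) with its default openssl.cnf present.

```shell
#!/bin/sh
# Added example (not Cisco code, not from the article): throwaway PKI with two
# Issuing CAs sharing a CN, then AKI -> SKI chain resolution confirmed by signature.
# All names are constructed for the demo. Needs openssl >= 1.1.1.
set -eu
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT; cd "$WORK"

# Extension profiles in "openssl x509 -extfile" syntax.
ROOT_EXT='basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign
subjectKeyIdentifier=hash'
CA_EXT="$ROOT_EXT
authorityKeyIdentifier=keyid"
LEAF_EXT='basicConstraints=CA:FALSE
keyUsage=digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth,clientAuth
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid'

# issue NAME SUBJECT SIGNER EXT: new RSA key + CSR for NAME, signed by SIGNER
# (SIGNER=self gives a self-signed root). Produces NAME.key and NAME.pem.
issue() {
    openssl req -new -newkey rsa:2048 -nodes -subj "$2" -keyout "$1.key" -out "$1.csr" 2>/dev/null
    printf '%s\n' "$4" > "$1.ext"
    if [ "$3" = self ]; then
        openssl x509 -req -in "$1.csr" -signkey "$1.key" -days 365 -extfile "$1.ext" -out "$1.pem" 2>/dev/null
    else
        openssl x509 -req -in "$1.csr" -CA "$3.pem" -CAkey "$3.key" -CAcreateserial \
            -days 365 -extfile "$1.ext" -out "$1.pem" 2>/dev/null
    fi
}

issue root        "/DC=com/DC=CorpABC/CN=CorpABCA1RootCA"                  self        "$ROOT_EXT"
issue policy      "/DC=com/DC=CorpABC/DC=internal/CN=CorpABCA1PolicyCA"    root        "$CA_EXT"
issue issuing-old "/DC=com/DC=CorpABC/DC=internal/CN=CorpABCA1IssuingCA01" policy      "$CA_EXT"
issue issuing-new "/DC=com/DC=CorpABC/DC=internal/CN=CorpABCA1IssuingCA01" policy      "$CA_EXT"
issue manager     "/C=US/O=CorpABC/CN=vmanage-example.CorpABC.com"        issuing-new "$LEAF_EXT"
# Constructed bundle standing in for /usr/share/viptela/root-ca.crt: old and new CAs together.
cat root.pem policy.pem issuing-old.pem issuing-new.pem > root-ca.crt

# keyid FILE EXTNAME: first hex key identifier printed for that extension ("" if absent).
keyid() {
    openssl x509 -in "$1" -noout -ext "$2" 2>/dev/null \
        | grep -oE '([0-9A-Fa-f]{2}:){7,}[0-9A-Fa-f]{2}' | head -n 1 || true
}

# split_bundle BUNDLE DIR: one PEM file per certificate, numbered in bundle order.
split_bundle() {
    mkdir -p "$2"
    awk -v dir="$2" '/-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/ca-%02d.pem", dir, n) }
                     n { print > f }' "$1"
}

# find_issuer CERT DIR: print every file in DIR whose SKI equals CERT's AKI *and*
# whose key verifies CERT's signature. Same-CN look-alikes are filtered by the SKI;
# same-key renewals are not, which is why the signature check alone is not enough either.
find_issuer() {
    aki=$(keyid "$1" authorityKeyIdentifier)
    [ -n "$aki" ] || return 1
    for cand in "$2"/*.pem; do
        [ "$(keyid "$cand" subjectKeyIdentifier)" = "$aki" ] || continue
        if openssl verify -partial_chain -CAfile "$cand" "$1" >/dev/null 2>&1; then
            echo "$cand"
        fi
    done
}

# walk_chain LEAF DIR: print the subject of LEAF, then of each issuer found in DIR,
# up to the self-signed root (AKI absent, or AKI equal to the cert's own SKI).
walk_chain() {
    cur=$1
    while :; do
        openssl x509 -in "$cur" -noout -subject
        ski=$(keyid "$cur" subjectKeyIdentifier)
        aki=$(keyid "$cur" authorityKeyIdentifier)
        [ -n "$aki" ] && [ "$aki" != "$ski" ] || break
        next=$(find_issuer "$cur" "$2" || true)
        [ -n "$next" ] || { echo "no issuer for $cur in $2 (bundle incomplete?)" >&2; return 1; }
        # More than one hit means the CA was renewed with the same key pair; the SKI
        # cannot separate them and the validity period has to decide. Take the first.
        [ "$(printf '%s\n' "$next" | wc -l | tr -d ' ')" -eq 1 ] \
            || echo "warning: several bundle certificates carry key $aki" >&2
        cur=$(printf '%s\n' "$next" | head -n 1)
    done
}

split_bundle root-ca.crt chain
echo "Issuing CA certificate that actually signed manager.pem (AKI -> SKI, signature confirmed):"
find_issuer manager.pem chain
echo "Chain from manager.pem to the root:"
walk_chain manager.pem chain
```

Of the two bundle certificates named CorpABCA1IssuingCA01, only the renewed one (chain/ca-04.pem) is reported, because only its SKI matches the leaf's AKI. On a real Manager you would replace the constructed PKI with manager.pem and the downloaded root-ca.crt and keep the three helper functions as they are.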

 

Conclusion:

By methodically comparing the AKI of the device certificate with the SKI values in the Root CA chain, administrators can identify the correct Issuing CA even when several certificates share the same CN. Because the SKI identifies the CA key rather than a particular certificate, a CA renewed with the same key pair yields two matching candidates; in that case the validity period, together with a signature check of the device certificate against each candidate, settles which one is in use.

Comments
rkthapa9
Level 1

Hi, @Amod Augustin 

Great topic, Thank you very much for sharing.
