Solved: Re: Can't install certificate on vBond and vSmart

Riks1337 · ‎07-04-2023

Hi there. I wanted to set up a cisco SD-WAN topology in eve-ng. In my first try i got to install all the certificates for vManage, vBond and vSmart successfully, but realized that i had to change the organization name of my controllers so that it matches with my unique cisco smart account controller profile.

Now when i try to install the certificates it is succesfull for the vManage, but for the vBond and vSmart when I try to install the certificates ( ex: vbond.crt , vsmart.crt ) , I get the following error when I try to install via vManage(Browser):

Failed to process device request. Error Message : log : Error: root-ca-chain unable to validate the certificate... Aborting !

If I try from the vManage CLI: Public key of CSR and the cert varies ... Not installing the certificate Failed to install the certificate !!

I tried reinstalling everything a few times now , but everytime the same error. Any ideas or guidance please?

Kanan Huseynli · ‎07-05-2023

Add ROOTCA.pem file to vbond / vsmart and install root CA:

request root-cert-chain install [path]

HTH,
Please rate and mark as an accepted solution if you have found any of the information provided useful.

View solution in original post

Kanan Huseynli · ‎07-04-2023

Hi,

which option do you use for certs; is it enterprise CA or Cisco automated/manual? Also, check time on devices.

HTH,
Please rate and mark as an accepted solution if you have found any of the information provided useful.

Riks1337 · ‎07-04-2023

Controller Certificate Authorization

: Enterprise

WAN Edge Cloud Certificate Authorization

: Automated

Clock is synced on all controller devices.

I just dont understand why all the certificate installations were successfull the first time and now after i tried reinstalling with the new org name it does not work. I've done everything the same way.

Kanan Huseynli · ‎07-05-2023

Reset RSA key, create new CSR, sign it and upload it.

HTH,
Please rate and mark as an accepted solution if you have found any of the information provided useful.

Riks1337 · ‎07-05-2023

Same error, I even tried reinstalling everything. vManage certificate installs succesfully, vBond says

root-ca-chain unable to validate the certificate

Kanan Huseynli · ‎07-05-2023

Did you import root chain file to vbond since you use enterprise CA?

HTH,
Please rate and mark as an accepted solution if you have found any of the information provided useful.

Riks1337 · ‎07-05-2023

I did the following on vManage:

## Generate Certs on vManage
# enter vshell

#Root Key
openssl genrsa -out ROOTCA.key 2048

#RootCA
openssl req -x509 -new -nodes -key ROOTCA.key -sha256 -days 2000 -subj"/C=UK/ST=Hampshire/L=Southampton/O=SDWAN-HR1337-LAB/CN=roger.local" -out ROOTCA.pem

#RootCA.key and ROOTCA.pem to generate vmanage.crt file
openssl x509 -req -in vmanage_csr -CA ROOTCA.pem -CAkey ROOTCA.key -CAcreateserial -out vmanage.crt -days 2000 -sha256

# Install vmanage.crt ( this installed succesfully )

#Generate vBond.csr

#Sign the vBond.csr with the ROOTCA.key and ROOTCA.pem to generate vbond.crt
openssl x509 -req -in vbond.csr -CA ROOTCA.pem -CAkey ROOTCA.key -CAcreateserial -out vbond.crt -days 2000 -sha256

# Install vbond.crt ( failed )

Riks1337 · ‎07-05-2023

I also imported in the: Controller Certificate Authorization the ROOTCA.pem file.

Kanan Huseynli · ‎07-05-2023

Add ROOTCA.pem file to vbond / vsmart and install root CA:

request root-cert-chain install [path]

HTH,
Please rate and mark as an accepted solution if you have found any of the information provided useful.

Riks1337 · ‎07-05-2023

This solved it. Thank you !!

MHM Cisco World · ‎07-05-2023

I dont know but
it is eve-ng, so you can use any cert.
If not work
delete the image and add it again.

sdwan user · ‎01-02-2025

How can i generate a ROOT-CA.pem file from a router if im using a router as a ca server