
Certificate not installed in cEdge (ISRv)

AbuRafay63
Level 1

Dears,

Hope you are all fine. I want to ask about the output below, which shows the certificate status as "Not Installed". The last line of this output shows a time of "12s", which keeps restarting after a few seconds. After 12 seconds it will be "0s" again....

Also, in vManage the certificate shows in red: "certificate installation failed".

So what is the reason for the certificate status "Not Installed"?

I used the commands below to install the certificate and activate the cEdge in vManage. Is any step missing?

 

request platform software sdwan root-cert-chain install bootflash:ROOTCA.pem

#request platform software sdwan vedge_cloud activate chassis-number xxxx token xxxx

 

sh sdwan control local-properties
personality vedge
sp-organization-name sdwan-xxx
organization-name sdwan-xxx
root-ca-chain-status Installed

certificate-status Not-Installed
certificate-validity Not Applicable
certificate-not-valid-before Not Applicable
certificate-not-valid-after Not Applicable

enterprise-cert-status Not-Applicable
enterprise-cert-validity Not Applicable
enterprise-cert-not-valid-before Not Applicable
enterprise-cert-not-valid-after Not Applicable

dns-name 199.1.1.3
site-id 30
domain-id 1
protocol dtls
tls-port 0
system-ip 33.33.33.33
chassis-num/unique-id ISR-A6CD088B-30CF-FDA4-EBA6-A9082891B28D
serial-num No certificate installed
subject-serial-num N/A
enterprise-serial-num No certificate installed
token 00e21592059abe1711ad4ae35074c627
keygen-interval 1:00:00:00
retry-interval 0:00:00:15
no-activity-exp-interval 0:00:00:20
dns-cache-ttl 0:00:02:00
port-hopped TRUE
time-since-last-port-hop 0:01:02:03
embargo-check success
number-vbond-peers 1

INDEX IP PORT
-----------------------------------------------------
0 199.1.1.3 12346

number-active-wan-interfaces 1


NAT TYPE: E -- indicates End-point independent mapping
A -- indicates Address-port dependent mapping
N -- indicates Not learned
Note: Requires minimum two vbonds to learn the NAT type

                  PUBLIC         PUBLIC  PRIVATE        PRIVATE  PRIVATE                       MAX    RESTRICT/         LAST        SPI TIME    NAT   VM
INTERFACE         IPv4           PORT    IPv4           IPv6     PORT     VS/VM  COLOR  STATE  CNTRL  CONTROL/   LR/LB  CONNECTION  REMAINING   TYPE  CON
                                                                                                      STUN                                            PRF
---------------------------------------------------------------------------------------------------------------------------------------------------------
GigabitEthernet1  192.168.102.1  12386   192.168.102.1  ::       12386    0/1    mpls   up     2      no/yes/no  No/No  0:00:00:12  0:10:29:12  N     5

 

1 Accepted Solution


Hi,

 

Normally vManage should push the root CA list. While it also pushes a certificate signed by itself (this is valid if you choose "vmanage certificate for routers"), the router may reject it for some reason, for example an org-name mismatch or a time mismatch. The certificate should be valid with respect to the router's local time. So, just check the time on the router and vManage.

 

HTH,

Please rate and mark as an accepted solution if you have found any of the information provided useful.
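
The two checks suggested in the answer above, as an added example (not code from the thread or from Cisco): it parses the `show sdwan control local-properties` output and compares the router's organization name and clock against the certificate's validity window. The function names, the exact-match comparison of the organization name and the sample dates are assumptions made for illustration.

```python
from datetime import datetime, timezone

# Excerpt of the output posted in the question; only these keys are used.
SAMPLE = """\
personality vedge
organization-name sdwan-xxx
root-ca-chain-status Installed
certificate-status Not-Installed
certificate-validity Not Applicable
"""

def parse_local_properties(text):
    """Turn 'key value...' lines into a dict; the first token is the key."""
    props = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        # Skip table headers, separators and index rows (not lowercase keys).
        if len(parts) == 2 and parts[0][0].islower():
            props.setdefault(parts[0], parts[1].strip())
    return props

def diagnose(props, device_clock, not_before, not_after, vmanage_org):
    """Return the reasons a pushed certificate would be rejected, if any."""
    findings = []
    if props.get("root-ca-chain-status") != "Installed":
        findings.append("root-ca-chain-missing")
    if props.get("organization-name") != vmanage_org:
        findings.append("org-name-mismatch")
    if device_clock < not_before:
        findings.append("clock-before-not-valid-before")
    elif device_clock > not_after:
        findings.append("clock-after-not-valid-after")
    return findings

def utc(year, month, day):
    """Build a timezone-aware UTC datetime for comparisons."""
    return datetime(year, month, day, tzinfo=timezone.utc)

if __name__ == "__main__":
    props = parse_local_properties(SAMPLE)
    # Constructed values: a router whose clock was never set, and a
    # certificate issued later by a controller with the correct time.
    print(diagnose(props, utc(2019, 1, 1), utc(2024, 3, 1),
                   utc(2034, 3, 1), "sdwan-xxx"))
```
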



Thanks Kanan. The issue was solved when I changed ISRv to CSR1k, but I am sure the time was not matched.

 

=============

Please ignore this reply of mine, this is for some other thread....

=============

 

Thanks for your reply, really appreciate it.

I am using vManage as my ROOT CA, and the CSR properties set as in attached screenshot.

 

CSR Properties onvManage.png
