Enterprise Certificate Management

Steytler
Level 1

I'm using the SD-WAN Documentation page to learn Enterprise Cert Management.  https://www.cisco.com/c/en/us/td/docs/routers/sdwan/config/vEdge-sdwan20.html

The Cert Management is under "Installation and Getting Started." I used the drop-down to select different versions because I know there are distinct features that have become available with each major release. What's happening is that although I have selected a distinct version, I am sent to the same page. Somewhere in all this documentation there has to be a "Recommended" solution for which Root CA is supported/recommended.

The SD-WAN Controller Certificates and Authorized Serial Number File Prescriptive Deployment Guide for an Enterprise Root Cert CA does not identify a recommended Root CA platform either.

"Some examples include Linux-based XCA, TinyCA, or OpenSSL (which is part of all Linux distributions) or Windows (where you can install an Ubuntu shell or OpenSSL)"

https://www.cisco.com/c/en/us/td/docs/solutions/CVD/SDWAN/cisco-sdwan-controller-cert-deploy-guide.html#Option5EnterpriseRootCertificateAuthorityCA

Does Cisco have a recommended Enterprise Root Cert platform? Or maybe they did and subsequent versions have included others? I am not able to find it in any docs.

Thx

svemulap@cisco.com
Cisco Employee
Hi Steytler -

By default, Cisco has its own root-CA for SD-WAN which can be signed via Cisco-PKI. For this, the customer needs to have a valid SA / VA (smart-account / virtual-account).

The preferred (default) root-CA is using Cisco PKI. If not, the customer can have their own enterprise root cert, with their own signing authority.

HTH

Thank you for that, and you touched on my very question. If a customer is not using Cisco-PKI and has their own Enterprise CA, what is the Cisco recommended solution platform? Or maybe I should ask it this way. If a customer is running an older version and there is no intent to upgrade and they are using an Enterprise CA, what CA platform does Cisco recommend?
Again - I've looked through many docs, but cannot find the info, and I'm telling you there is absolutely a recommended solution. It's just not available in any documentation.

Hi Steytler -

In the past, Cisco/Viptela did not recommend to on-prem customers which CA they should use.

Some of our (on-prem) customers used their own CA authority.

In the past (old code versions), we used to get it signed through Symantec (Cisco-hosted).

As mentioned in the earlier post, from 19.2 and above, we recommend Cisco PKI as CA authority.

Hope it is clear.