07-09-2024 08:29 AM
Hi Community,
I have an SDWAN solution in the Cisco cloud, 2 vBond, 2 vSmart and 1 vManage, and it is observed that their certificates are about to expire:
Furthermore, it is observed in vManage that the authorization of the controller certificates is carried out by CISCO itself:
And these are my cEdge routers:
I have several queries:
1. If it is not renewed, what type of service would be affected?
2. Under this scenario, how could I update the Controllers' certificate if Cisco itself authorizes the certificates?
3. Also, when I update the certificates, it would only be in the controllers? Or does something else have to be done on the cEdge routers?
4. During the update of the certificates in the Controllers, would the service be affected?
Waiting for support with my query
Regards
Electronic20
07-09-2024 09:58 AM - edited 07-09-2024 09:58 AM
I must admit that I haven't had to do a renewal with Cisco managed certificates yet. I do believe you will need to generate the CSR for your controllers yourself, but then they will be automatically signed and installed.
If you don't renew the certificates all control-connections will drop, as these certificates are used to authenticate the components. Replacing the controller certificates shouldn't cause downtime if you follow the procedure described in the following documentation (renewing the certificate for one controller at a time):
07-09-2024 12:25 PM
Hi @Torbjørn
Would any changes have to be made to the Cedge routers? Or would it be enough to just update the Controllers certificate?
07-09-2024 01:16 PM
What is the "Hardware WAN Edge Certificate Authorization" and "WAN Edge Cloud Certificate Authorization" (if you have any) set to?
If they are set to the defaults of "On box" for the hardware devices and "Automated" for cloud devices you won't have to do anything for renewal of the wan-edge certificates.
07-09-2024 01:37 PM
Hi @Torbjørn
It has that configuration:
It is seen that the authorization of the certificate is carried out directly by CISCO
Under this scenario, wouldn't it be necessary to make any changes and/or certificate updates or other types of configuration on the cEdge routers? Would it only be to update the certificate only in the Controllers?
07-09-2024 01:54 PM
Yes, that is correct.
07-12-2024 08:06 AM
Hi @Torbjørn
Thank you, I have a question: is it necessary to have active Cisco support for Cisco to approve my Certificate? Or is it enough to just renew the license?
07-12-2024 08:57 AM
Hi @Electronic20,
I unfortunately don't speak Spanish - so I google translated it and think you are asking if a valid support contract is required to renew the certificates. To quote the documentation:
"The major difference between Symantec/Digicert and Cisco PKI certificates is that Cisco PKI certificates are linked to a Smart Account (SA) and Virtual Account (VA) in Plug and Play (PnP) and do not require manual approval using a portal like Digicert. Each VA has a limit of 100 certificates, meaning that each overlay has a limit of 100 certificates, and after the certificate signing request (CSR) is generated, the approval and installation happens automatically if the Cisco SD-WAN Manager settings are set correctly."
I interpret that to mean that it is sufficient to have the required licenses as long as your certificate settings are correct (set to Cisco CA) and have a functioning smart-account integration. Are you having issues getting the CSRs signed?
07-12-2024 09:23 AM
Hi @Torbjørn
sorry.
Thank you, I have a question, is it necessary to have active Cisco support for Cisco to approve my Certificate? Or is it just enough to renew the license?