
Expiring SD WAN controller certificates

Electronic20
Spotlight

Hi Community,

I have an SDWAN solution in the Cisco cloud, 2 vBond, 2 vSmart and 1 vManage, and it is observed that their certificates are about to expire:

[screenshot: Electronic20_0-1720538080608.png]

Furthermore, it is observed in vManage that the authorization of the controller certificates is carried out by CISCO itself:

[screenshot: Electronic20_1-1720538227586.png]

And these are my cEdge routers:

[screenshot: Electronic20_2-1720538638387.png]

I have several queries:

1. If it is not renewed, what type of service would be affected?

2. Under this scenario, how could I update the Controllers' certificate if Cisco itself authorizes the certificates?

3. Also, when I update the certificates, it would only be in the controllers? Or does something else have to be done on the cEdge routers?

4. During the update of the certificates in the Controllers, would the service be affected?


Waiting for support with my query

Regards

Electronic20


8 Replies

Torbjørn
Spotlight

I must admit that I haven't had to do a renewal with Cisco managed certificates yet. I do believe you will need to generate the CSR for your controllers yourself, but then they will be automatically signed and installed.

If you don't renew the certificates all control-connections will drop, as these certificates are used to authenticate the components. Replacing the controller certificates shouldn't cause downtime if you follow the procedure described in the following documentation (renewing the certificate for one controller at a time):

https://www.cisco.com/c/en/us/td/docs/solutions/CVD/SDWAN/cisco-sdwan-controller-cert-deploy-guide.html#Renewcontrolcomponentcertificates

https://www.cisco.com/c/en/us/td/docs/routers/sdwan/configuration/sdwan-xe-gs-book/manage-certificates.html#id_109050

Happy to help! Please mark as helpful/solution if applicable.
Get in touch: https://torbjorn.dev
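As an added example (not code from this thread or from Cisco's documentation), a small Python check that reads the `subject=`/`notAfter=` lines printed by `openssl x509 -noout -subject -enddate` for each controller certificate, flags the ones inside a warning window before the control connections would drop, and orders them for the one-at-a-time renewal described above. The controller names and dates below are constructed for the example.

```python
"""Flag SD-WAN controller certificates that are close to expiry.

Input is the text printed by `openssl x509 -noout -subject -enddate`,
one subject line followed by one notAfter line per certificate.
"""
from datetime import datetime, timedelta, timezone

# Constructed sample (not from any real overlay): the vSmart pair expires soon.
SAMPLE = """\
subject=CN=vsmart-1, O=example-overlay
notAfter=Jul 20 12:00:00 2024 GMT
subject=CN=vmanage-1, O=example-overlay
notAfter=Nov 30 12:00:00 2024 GMT
subject=CN=vsmart-2, O=example-overlay
notAfter=Jul 21 12:00:00 2024 GMT
"""


def parse_enddates(text):
    """Return {common_name: notAfter as a UTC datetime} from openssl output."""
    certs, cn = {}, None
    for line in text.splitlines():
        if line.startswith("subject="):
            # Pick the CN attribute out of the comma-separated RDN list.
            for part in line[len("subject="):].split(","):
                key, _, value = part.strip().partition("=")
                if key == "CN":
                    cn = value
        elif line.startswith("notAfter=") and cn:
            when = datetime.strptime(line[len("notAfter="):], "%b %d %H:%M:%S %Y %Z")
            certs[cn] = when.replace(tzinfo=timezone.utc)
            cn = None
    return certs


def expiry_report(certs, now, warn_days=30):
    """Classify each certificate as EXPIRED, WARN (within warn_days) or OK."""
    report = {}
    for cn, not_after in certs.items():
        left = not_after - now
        if left <= timedelta(0):
            status = "EXPIRED"
        elif left <= timedelta(days=warn_days):
            status = "WARN"
        else:
            status = "OK"
        report[cn] = (status, left.days)
    return report


def renewal_order(report):
    """Controllers sorted by days remaining: renew the soonest first, one at a time."""
    return [cn for cn, (_, days) in sorted(report.items(), key=lambda kv: kv[1][1])]
```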

Hi @Torbjørn 

Would any changes have to be made to the cEdge routers? Or would it be enough to just update the Controllers' certificate?


What is the "Hardware WAN Edge Certificate Authorization" and "WAN Edge Cloud Certificate Authorization" (if you have any) set to?

If they are set to the defaults of "On box" for the hardware devices and "Automated" for cloud devices you won't have to do anything for renewal of the wan-edge certificates.

Happy to help! Please mark as helpful/solution if applicable.
Get in touch: https://torbjorn.dev

Hi @Torbjørn 

It has that configuration:

[screenshot: Electronic20_0-1720556990783.png]

It is seen that the authorization of the certificate is carried out directly by CISCO:

[screenshot: Electronic20_2-1720557247464.png]

Under this scenario, wouldn't it be necessary to make any changes and/or certificate updates or other types of configuration on the cEdge routers? Would it only be a matter of updating the certificate in the Controllers?


Yes, that is correct.

Happy to help! Please mark as helpful/solution if applicable.
Get in touch: https://torbjorn.dev

Hi @Torbjørn 

Thank you, I have a question: is it necessary to have active Cisco support for Cisco to approve my Certificate? Or is it enough to just renew the license?


Hi @Electronic20,

I unfortunately don't speak Spanish, so I Google-translated it and think you are asking if a valid support contract is required to renew the certificates. To quote the documentation:

"The major difference between Symantec/Digicert and Cisco PKI certificates is that Cisco PKI certificates are linked to a Smart Account (SA) and Virtual Account (VA) in Plug and Play (PnP) and do not require manual approval using a portal like Digicert. Each VA has a limit of 100 certificates, meaning that each overlay has a limit of 100 certificates, and after the certificate signing request (CSR) is generated, the approval and installation happens automatically if the Cisco SD-WAN Manager settings are set correctly." 

I interpret that to mean that it is sufficient to have the required licenses as long as your certificate settings are correct (set to Cisco CA) and you have a functioning smart-account integration. Are you having issues getting the CSRs signed?

Happy to help! Please mark as helpful/solution if applicable.
Get in touch: https://torbjorn.dev

Hi @Torbjørn 

sorry.

Thank you, I have a question: is it necessary to have active Cisco support for Cisco to approve my Certificate? Or is it enough to just renew the license?