1104 Views, 2 Helpful, 4 Replies

How to renew Certificate Expire

ADC Lane
Level 1

Hi Experts, 

I would like to ask about renewing the certificate for the controller.

I am using the Cisco Automated certificate and the controllers are in Cisco's cloud; the expiry date is early 2025. So after 2 years, how can I renew this certificate? Is there any document to guide me?

Thank you so much!

Accepted Solution

To renew the controller certificates, you need to follow the appropriate process based on your deployment
type and certificate type:

[omitted]

In the Cisco SD-WAN Manager Settings page, there is an option for Symantec Automated or Cisco
Automated where automated refers to automatic submission of CSRs and retrieval of certificates. The
option does include automation of certain steps of the process, compared to the manual option. However,
the step to trigger the generation of CSRs for each controller is still manual, to be done by you, to initiate
the renewal process.

https://www.cisco.com/c/en/us/td/docs/routers/sdwan/knowledge-base/CloudOps/b-cisco-sdwan-cloudops/m-cert-management.pdf

So, you need to generate the CSRs, which will trigger the renewal process. I believe that as soon as you generate the CSR (so the "CSR generated" label is shown), the process will start.

HTH,
Please rate and mark as an accepted solution if you have found any of the information provided useful.

4 Replies

Hi @Kanan Huseynli 

Thank you so much for your answer, I think I got it!

Could you help me with one more question about SD-WAN certificates?

My situation:

In my lab, I am using Manager (vManage) as the CA. I create the CA key and CA ROOT chain in Manager; when I create the ROOT CA, I set days = 1000 (around 3 years) and use this ROOT CA to sign the CSRs of vBond and vSmart. After that, I run show certificate installed and I see days = 1000, which is correct. BUT:

If I use this ROOTCA.pem to onboard vEdge Cloud or CSR1000v (using the commands ..root-chain-cert installed <ROOTCA.pem> and request platform vedge-cloud active chassis .... token ...), the device joins Manager, but when I run show (sdwan) certificate installed, I see days = 10 years. So my question is: why are the certificates of the edge router set to 10 years? (Maybe I don't understand; the edge router doesn't use ROOTCA.pem to join vManage, or Manager overwrote the CA?) ...

Thank you in advance, Kanan!

Hi,

Because controller certificate settings and device certificate settings are different.

Most probably, you have the Enterprise option for controllers (thus you should generate a CSR and sign it with your CA, which you manually created inside the Linux shell of vManage, in this case), but for cloud routers (i.e. virtual) you have vManage signed, which is another CA, the automatic CA for cloud devices. Actually, you have two different CAs.

But let's verify this via Administration > Settings and look (share screen) at what is chosen for the controller certificate and for cloud (virtual) devices.

HTH,
Please rate and mark as an accepted solution if you have found any of the information provided useful.

Hi @Kanan Huseynli 

Thank you so much!

If my edge is a cloud router, I need to check the option WAN Edge Cloud Certificate Authorization: if I choose Automated, the cloud router will use the CA of Manager to sign, and if I choose Enterprise CA, the cloud router will use the enterprise CA to sign. Now my lab is using the Automated option, so days = 10 years. If I choose my Enterprise CA, days will be 3 years (the cloud router uses the ROOT CA to sign).

ADCLane_0-1700794265535.png

In the case of a production environment with physical routers, e.g. ISR 4000s or C8000s, the physical edge router will use Hardware WAN Edge Certificate Authorization (On Box (TPM/SUDI Certificate) or Enterprise CA), and On-Box will have days = around 10 years (this is the default, as in this link: https://community.cisco.com/t5/security-knowledge-base/cisco-secure-unique-device-identifier-certificate-expiration/ta-p/4257523); if Enterprise CA is used, the days depend on my certificate.

Is my understanding correct, Kanan?
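The lab described in this thread (a self-made root CA created with days = 1000, signing the controller CSRs, then checking the installed certificate's days) and the per-controller CSR step that the accepted answer says still has to be triggered by hand can be reproduced with the plain openssl CLI. The script below is an added example written for this thread; it is not code from the posts or from Cisco. It assumes only that the openssl binary is installed; every file name, subject and the CA name are constructed here. It goes one step beyond the posts: it also checks which CA issued each certificate (the "two different CAs" point in the replies) and whether a renewal threshold has been crossed, which is the check a defender wants running long before an early-2025 expiry date.

```shell
#!/bin/sh
# Added example (not from the thread, not Cisco's code): a throwaway enterprise-CA
# lab built with the openssl CLI. Assumed/constructed: the openssl binary is on
# PATH, and all file names, subjects and the CA name below are made up here.
set -eu

LAB_DIR="${LAB_DIR:-$(mktemp -d)}"

# 1. Root CA with an explicit lifetime (the post used days = 1000).
make_root_ca() {
    days="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$days" \
        -subj "/CN=Lab SD-WAN Root CA" \
        -keyout "$LAB_DIR/rootca.key" -out "$LAB_DIR/ROOTCA.pem" >/dev/null 2>&1
}

# 2. Key + CSR for one controller. Generating the CSR is the manual step that
#    the accepted answer says still has to be triggered per controller.
make_csr() {
    name="$1"
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=$name.lab.example" \
        -keyout "$LAB_DIR/$name.key" -out "$LAB_DIR/$name.csr" >/dev/null 2>&1
}

# 3. Sign the CSR. The issued certificate's lifetime is whatever the signer
#    passes here, not the root CA's own lifetime.
sign_csr() {
    name="$1"; days="$2"
    openssl x509 -req -sha256 -days "$days" -CAcreateserial \
        -CA "$LAB_DIR/ROOTCA.pem" -CAkey "$LAB_DIR/rootca.key" \
        -in "$LAB_DIR/$name.csr" -out "$LAB_DIR/$name.crt" >/dev/null 2>&1
}

# Who signed this certificate? Prints the issuer DN (its exact formatting
# differs between openssl versions, so callers should match on the CN only).
cert_issuer() {
    openssl x509 -in "$1" -noout -issuer
}

# Does the certificate chain to our root? Exit status 0 means yes.
verify_chain() {
    openssl verify -CAfile "$LAB_DIR/ROOTCA.pem" "$1" >/dev/null 2>&1
}

# Smallest whole number of days D after which openssl reports the certificate
# as expired, found by bisection over `openssl x509 -checkend` so no
# platform-specific date parsing is needed. Capped at 20 years (7300 days).
days_until_expiry() {
    cert="$1"; lo=0; hi=7300
    openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1 || { echo 0; return; }
    while [ $((hi - lo)) -gt 1 ]; do
        mid=$(( (lo + hi) / 2 ))
        if openssl x509 -in "$cert" -noout -checkend $((mid * 86400)) >/dev/null 2>&1; then
            lo=$mid   # still valid after mid days
        else
            hi=$mid   # expired within mid days
        fi
    done
    echo "$hi"
}

# Renewal policy: prints "yes" when the cert expires within THRESHOLD days.
renewal_due() {
    cert="$1"; threshold="$2"
    if openssl x509 -in "$cert" -noout -checkend $((threshold * 86400)) >/dev/null 2>&1; then
        echo no
    else
        echo yes
    fi
}

# Build the lab: a 1000-day root and two controllers, each signed for 1000 days.
make_root_ca 1000
for c in vbond vsmart; do
    make_csr "$c"
    sign_csr "$c" 1000
done

# Report what "show certificate installed" would tell you about each controller.
for c in vbond vsmart; do
    echo "$c: issuer=$(cert_issuer "$LAB_DIR/$c.crt" | sed 's/^issuer=//')"
    echo "$c: days until expiry=$(days_until_expiry "$LAB_DIR/$c.crt")," \
         "renew within 90 days? $(renewal_due "$LAB_DIR/$c.crt" 90)"
done
```

Run it on any Linux host with openssl; it prints both controllers as issued by "Lab SD-WAN Root CA" with 1000 days until expiry. Pointing `cert_issuer` at a certificate pulled from a cloud edge that was signed by Manager's automatic CA shows a different issuer and a 10-year lifetime, which is the difference the replies above explain; `renewal_due` with a threshold such as 90 days is the kind of check to schedule so the manual CSR step is triggered in time.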